6ac60661b77578060a8e5c120cfae45dc18071fcb6b28ae0de0aa731b457de85

Analysis

max time kernel
141s
max time network
149s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 06:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_5cd8c0f5ea9bd4af32d88781e9e6e79e_avoslocker.exe
Size

1.3MB
MD5

5cd8c0f5ea9bd4af32d88781e9e6e79e
SHA1

ebf56a158d9fe0b0bc0d8484783a90247c99d404
SHA256

6ac60661b77578060a8e5c120cfae45dc18071fcb6b28ae0de0aa731b457de85
SHA512

020e584dd45ace006c39ba674a1d1ff6dec913d52ebd98eb49dd0e5a5ecd7e967cb0b9de142fdbf0a530f1b44279bd94849b646f54df7d3980a8ceb20fbf911f
SSDEEP

24576:i2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedxSkQ/7Gb8NLEbeZ:iPtjtQiIhUyQd1SkFdkkQ/qoLEw

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2568	alg.exe
2780	aspnet_state.exe
2004	mscorsvw.exe
2772	mscorsvw.exe
1324	elevation_service.exe
2836	GROOVE.EXE
1192	maintenanceservice.exe
1888	OSE.EXE
932	OSPPSVC.EXE
2368	mscorsvw.exe
2072	mscorsvw.exe
1112	mscorsvw.exe
2316	mscorsvw.exe
1216	mscorsvw.exe
1932	mscorsvw.exe
1192	mscorsvw.exe
3004	mscorsvw.exe
2272	mscorsvw.exe
1548	mscorsvw.exe
324	mscorsvw.exe
2144	mscorsvw.exe
1472	mscorsvw.exe
1600	mscorsvw.exe
2936	mscorsvw.exe
2228	mscorsvw.exe
2832	mscorsvw.exe
1176	mscorsvw.exe
2544	mscorsvw.exe
796	mscorsvw.exe
2372	mscorsvw.exe
2016	mscorsvw.exe
1332	mscorsvw.exe
2908	mscorsvw.exe
2296	mscorsvw.exe
1520	mscorsvw.exe
2528	mscorsvw.exe
3068	dllhost.exe
1688	ehRecvr.exe
2944	ehsched.exe
1916	IEEtwCollector.exe
616	msdtc.exe
1632	msiexec.exe
1960	perfhost.exe
1592	locator.exe
2500	snmptrap.exe
2668	vds.exe
844	vssvc.exe
2496	wbengine.exe
1948	WmiApSrv.exe
1736	wmpnetwk.exe
1364	SearchIndexer.exe
2584	mscorsvw.exe
2876	mscorsvw.exe
940	mscorsvw.exe
2100	mscorsvw.exe
340	mscorsvw.exe
736	mscorsvw.exe
2040	mscorsvw.exe
1616	mscorsvw.exe
2104	mscorsvw.exe
1596	mscorsvw.exe
1484	mscorsvw.exe
672	mscorsvw.exe

Loads dropped DLL 53 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1632	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
740	Process not Found
340	mscorsvw.exe
340	mscorsvw.exe
2040	mscorsvw.exe
2040	mscorsvw.exe
2104	mscorsvw.exe
2104	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
1112	mscorsvw.exe
1112	mscorsvw.exe
2724	mscorsvw.exe
2724	mscorsvw.exe
888	mscorsvw.exe
888	mscorsvw.exe
1908	mscorsvw.exe
1908	mscorsvw.exe
1864	mscorsvw.exe
1864	mscorsvw.exe
2104	mscorsvw.exe
2104	mscorsvw.exe
2408	mscorsvw.exe
2408	mscorsvw.exe
2676	mscorsvw.exe
2676	mscorsvw.exe
2688	mscorsvw.exe
2688	mscorsvw.exe
756	mscorsvw.exe
756	mscorsvw.exe
2008	mscorsvw.exe
2008	mscorsvw.exe
2104	mscorsvw.exe
2104	mscorsvw.exe
2624	mscorsvw.exe
2624	mscorsvw.exe
960	mscorsvw.exe
960	mscorsvw.exe
1080	mscorsvw.exe
1080	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2771d9488ab55808.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-04_5cd8c0f5ea9bd4af32d88781e9e6e79e_avoslocker.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP72A1.tmp\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4818.tmp\ehiVidCtl.dll	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B1D56A1B-F911-4FB8-B5A0-AB9A27DB14D7}.crmlog	dllhost.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP11DC.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP207C.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP50CF.tmp\stdole.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1B2E.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{54FE3058-EB55-473B-A26D-29CBC2E07297}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0c34405e0cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mstsc.exe,-4000 = "Remote Desktop Connection"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040b1f407e0cdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\displayswitch.exe,-321 = "Connect your computer to a projector by display cable."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008 = "Windows Mobility Center"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name = "mscorsvw.exe"	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Msinfo32.exe,-130 = "Display detailed information about your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051 = "Snipping Tool"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\ShapeCollector.exe,-299 = "Provide writing samples to help improve the recognition of your handwriting."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505 = "Sticky Notes"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000a0037afddfcdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0aad406e0cdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a007e407e0cdda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1952	ehRec.exe
2780	aspnet_state.exe
2780	aspnet_state.exe
2780	aspnet_state.exe
2780	aspnet_state.exe
2780	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2208	2024-07-04_5cd8c0f5ea9bd4af32d88781e9e6e79e_avoslocker.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeDebugPrivilege	2568	alg.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2780	aspnet_state.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: 33	3004	EhTray.exe
Token: SeIncBasePriorityPrivilege	3004	EhTray.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeRestorePrivilege	1632	msiexec.exe
Token: SeTakeOwnershipPrivilege	1632	msiexec.exe
Token: SeSecurityPrivilege	1632	msiexec.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeDebugPrivilege	1952	ehRec.exe
Token: SeBackupPrivilege	844	vssvc.exe
Token: SeRestorePrivilege	844	vssvc.exe
Token: SeAuditPrivilege	844	vssvc.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeBackupPrivilege	2496	wbengine.exe
Token: SeRestorePrivilege	2496	wbengine.exe
Token: SeSecurityPrivilege	2496	wbengine.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeDebugPrivilege	2780	aspnet_state.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: 33	3004	EhTray.exe
Token: SeIncBasePriorityPrivilege	3004	EhTray.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeManageVolumePrivilege	1364	SearchIndexer.exe
Token: 33	1364	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1364	SearchIndexer.exe
Token: 33	1736	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1736	wmpnetwk.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2772	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3004	EhTray.exe
3004	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3004	EhTray.exe
3004	EhTray.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
1424	SearchProtocolHost.exe
1424	SearchProtocolHost.exe
1424	SearchProtocolHost.exe
1424	SearchProtocolHost.exe
1424	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe
2044	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2368	2772	mscorsvw.exe	37
PID 2772 wrote to memory of 2368	2772	mscorsvw.exe	37
PID 2772 wrote to memory of 2368	2772	mscorsvw.exe	37
PID 2772 wrote to memory of 2072	2772	mscorsvw.exe	38
PID 2772 wrote to memory of 2072	2772	mscorsvw.exe	38
PID 2772 wrote to memory of 2072	2772	mscorsvw.exe	38
PID 2004 wrote to memory of 1112	2004	mscorsvw.exe	39
PID 2004 wrote to memory of 1112	2004	mscorsvw.exe	39
PID 2004 wrote to memory of 1112	2004	mscorsvw.exe	39
PID 2004 wrote to memory of 1112	2004	mscorsvw.exe	39
PID 2004 wrote to memory of 2316	2004	mscorsvw.exe	40
PID 2004 wrote to memory of 2316	2004	mscorsvw.exe	40
PID 2004 wrote to memory of 2316	2004	mscorsvw.exe	40
PID 2004 wrote to memory of 2316	2004	mscorsvw.exe	40
PID 2004 wrote to memory of 1216	2004	mscorsvw.exe	41
PID 2004 wrote to memory of 1216	2004	mscorsvw.exe	41
PID 2004 wrote to memory of 1216	2004	mscorsvw.exe	41
PID 2004 wrote to memory of 1216	2004	mscorsvw.exe	41
PID 2004 wrote to memory of 1932	2004	mscorsvw.exe	42
PID 2004 wrote to memory of 1932	2004	mscorsvw.exe	42
PID 2004 wrote to memory of 1932	2004	mscorsvw.exe	42
PID 2004 wrote to memory of 1932	2004	mscorsvw.exe	42
PID 2004 wrote to memory of 1192	2004	mscorsvw.exe	43
PID 2004 wrote to memory of 1192	2004	mscorsvw.exe	43
PID 2004 wrote to memory of 1192	2004	mscorsvw.exe	43
PID 2004 wrote to memory of 1192	2004	mscorsvw.exe	43
PID 2004 wrote to memory of 3004	2004	mscorsvw.exe	44
PID 2004 wrote to memory of 3004	2004	mscorsvw.exe	44
PID 2004 wrote to memory of 3004	2004	mscorsvw.exe	44
PID 2004 wrote to memory of 3004	2004	mscorsvw.exe	44
PID 2004 wrote to memory of 2272	2004	mscorsvw.exe	45
PID 2004 wrote to memory of 2272	2004	mscorsvw.exe	45
PID 2004 wrote to memory of 2272	2004	mscorsvw.exe	45
PID 2004 wrote to memory of 2272	2004	mscorsvw.exe	45
PID 2004 wrote to memory of 1548	2004	mscorsvw.exe	46
PID 2004 wrote to memory of 1548	2004	mscorsvw.exe	46
PID 2004 wrote to memory of 1548	2004	mscorsvw.exe	46
PID 2004 wrote to memory of 1548	2004	mscorsvw.exe	46
PID 2004 wrote to memory of 324	2004	mscorsvw.exe	47
PID 2004 wrote to memory of 324	2004	mscorsvw.exe	47
PID 2004 wrote to memory of 324	2004	mscorsvw.exe	47
PID 2004 wrote to memory of 324	2004	mscorsvw.exe	47
PID 2004 wrote to memory of 2144	2004	mscorsvw.exe	48
PID 2004 wrote to memory of 2144	2004	mscorsvw.exe	48
PID 2004 wrote to memory of 2144	2004	mscorsvw.exe	48
PID 2004 wrote to memory of 2144	2004	mscorsvw.exe	48
PID 2004 wrote to memory of 1472	2004	mscorsvw.exe	49
PID 2004 wrote to memory of 1472	2004	mscorsvw.exe	49
PID 2004 wrote to memory of 1472	2004	mscorsvw.exe	49
PID 2004 wrote to memory of 1472	2004	mscorsvw.exe	49
PID 2004 wrote to memory of 1600	2004	mscorsvw.exe	50
PID 2004 wrote to memory of 1600	2004	mscorsvw.exe	50
PID 2004 wrote to memory of 1600	2004	mscorsvw.exe	50
PID 2004 wrote to memory of 1600	2004	mscorsvw.exe	50
PID 2004 wrote to memory of 2936	2004	mscorsvw.exe	51
PID 2004 wrote to memory of 2936	2004	mscorsvw.exe	51
PID 2004 wrote to memory of 2936	2004	mscorsvw.exe	51
PID 2004 wrote to memory of 2936	2004	mscorsvw.exe	51
PID 2004 wrote to memory of 2228	2004	mscorsvw.exe	52
PID 2004 wrote to memory of 2228	2004	mscorsvw.exe	52
PID 2004 wrote to memory of 2228	2004	mscorsvw.exe	52
PID 2004 wrote to memory of 2228	2004	mscorsvw.exe	52
PID 2004 wrote to memory of 2832	2004	mscorsvw.exe	53
PID 2004 wrote to memory of 2832	2004	mscorsvw.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-04_5cd8c0f5ea9bd4af32d88781e9e6e79e_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_5cd8c0f5ea9bd4af32d88781e9e6e79e_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 240 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 248 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 24c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 26c -NGENProcess 268 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 25c -NGENProcess 24c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 24c -NGENProcess 240 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d8 -NGENProcess 278 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 280 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 240 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 280 -NGENProcess 290 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 25c -NGENProcess 278 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 294 -NGENProcess 288 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 290 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 278 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2a0 -NGENProcess 294 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 28c -NGENProcess 278 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2a8 -NGENProcess 298 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2296

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 1ac -NGENProcess 1b8 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 250 -NGENProcess 104 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 228 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 1b8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 104 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1b8 -NGENProcess 104 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 268 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 260 -NGENProcess 25c -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 270 -NGENProcess 104 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2104
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 104 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 278 -NGENProcess 25c -Pipe 1b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 25c -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 270 -NGENProcess 104 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 104 -NGENProcess 254 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:1400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 288 -NGENProcess 278 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 270 -NGENProcess 290 -Pipe 104 -Comment "NGen Worker Process"
  2⤵
  PID:592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 278 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 28c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:2592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 298 -NGENProcess 290 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 290 -NGENProcess 268 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2a0 -NGENProcess 28c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 28c -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:2040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2a8 -NGENProcess 268 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2104
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 268 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:1448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2b0 -NGENProcess 298 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:1920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b8 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a0 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2c0 -NGENProcess 2a8 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:1400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 27c -NGENProcess 2a8 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2a8 -NGENProcess 2c4 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:1440
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2d0 -NGENProcess 2c8 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2c8 -NGENProcess 27c -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:1748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2d8 -NGENProcess 2c4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c4 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e0 -NGENProcess 27c -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2e4 -NGENProcess 2dc -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:1076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 27c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 27c -NGENProcess 2e0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2104
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2e0 -NGENProcess 2e4 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2c4 -NGENProcess 2fc -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:1216
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2b0 -NGENProcess 2e4 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2e4 -NGENProcess 2f8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:1332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f8 -NGENProcess 2c4 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2ec -NGENProcess 2d0 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2e8 -NGENProcess 2c4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 310 -NGENProcess 300 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2d0 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:2324
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2c4 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2412
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 300 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2d0 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 2d0 -NGENProcess 314 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:1952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2e8 -NGENProcess 324 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:1256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 32c -NGENProcess 31c -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:2528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 314 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 324 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:1040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 31c -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 314 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:1748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 324 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 31c -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 314 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 324 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 31c -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:1440
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 348 -NGENProcess 354 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 340 -NGENProcess 31c -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 31c -NGENProcess 314 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 33c -NGENProcess 360 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 244 -NGENProcess 314 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 364 -NGENProcess 324 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  PID:988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 354 -NGENProcess 314 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2260
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 354 -NGENProcess 364 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:1216
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 354 -NGENProcess 36c -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:1956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 374 -NGENProcess 364 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:3004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 360 -NGENProcess 348 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2104
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 324 -NGENProcess 364 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:1740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 380 -NGENProcess 354 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 36c -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 364 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:1968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 354 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:1956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 36c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:3028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 36c -NGENProcess 384 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:3000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 324 -NGENProcess 394 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:2260
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 39c -NGENProcess 38c -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 384 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2216
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 394 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 38c -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 384 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:1920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 3a4 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:2624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3a4 -NGENProcess 3b4 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 39c -NGENProcess 324 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 39c -NGENProcess 3a4 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 38c -NGENProcess 324 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 3c4 -NGENProcess 3b0 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:1940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 3a4 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:2140
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 324 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 3b0 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:1076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3a4 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:2040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3a4 -NGENProcess 3cc -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:1940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3dc -NGENProcess 3b0 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:2256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3b0 -NGENProcess 3d4 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:2596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3ec -NGENProcess 3d0 -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3d0 -NGENProcess 3dc -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:1864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3f4 -NGENProcess 3d4 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:2160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3f0 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  PID:1484

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1324

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2836

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1192

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1888

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:932

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1520

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2528

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3068

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1688

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2944

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3004

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1916

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:616

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1960

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1592

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2668

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1948

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1364
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1424
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  - Modifies data under HKEY_USERS
  PID:1792
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
1a75adc83c57f35438c39b13262d1b99

SHA1
d455c90f900d7975416f73cc45bfa8abf941c901

SHA256
83d323c855fb34ab6690f7913bbf591de5b2276535eb501ff720c4e374ac9898

SHA512
0b3760528c5bf084bda1a86da1dc3424d860d86e1aaf78a8dcc91e5e47e5892aeb778f526989f2ba1f9853627567d113beb43bdf2c9641fe6458d4f82a25613d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
17b3a89a3a12a2a664bf1ed11887a2db

SHA1
60841314cf84eb21ceee7152cfe54afcd093ad73

SHA256
db85eb2d49dd59a8619d25331e1fc91bda6d6cd36ac3d6e5af77fcca28da3ea0

SHA512
1f73c907a9a56e7b0b4b0089d78d1c1e5057dd36265f70c966a9f142064703534372e57424e4fabe2b7d1b217790b1a9b9f76614a9a23fd72c273743577a173e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
25e5c161950cd18edf24d8a17062c16e

SHA1
31f12d4a4658d1d5ae80b3e91530444ea3b38db4

SHA256
31ffc7408d405cac59e810e2c715574e7cd011764270410a40c5561c226df0ef

SHA512
2ac530170a4d05b900ed93de8167564098afffc200c2fbdd506b43a51d0651fbc8597b770a2a423cd3a1a9b25dd08fc5b5e75f2cf202e212d0515e56175cf802

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
ac3cecd31fcbc627d24bfc908ee4e69c

SHA1
06edfde738ed5b19f45e08ac53e6e7e608bdaeb0

SHA256
646e622f6aee9dd88ebe25637cf23e47c8cffc887fd499236e3c6d35afebe889

SHA512
dd50bba7e0758a9525eae5f2b10a222a262f65b734a16f0bcd1de5a189448e349370d5a0d28d2a1b44e342d463bda87aa3e985b182bf99ed22e588bb2bbd071f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
1653d2e607bfcf7e29e3505bc5d016e3

SHA1
aca227d05834c690a9432645c8fec9e342993789

SHA256
76acd51415378a9d26bc3080af4fd2bb528ff89b42dd5ffc0d223f4c5d227d71

SHA512
e853662a1be09bfa309cd20abb21b431963a9dd52c44ae65d03d7ae0d6a080531bf70ef59092b17993d01437c7a579dd28c9e98eb315004bdf99f6d4bf92e718

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
6055cf892a89d7a80ac91f0125a0a6fa

SHA1
5af1dedba22b09023d03de76835bc4768bc83c6c

SHA256
c7ce31c965c402bd66d9dc2e42f0bcc29779308c94a2d0885da493349d464b99

SHA512
cc37c0078e792b93ac75d4dc4469dab3cfde4dfe9c64af8a4c0284b183f9ea9949baf11b3cef646e778af91ea9b7f4fe4d82a531098cac595ffbe335a841ed6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
38db9720b1e44dfe053ecb9a19a26b8a

SHA1
c686c8e046ba5a276c705d253f7558764d818eb9

SHA256
69a6318c3aa5ddc6858e3d4647af953caeb8f0fed2cbd178493a6912f6ebaedb

SHA512
1cc477ac4976ede2e1724f40c49e47145521733a13b22fb3971094982c3178c5db1cb5d1d4a4c33aa69229f6158fe4a36ceaf1b14435263c87f02354a7bdee2b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
39ea9c4c91039e094f6d3b8526d2be9b

SHA1
3cb2a5860cca5cd2c59b5310aad9e946507280dd

SHA256
e716d2a0a9a70f59ec501af567bd3cb4be97564a0ca914c1d26b9eb707a94f78

SHA512
036013b63821a142d84d1576554363f4c429d25c9aab6aaac1abd214f5be3395890a200e692e11d77d42d48695ca5c5aeb92d0a8f797dab23bbeedb6200cb718

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
389895c2930112512be42f562cab1b09

SHA1
f323305d43d695456b3eb6c74af3203d753b9475

SHA256
21984db06501348db2ee8f3d7b8b3b02cb6c6dddc6517cd7c581be24501e6e63

SHA512
e7511097b200adddd1d2b350a10c8304377108f2c6afa24326c16ee05908008ad6e2d198e5aef9391bb1701b8c3ccd28fe3eaa13926a22f53a1303f86026ea91

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
f6f2c7c9b0ce66e89fe082fb2dba9c47

SHA1
867889f585c83e14bc965802a3de660dd56bbc38

SHA256
e353c59b76a443d51332f70efefd7c376698b6b3948e051c2b297dc8412da0dd

SHA512
f7dfcd31d197ea169072fbfa516c077511a1d422676a9564ce2bb991d027329da1c4002a9594d00495d21b2c7cecdae4877d43076aaea5f04f74f9148557f925

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
77372b900f1227ada7990761f0bc6088

SHA1
876bef17f4261b19802732f39dcd1ca0ab37d08b

SHA256
93ad4eb29fc1e81d371aafcbd66a819b9b15dfb265aeb9c45872262d474f141a

SHA512
047a65e82c6fba64a36b042d57988c9284f8da30f5cc874c05a64c37b4eda89d0d84a17bd224746ec43509169d5bfd217f9c22c9209b7b47bec3d78cea03bbc5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
dbddc5ae3ac79c13a25cff5a5d2ab3c1

SHA1
f490b93487ce9f1827cf759b9e1d678ba9f7edf9

SHA256
2edff336fbba51bbacf24fca67ea9ee2c8154684ef114d0b7ac603fd000e50d2

SHA512
58854a1d56dffec3269748b7c30160d3384c38733c72671fd5a18e58688770e9ec238830c8e2737724370018c2d2bbf539ba531f2f535a2a5a887e5adf785e86

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
c4a5ff92db35ad03c7107fccd1a8d0d0

SHA1
cd26a4d55610822afade522d055122fd8f08f5ce

SHA256
ff288f59da60a272c572102698d9c1fbd2a02523e6ee80746c0865e4aefae43f

SHA512
b82f38905560f7a957140977d6fa238df3cf55bb37120643f45d3c6e5ae6bd5a37137e03434f09befe9721a2be958b22078d0950369fe0f1a04ac462d9f32536

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
f9cc10fc0756cd5cbf682037bb3906ab

SHA1
ee8a112129a3ddbc5769404d7366f58bfbf2b7ed

SHA256
9ea83380d936a48d65d97782cafb6926ed01a2ec296ed1936ec9d8cd8797b84f

SHA512
cc3d7211caaf3efce147031546add2c3d9073ab2ecdf7821c7589d675e3c60c9fbfdeed2f12cba97bb9d86c8a17d2e1e6e860b702a2f9c9c7d91c0345a311bef

Download Submit
C:\Windows\Temp\Cab9B85.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarA084.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
238KB

MD5
0a4ed78b7995d94fa42379f84cd5f8e9

SHA1
90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b

SHA256
0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86

SHA512
86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.8MB

MD5
9958f23efa2a86f8195f11054f94189a

SHA1
78ec93b44569ea7ebce452765568da5c73511931

SHA256
3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6

SHA512
3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\5b669fb0d0550318c9c709e5a3d5adc6\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
a7ecfbf69c7ad947956d560457c1b8f9

SHA1
6f6d7acc89f11fc60d0efadb961474253aa99914

SHA256
fda743c27bdc345a35d8f1c8e26d3ced870adede9c9f591dab4742424276a149

SHA512
ca894d8b0188ec1a6e38a064188f1b6731c45a1d4cf1d8459950dd7d1b0579696c9028bcc6ebe6101d9029cc06522fb7edb01494acd0f1918bb31ab2a185e57c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\d3c6ad069137b4f9e599d94d77b1bd9f\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
efd2fc8a42d7b624e59888cc1e09f62e

SHA1
050b17bea48e65a17d1a50f92b1307b2a6d9b6d5

SHA256
6798106949ffa5dee667f187594c74e107e770ac289dcd5a4cbb4e46c62af385

SHA512
0cf113e628c62df8f68301fb0d1f7b54b2a7e84ff0154b383bae91aca3b49d89c7ca8cb5e086c3da45cd3deda9133c8b0402705b354d433ecdacb7e0346acc69

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\f80f4ca04bb216898814d4877bf31d71\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
674fb5e7c5c0af8a7c4c0972c198405e

SHA1
c84515f16c0e66a5076c8be4866e717b558b5487

SHA256
010cdb4a9ab3a26d9056c7f2e0eb3a47fcbb3e881484279f31b192eb1d81046c

SHA512
190f5116885e4311346e47d757e96c1a2d21696015e09af1dfbd8a69e31e774ee5f4155ac48ec4738cdc60ebe793118c8b46ab5e71c7818ab066d4b0357f466e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
71f2cb8c5b450ee205bcb9772c5f9653

SHA1
880e92937644ad48d01be7eb1b8342fbda4b7ec9

SHA256
9f2a389e459028aa6d7764e5525014e884af15bb245b9f61b5fe04f583daccd7

SHA512
f506e66d570493f744eef2505e08a968e4a940246cacbaea59518d81a9119572ac1930e75a67912c50cf028f7f46fef242d3de6ffe950b6b9ea7716e22d7dea2

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
9f50dda47f1dc11f8d258f48cb4922b4

SHA1
a7f8edfe33cf7db1c60e5aa25a4ae36231d25ba2

SHA256
4d2b09274a00b5034ac66a6292dba1c644334fe8ab416e9502d01602213c401d

SHA512
d5124784f663eb8f65dbd43425f8e74aaeb96f01a8ed811d57e53b4cd6ae2797d0062696c7c3877894949e873435feda0f97d9875c344dde88e71ddfab2019e5

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
31cfb1d4f358c83a04198a8d8159e51e

SHA1
974ed998641f25ff381fc7164df13d06f2933252

SHA256
e4f0748f2e423ab930684ac1c466755e94172ca866dadb5e973390553838345d

SHA512
43bb4c3041f74a6e0a55727abc22d57b94aa8f273dd21f73552cda554ff6f355d39434e2834a5c9e6b0443d540fe16138e5beb2904cf1ede183ecf29411402d0

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
418eba3b8c68f1c48fcc0c7ee144812e

SHA1
01240ee453c622120d9b9861151e7def945e1cc6

SHA256
e8239b0635607a0996984c11f07190ca5edf362432875650615213bd1bfbbc59

SHA512
103f27062f7098023f15f8ae06d66ef87a86214aa99b2b0606804d1f359a7796fee224461457f77092cbdf44885f661b1342ef4f7cb3906284edb5c7f7c30e44

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
ff1399c8a8b960b6ff5a7d16cda56989

SHA1
4689bb1535a3fc7fa1e4b0a48f536de480b3d350

SHA256
9537f2d2e390becde1842076d887fdd3a5c226134a025ac2acc3ec11da0010c2

SHA512
918b4b4d9f0cd84997a4fc3c20935ab267e19c6314666e3e4f1405131b134befc08be9641520ab8c173148eaa0bd009dbae469c9653752b8ba171ad090b12fb8

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
65707ceb20db34be9efe57ee4cb97676

SHA1
39282a3617f11b2ba2592f12d03268cc13f32142

SHA256
e46bcaaaeff220908d39f8c253d30f766eea0d70d17c0f2993bdc5a558e039e5

SHA512
e5aa658b42a2e23ec0512912046bbb979606bf4fbb83b45c29ee6215ca8fbff0e3142a4241523ed18ef47c0f25201f83cc561964bf8b45253fd114d48d1d3bcf

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.2MB

MD5
cff63026d4ce3813ebbcfeb1ac093296

SHA1
13ba987aa19909e721e30d6b243ad8f70f92eb90

SHA256
9b1259a94dc44314516d118d3c84ae4d83530dcc102d12ebacb1a012e55a5a10

SHA512
0782b9c299b4e4e144ff5d3efebbf617a820dc17993be28697bcedf598fd37bec2443df897c292a84058150e6419f7f3d36da115c8df16084df6c63fa59a0970

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
8c6b147a873a4dd80a6e588564c579c5

SHA1
1c12cf1b3e78b0534690ded9349dd08b3c5e6bf2

SHA256
10414189fadacf48d1af20bc38beffdb3a2c0feb39cb4d680d4b6934fb4868be

SHA512
1f1f67e0c77d9b648edad713e43894613126e4f1c105e169b3ab24b3956776e3f4bc66616c69619fcc7d6dfa3dddc74f36ec12f70ce964967090178745907fbf

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
5cabad07282e5f7baaa4a7ff23dfe507

SHA1
19b83c2e8e97b19afad21cc07efb527b3d59d87d

SHA256
a9ed3b881cc8394d05182ebbde677160fb8db9b94e7acfbef2e9a81233c1d5c5

SHA512
a7952428d4cc9e866cae2977ee0d102a4e04844ced56b9bcf4593929b740b4fea300b24010cc98a76f203b2089996f184292268af67b86f2609131c61c659d47

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
a94503faacca20b547c4f62adceb7412

SHA1
df00e159ba44424c7df5b9b673ecc84c6dd148ec

SHA256
8345601a2a9fa779402dea31c7b496f3837bca864246238387f49714d6703d07

SHA512
dc7710f98eeea04fd65a5f982cabf21215d2409ca7433b2bf9ca6ce19d1c34663d460b44f2eec57a41cc0ab84f93f36d9aa32db7f29fb7f732cc7f63abb27733

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
d557419696db00b54774354cea4e4cfa

SHA1
c6909ab2ded3ff0c5c71da33686d9c7c64c9fc53

SHA256
ca500d15244f414e6668b84a7ebf08a5f8cfcdc58a63430bea8dacd1c0de3cbd

SHA512
5c008966ca3eb1372861e3f2f97dd0988a681d77d8c02c00093353be40f779c1f06e5ece4bb552e390fbbd9556ed1badcbf27bb60bfbef4b0197f25eca144401

Download Submit
memory/324-418-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/324-433-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/340-973-0x0000000000E30000-0x0000000000E3E000-memory.dmp

Filesize
56KB

Download
memory/340-974-0x00000000018D0000-0x00000000018DC000-memory.dmp

Filesize
48KB

Download
memory/616-693-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/616-908-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/796-532-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/796-543-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/844-775-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/932-129-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/932-395-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1112-296-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1112-274-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1176-501-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1176-520-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1192-100-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download
memory/1192-94-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download
memory/1192-368-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1192-377-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1192-102-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1192-117-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1216-323-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-354-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1324-73-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1324-315-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1324-80-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1324-79-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1332-571-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1332-567-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1472-451-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1472-447-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1520-632-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/1520-598-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/1548-407-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1548-421-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1592-740-0x0000000100000000-0x000000010012C000-memory.dmp

Filesize
1.2MB

Download
memory/1600-459-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1600-463-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1632-715-0x0000000100000000-0x0000000100149000-memory.dmp

Filesize
1.3MB

Download
memory/1632-911-0x00000000005D0000-0x0000000000719000-memory.dmp

Filesize
1.3MB

Download
memory/1632-910-0x0000000100000000-0x0000000100149000-memory.dmp

Filesize
1.3MB

Download
memory/1632-716-0x00000000005D0000-0x0000000000719000-memory.dmp

Filesize
1.3MB

Download
memory/1688-650-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1688-766-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1888-107-0x00000000003B0000-0x0000000000416000-memory.dmp

Filesize
408KB

Download
memory/1888-380-0x000000002E000000-0x000000002E14C000-memory.dmp

Filesize
1.3MB

Download
memory/1888-114-0x000000002E000000-0x000000002E14C000-memory.dmp

Filesize
1.3MB

Download
memory/1916-689-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1916-899-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1932-367-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1932-356-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1960-719-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/2004-235-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2004-44-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2004-50-0x0000000000610000-0x0000000000676000-memory.dmp

Filesize
408KB

Download
memory/2004-45-0x0000000000610000-0x0000000000676000-memory.dmp

Filesize
408KB

Download
memory/2016-546-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2016-566-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2072-236-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2072-245-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2100-958-0x00000000019E0000-0x00000000019F6000-memory.dmp

Filesize
88KB

Download
memory/2100-955-0x0000000001980000-0x000000000198E000-memory.dmp

Filesize
56KB

Download
memory/2100-956-0x00000000019C0000-0x00000000019CC000-memory.dmp

Filesize
48KB

Download
memory/2100-957-0x000000001AE00000-0x000000001AE48000-memory.dmp

Filesize
288KB

Download
memory/2144-431-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2144-446-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2208-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2208-6-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2208-1-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2208-27-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2228-493-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2272-396-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2272-409-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2296-592-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2316-326-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2316-301-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2368-143-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2368-238-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2372-555-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2496-787-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2500-745-0x0000000100000000-0x000000010012D000-memory.dmp

Filesize
1.2MB

Download
memory/2528-661-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/2528-614-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/2544-524-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2544-518-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2568-106-0x0000000100000000-0x000000010013B000-memory.dmp

Filesize
1.2MB

Download
memory/2568-29-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2568-19-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2568-14-0x0000000100000000-0x000000010013B000-memory.dmp

Filesize
1.2MB

Download
memory/2668-764-0x0000000100000000-0x00000001001AB000-memory.dmp

Filesize
1.7MB

Download
memory/2772-65-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2772-57-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2772-63-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2780-33-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2780-34-0x0000000000350000-0x00000000003B0000-memory.dmp

Filesize
384KB

Download
memory/2780-40-0x0000000000350000-0x00000000003B0000-memory.dmp

Filesize
384KB

Download
memory/2780-120-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2832-593-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2832-494-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2832-497-0x0000000003C70000-0x0000000003D2A000-memory.dmp

Filesize
744KB

Download
memory/2836-84-0x0000000000B30000-0x0000000000B96000-memory.dmp

Filesize
408KB

Download
memory/2836-92-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2836-89-0x0000000000B30000-0x0000000000B96000-memory.dmp

Filesize
408KB

Download
memory/2836-355-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2908-582-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2936-475-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2936-471-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2944-786-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2944-665-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3004-387-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3004-381-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3068-643-0x0000000100000000-0x000000010012C000-memory.dmp

Filesize
1.2MB

Download