3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25

Analysis

max time kernel
144s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13-07-2024 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
Size

1.8MB
MD5

509ade752b6bbb7ea26cbf241a6bb110
SHA1

a27b1b295522c806fa19743f8b20d57d36ee1699
SHA256

3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25
SHA512

1afa9a9965c595515b794ac25c898d6716128cd5ad0e6c744608fae1c2d6468a629b5af2bd219ba313944beb00f206cc5175ccfda521ca80d428447c9a715347
SSDEEP

49152:1x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAVkQ/qoLEw:1vbjVkjjCAzJeqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2740	alg.exe
2060	aspnet_state.exe
2548	mscorsvw.exe
2384	mscorsvw.exe
2132	mscorsvw.exe
2008	mscorsvw.exe
1840	ehRecvr.exe
692	ehsched.exe
1520	elevation_service.exe
1896	IEEtwCollector.exe
1604	GROOVE.EXE
816	maintenanceservice.exe
2556	OSE.EXE
1312	mscorsvw.exe
1316	mscorsvw.exe
872	mscorsvw.exe
2040	mscorsvw.exe
1060	mscorsvw.exe
684	mscorsvw.exe
2588	mscorsvw.exe
2260	mscorsvw.exe
2416	mscorsvw.exe
2384	mscorsvw.exe
2552	mscorsvw.exe
1140	mscorsvw.exe
1596	mscorsvw.exe
1500	mscorsvw.exe
2748	mscorsvw.exe
824	mscorsvw.exe
1320	mscorsvw.exe
2516	mscorsvw.exe
2512	mscorsvw.exe
3020	mscorsvw.exe
2552	mscorsvw.exe
1580	mscorsvw.exe
2216	mscorsvw.exe
2332	mscorsvw.exe
2768	mscorsvw.exe
2392	msdtc.exe
1352	msiexec.exe
2480	perfhost.exe
2528	locator.exe
2548	snmptrap.exe
2848	vds.exe
2676	vssvc.exe
2768	wbengine.exe
1732	WmiApSrv.exe
2824	wmpnetwk.exe
2608	SearchIndexer.exe
2456	mscorsvw.exe
1984	mscorsvw.exe
1072	mscorsvw.exe
2180	mscorsvw.exe
3064	mscorsvw.exe
828	mscorsvw.exe
1484	mscorsvw.exe
2436	mscorsvw.exe
2652	mscorsvw.exe
1184	mscorsvw.exe
2304	mscorsvw.exe
2328	mscorsvw.exe
2884	mscorsvw.exe
2136	mscorsvw.exe

Loads dropped DLL 50 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1352	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
732	Process not Found
3064	mscorsvw.exe
3064	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
2652	mscorsvw.exe
2652	mscorsvw.exe
2304	mscorsvw.exe
2304	mscorsvw.exe
2884	mscorsvw.exe
2884	mscorsvw.exe
2108	mscorsvw.exe
2108	mscorsvw.exe
2244	mscorsvw.exe
2244	mscorsvw.exe
916	mscorsvw.exe
916	mscorsvw.exe
2336	mscorsvw.exe
2336	mscorsvw.exe
2616	mscorsvw.exe
2616	mscorsvw.exe
2984	mscorsvw.exe
2984	mscorsvw.exe
960	mscorsvw.exe
960	mscorsvw.exe
1200	mscorsvw.exe
1200	mscorsvw.exe
2984	mscorsvw.exe
2984	mscorsvw.exe
960	mscorsvw.exe
960	mscorsvw.exe
3020	mscorsvw.exe
3020	mscorsvw.exe
1476	mscorsvw.exe
1476	mscorsvw.exe
2544	mscorsvw.exe
2544	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\56b0f4cad264f17b.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\alg.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM42CA.tmp\goopdateres_en-GB.dll	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM42CA.tmp\goopdateres_ca.dll	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM42CA.tmp\psmachine_64.dll	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM42CA.tmp\GoogleUpdateBroker.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM42CA.tmp\psmachine.dll	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File created	C:\Program Files (x86)\Google\Temp\GUM42CA.tmp\goopdateres_sw.dll	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM42CA.tmp\GoogleCrashHandler.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM42CA.tmp\goopdateres_sr.dll	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM42CA.tmp\goopdateres_nl.dll	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP36A.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE8C9.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP55E.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B1F.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF22C.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFA66.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6F3.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\ShapeCollector.exe,-299 = "Provide writing samples to help improve the recognition of your handwriting."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-201 = "Task Scheduler"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-202 = "Schedule computer tasks to run automatically."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mstsc.exe,-4000 = "Remote Desktop Connection"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-101 = "Windows PowerShell ISE"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\MdSched.exe,-4002 = "Check your computer for memory problems."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\iscsicpl.dll,-5002 = "Connect to remote iSCSI targets and configure connection settings."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\SnippingTool.exe,-15052 = "Capture a portion of your screen so you can save, annotate, or share the image."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-102 = "View monitoring and troubleshooting messages from windows and other programs."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\odbcint.dll,-1310 = "Data Sources (ODBC)"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10305 = "Hearts is a trick-based card game in which the goal is to get rid of cards while avoiding points. The player with the lowest number of points wins."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msconfig.exe,-126 = "System Configuration"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2868	ehRec.exe
2060	aspnet_state.exe
2060	aspnet_state.exe
2060	aspnet_state.exe
2060	aspnet_state.exe
2060	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2156	3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
Token: SeShutdownPrivilege	2132	mscorsvw.exe
Token: SeShutdownPrivilege	2008	mscorsvw.exe
Token: 33	2368	EhTray.exe
Token: SeIncBasePriorityPrivilege	2368	EhTray.exe
Token: SeDebugPrivilege	2868	ehRec.exe
Token: SeShutdownPrivilege	2132	mscorsvw.exe
Token: SeShutdownPrivilege	2008	mscorsvw.exe
Token: SeShutdownPrivilege	2132	mscorsvw.exe
Token: SeShutdownPrivilege	2132	mscorsvw.exe
Token: SeShutdownPrivilege	2008	mscorsvw.exe
Token: SeShutdownPrivilege	2008	mscorsvw.exe
Token: 33	2368	EhTray.exe
Token: SeIncBasePriorityPrivilege	2368	EhTray.exe
Token: SeShutdownPrivilege	2132	mscorsvw.exe
Token: SeShutdownPrivilege	2008	mscorsvw.exe
Token: SeDebugPrivilege	2740	alg.exe
Token: SeShutdownPrivilege	2132	mscorsvw.exe
Token: SeShutdownPrivilege	2008	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2060	aspnet_state.exe
Token: SeRestorePrivilege	1352	msiexec.exe
Token: SeTakeOwnershipPrivilege	1352	msiexec.exe
Token: SeSecurityPrivilege	1352	msiexec.exe
Token: SeBackupPrivilege	2676	vssvc.exe
Token: SeRestorePrivilege	2676	vssvc.exe
Token: SeAuditPrivilege	2676	vssvc.exe
Token: SeShutdownPrivilege	2132	mscorsvw.exe
Token: SeShutdownPrivilege	2132	mscorsvw.exe
Token: SeShutdownPrivilege	2132	mscorsvw.exe
Token: SeBackupPrivilege	2768	wbengine.exe
Token: SeRestorePrivilege	2768	wbengine.exe
Token: SeSecurityPrivilege	2768	wbengine.exe
Token: SeShutdownPrivilege	2132	mscorsvw.exe
Token: SeShutdownPrivilege	2008	mscorsvw.exe
Token: SeShutdownPrivilege	2008	mscorsvw.exe
Token: SeShutdownPrivilege	2008	mscorsvw.exe
Token: SeDebugPrivilege	2060	aspnet_state.exe
Token: SeShutdownPrivilege	2132	mscorsvw.exe
Token: SeShutdownPrivilege	2008	mscorsvw.exe
Token: SeManageVolumePrivilege	2608	SearchIndexer.exe
Token: 33	2608	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2608	SearchIndexer.exe
Token: 33	2824	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2824	wmpnetwk.exe
Token: SeShutdownPrivilege	2132	mscorsvw.exe
Token: SeShutdownPrivilege	2008	mscorsvw.exe
Token: SeShutdownPrivilege	2132	mscorsvw.exe
Token: SeShutdownPrivilege	2008	mscorsvw.exe
Token: SeShutdownPrivilege	2132	mscorsvw.exe
Token: SeShutdownPrivilege	2008	mscorsvw.exe
Token: SeShutdownPrivilege	2132	mscorsvw.exe
Token: SeShutdownPrivilege	2008	mscorsvw.exe
Token: SeShutdownPrivilege	2132	mscorsvw.exe
Token: SeShutdownPrivilege	2008	mscorsvw.exe
Token: SeShutdownPrivilege	2132	mscorsvw.exe
Token: SeShutdownPrivilege	2008	mscorsvw.exe
Token: SeShutdownPrivilege	2132	mscorsvw.exe
Token: SeShutdownPrivilege	2008	mscorsvw.exe
Token: SeShutdownPrivilege	2132	mscorsvw.exe
Token: SeShutdownPrivilege	2008	mscorsvw.exe
Token: SeShutdownPrivilege	2132	mscorsvw.exe
Token: SeShutdownPrivilege	2008	mscorsvw.exe
Token: SeShutdownPrivilege	2132	mscorsvw.exe
Token: SeShutdownPrivilege	2008	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2368	EhTray.exe
2368	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2368	EhTray.exe
2368	EhTray.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1140	SearchProtocolHost.exe
1140	SearchProtocolHost.exe
1140	SearchProtocolHost.exe
1140	SearchProtocolHost.exe
1140	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 1312	2132	mscorsvw.exe	45
PID 2132 wrote to memory of 1312	2132	mscorsvw.exe	45
PID 2132 wrote to memory of 1312	2132	mscorsvw.exe	45
PID 2132 wrote to memory of 1312	2132	mscorsvw.exe	45
PID 2132 wrote to memory of 1316	2132	mscorsvw.exe	46
PID 2132 wrote to memory of 1316	2132	mscorsvw.exe	46
PID 2132 wrote to memory of 1316	2132	mscorsvw.exe	46
PID 2132 wrote to memory of 1316	2132	mscorsvw.exe	46
PID 2132 wrote to memory of 872	2132	mscorsvw.exe	47
PID 2132 wrote to memory of 872	2132	mscorsvw.exe	47
PID 2132 wrote to memory of 872	2132	mscorsvw.exe	47
PID 2132 wrote to memory of 872	2132	mscorsvw.exe	47
PID 2132 wrote to memory of 2040	2132	mscorsvw.exe	48
PID 2132 wrote to memory of 2040	2132	mscorsvw.exe	48
PID 2132 wrote to memory of 2040	2132	mscorsvw.exe	48
PID 2132 wrote to memory of 2040	2132	mscorsvw.exe	48
PID 2132 wrote to memory of 1060	2132	mscorsvw.exe	49
PID 2132 wrote to memory of 1060	2132	mscorsvw.exe	49
PID 2132 wrote to memory of 1060	2132	mscorsvw.exe	49
PID 2132 wrote to memory of 1060	2132	mscorsvw.exe	49
PID 2132 wrote to memory of 684	2132	mscorsvw.exe	50
PID 2132 wrote to memory of 684	2132	mscorsvw.exe	50
PID 2132 wrote to memory of 684	2132	mscorsvw.exe	50
PID 2132 wrote to memory of 684	2132	mscorsvw.exe	50
PID 2132 wrote to memory of 2588	2132	mscorsvw.exe	51
PID 2132 wrote to memory of 2588	2132	mscorsvw.exe	51
PID 2132 wrote to memory of 2588	2132	mscorsvw.exe	51
PID 2132 wrote to memory of 2588	2132	mscorsvw.exe	51
PID 2132 wrote to memory of 2260	2132	mscorsvw.exe	52
PID 2132 wrote to memory of 2260	2132	mscorsvw.exe	52
PID 2132 wrote to memory of 2260	2132	mscorsvw.exe	52
PID 2132 wrote to memory of 2260	2132	mscorsvw.exe	52
PID 2132 wrote to memory of 2416	2132	mscorsvw.exe	53
PID 2132 wrote to memory of 2416	2132	mscorsvw.exe	53
PID 2132 wrote to memory of 2416	2132	mscorsvw.exe	53
PID 2132 wrote to memory of 2416	2132	mscorsvw.exe	53
PID 2132 wrote to memory of 2384	2132	mscorsvw.exe	54
PID 2132 wrote to memory of 2384	2132	mscorsvw.exe	54
PID 2132 wrote to memory of 2384	2132	mscorsvw.exe	54
PID 2132 wrote to memory of 2384	2132	mscorsvw.exe	54
PID 2132 wrote to memory of 2552	2132	mscorsvw.exe	65
PID 2132 wrote to memory of 2552	2132	mscorsvw.exe	65
PID 2132 wrote to memory of 2552	2132	mscorsvw.exe	65
PID 2132 wrote to memory of 2552	2132	mscorsvw.exe	65
PID 2132 wrote to memory of 1140	2132	mscorsvw.exe	56
PID 2132 wrote to memory of 1140	2132	mscorsvw.exe	56
PID 2132 wrote to memory of 1140	2132	mscorsvw.exe	56
PID 2132 wrote to memory of 1140	2132	mscorsvw.exe	56
PID 2132 wrote to memory of 1596	2132	mscorsvw.exe	57
PID 2132 wrote to memory of 1596	2132	mscorsvw.exe	57
PID 2132 wrote to memory of 1596	2132	mscorsvw.exe	57
PID 2132 wrote to memory of 1596	2132	mscorsvw.exe	57
PID 2132 wrote to memory of 1500	2132	mscorsvw.exe	58
PID 2132 wrote to memory of 1500	2132	mscorsvw.exe	58
PID 2132 wrote to memory of 1500	2132	mscorsvw.exe	58
PID 2132 wrote to memory of 1500	2132	mscorsvw.exe	58
PID 2132 wrote to memory of 2748	2132	mscorsvw.exe	59
PID 2132 wrote to memory of 2748	2132	mscorsvw.exe	59
PID 2132 wrote to memory of 2748	2132	mscorsvw.exe	59
PID 2132 wrote to memory of 2748	2132	mscorsvw.exe	59
PID 2132 wrote to memory of 824	2132	mscorsvw.exe	60
PID 2132 wrote to memory of 824	2132	mscorsvw.exe	60
PID 2132 wrote to memory of 824	2132	mscorsvw.exe	60
PID 2132 wrote to memory of 824	2132	mscorsvw.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe
"C:\Users\Admin\AppData\Local\Temp\3568755fb8f420f0fa5401f67b51d1d949e193bd9b97a7e4e21828e4b0bacd25.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2548

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 244 -NGENProcess 1f0 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1e8 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 264 -NGENProcess 250 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d8 -NGENProcess 1f0 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 26c -NGENProcess 25c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 24c -NGENProcess 264 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 274 -NGENProcess 25c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 1d8 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 284 -NGENProcess 268 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 26c -NGENProcess 284 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 288 -NGENProcess 1d8 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 268 -NGENProcess 284 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 25c -NGENProcess 26c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 26c -NGENProcess 264 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1f0 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 294 -NGENProcess 268 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 264 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 240 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 264 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2ac -NGENProcess 240 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 288 -NGENProcess 224 -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 260 -NGENProcess 208 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 244 -NGENProcess 250 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 23c -NGENProcess 224 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 258 -NGENProcess 208 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 224 -NGENProcess 208 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 1d0 -NGENProcess 21c -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 21c -NGENProcess 258 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 2a0 -NGENProcess 208 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 208 -NGENProcess 1d0 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 29c -NGENProcess 258 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 258 -NGENProcess 2a0 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2a4 -NGENProcess 1d0 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 1d0 -NGENProcess 29c -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 264 -NGENProcess 2a0 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2a0 -NGENProcess 2a4 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:1316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 294 -NGENProcess 29c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 29c -NGENProcess 264 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2b4 -NGENProcess 2a4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2a4 -NGENProcess 294 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:1004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2bc -NGENProcess 264 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 264 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2c4 -NGENProcess 294 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 294 -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 248 -NGENProcess 2b4 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2b4 -NGENProcess 2d0 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2dc -NGENProcess 2d4 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 248 -NGENProcess 2e4 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:2892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2c8 -NGENProcess 2d4 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2d4 -NGENProcess 2e0 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2ec -NGENProcess 2e4 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2e4 -NGENProcess 2c8 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f4 -NGENProcess 2e0 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2ec -NGENProcess 2fc -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2bc -NGENProcess 2e0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 300 -NGENProcess 2f4 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:3060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2fc -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2e0 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2e0 -NGENProcess 300 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 300 -NGENProcess 2f0 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 314 -NGENProcess 30c -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2f0 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:1904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 30c -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 310 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 318 -NGENProcess 2f0 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 300 -NGENProcess 328 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 330 -NGENProcess 310 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:1072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 320 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:1228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 328 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 310 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 320 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 328 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:1912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 310 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 320 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 328 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 310 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 320 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 328 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 310 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 320 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 328 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 310 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 378 -NGENProcess 320 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 35c -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 360 -NGENProcess 310 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 310 -NGENProcess 360 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 384 -NGENProcess 35c -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  PID:1896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 358 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 360 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:1384

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1bc -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2768

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1840

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:692

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2368

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1520

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1896

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1604

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:816

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2556

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2392

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2480

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2528

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2548

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1732

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2608
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1140
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  - Modifies data under HKEY_USERS
  PID:2576
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
2009921acaf3a213c6d3aa622d64c555

SHA1
63e22314152eaee3c028d9206b02d78b3ec187a0

SHA256
6985f28706d7c941173d3d685d06d3b38dcbac4ed3b837eb7265d93f5b596ba3

SHA512
a67e67cd406c723d7988da6d36f553ad69550cfa0062c3b728960bfad3b723a59680f430d59417568debf656425b7cab9442a58db57f7d4ef6f240e48fd8b891

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
82322cd17d3fd1a7054c89a7a666601c

SHA1
26a41579c23affb48e7ab7e7d7ea048912c376f9

SHA256
32401f0deedff28f05256c48f448939226aa15e858c8b650fc2ddc5c0b39f533

SHA512
affd388007565e007688742ca3d3d1bd9863866b74b0d13e3271682333a2b02f1fd55cb4a128e00d60364aa0e3506a1f6327a53f733f4fdb9e9843e51d49f978

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
662622d560e157036c1707fb9535f5c9

SHA1
ea5774206698e2a37ff457aeacccc216d5ca6fa9

SHA256
2c8b3a30e250c767631d703ef46c796758cc54bd8e3483af2851fad52eba354a

SHA512
3a7383dec7d3f3c0953efbfaa1cf33aab283bf51f5dae49bc392ba38d79f39d5ba09ee0e55b10fcf4b864c6b5b88033d24ad5961bf2a62097f755f1eea7624bb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c65333f4b69dfd1ed33f7089712486eb

SHA1
80fd5067aea9cb4de7a11ebb685d59f5373f6e9d

SHA256
0b5bcb6ebef7e35554c20ae6804a1c3ba218dc514c54348e02a8dc2e8ad11b5d

SHA512
7693442452bfe6545fa4fc50e485b45e253df6cc1fc69aa3f965e1bf217302ecac0fc9ff9c22935fa1349a1b3e97c3aa50af8a7d84dc5c84d3ad546d343cb6ba

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
d10c27f59dfdc972c4de635687df4614

SHA1
3ebd0ac94d845bca26c36a05e3a70f75561fe3e4

SHA256
71636872ba48e12fbf90eec49168337910ef98ad0ee00cda106f2904c83f8f65

SHA512
4c649ed28619302cbad9f1a2455bd4f2970b05f59740d642c4691f073df9e195bd6fcbcda107ffe7ad7b095bcff68c1882744e86fb374c4224f804850010bf4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
1d935a3ed22d7d200cbf33aba8d2080e

SHA1
f56b448f781ec8cca312cfaabf358ae8a7f67eee

SHA256
1e7f45fa665678e57bfdda4f624fe40435c7041b2ea1d22d777baef3a0a646f1

SHA512
5256c935d53559af6dd0a4c051407dd4def831ed13b54a773e4d966e5090cd3558d5d314dca491bc412e922fe1c44def9a0b39fc4dccac719e66074a8df0efa3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
5b569aa9780f0038499dad6c3d8976eb

SHA1
279818d6f704e95161357d39f121ade76e0d268d

SHA256
e68a80b6d60506f126be18c21dce49625ae7a22b91b579464e41699602747180

SHA512
f32561d2824ed5fc2215e5610427938742b72134895c4e5ae8bdbeec4c9961b0e040b756494f3f9d117a87e5524e9fe655b39af7c71cab5bb3e3c6ca35d6cd9d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
98c7c1bbfb11573c5c232a8ff68a7860

SHA1
0d5d4595294b25e4c253edab57a5cfdd300cacb3

SHA256
4c8d3088133c70382fb913514f73e0121e36699f58e1a27a0c28989698202113

SHA512
0f10fb2053a389fc96cf3ed37607d6f8626fc20c99c17ad14f51c99c962f21d7925e98ce1cb2d0af3abf30d3d5eeae3825001ff1d57755a49436f58a6a5743d0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
573919c90cc4da8aa1aa6418fb737bd9

SHA1
7322287fce20dae99e5e9229b06f9a527ff8ac14

SHA256
674433089ebeee056aba852f5277b240db5025a1cacc284162d0643994c0ae54

SHA512
c54c07ea783cd2c75fcc0b6965c19ea216f7ffa341bd0e27c1c18018ade2c59855ad3bc7147c8eec79e771145c8be7296d7a8a7a5de11a6b5e89742ded310b24

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
c7e57b3d58b2587d048d49fdf6c8cfac

SHA1
dfd110940fcc87d6ab55a16b47b89b6ddf4420e0

SHA256
fdb1226509bd0091c8e16f2947ce0d5d875fe996f710949ea5335e1344439bed

SHA512
31142816a3e9d6d3847f44e741688223018a80ea899178b2b08c956ddab911f6fb986ec81e202b9c449adde163f87c5b3be52d8813e7cc2c2737e5f03c884edf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
2d8b886692b52d7ac665e5d4cfe1302e

SHA1
6e89a15e5951a65efff32f3b45b18da28feb1989

SHA256
48475c45f7888f1646361837b0af9b4224a69224f358e1460503a23facd0c686

SHA512
47778b7d44841f5a74af9d709ccd2cd16cfbbc2cf905d87f1f7cb8cc4ae05ea6b551345e4b47ff861248c7335495ea2a2f550dcb7a7f3445581291d2e40eb3cf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
88112443b0ce3b1f1a081c8f8e953e2b

SHA1
ec16b418999d3b803274323466db5b5e55fac913

SHA256
0af42a43b46d629e3eb19cdb4a6fcf6460b1cff4b5f9e222119d46d04f99a81d

SHA512
3330b48f1c04d983803c890c35a2e8a50f14fee76c217a7547bf9a001a9bc0c69eb972c67b8c10b0b3c89138014203494c7f45135d8caefee473be3b3f4a231e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
6b1b175df22c754012957586ab931c7d

SHA1
bd81d0b51af37a0fb6064e73ad89038941c92590

SHA256
628f527bc38db897c212d01680c1457743dcf8d3df77a912cb0c598ae027d9aa

SHA512
46a3fb9f69fcd42d8e3b29d68de7343da1acf5517d1e520c5c678ce18855d5accf14d961434fd8035ce697ae12bba7809c6bed298622aa11d2a5f386a67e5b2f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
236fb2e3f90158ec72cc5ce2b683dc9b

SHA1
523c6ea07fe53a2321a787965579fba70d277f6b

SHA256
626368974460e64716e958929bcd07c36098585e4fdd51851ece1cdbce24fa04

SHA512
7da43586878dfef3fa03de33b5049f204fe6766a975a5a6ee7e8cd69ab8633cc0c570e8a2bd3474de9160624324f914477591b0d4dd8706f2cb30f2cc652ec8b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0978df4abd399bca2594f8a285d9c097\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
1bce1677949b4224e1d1b994c75e2d53

SHA1
5d9c6f80b95ff0581ff9e381806769aab94035e3

SHA256
9071d1717777551676d44b1e60a194edaaad266be848fcd58cf1db002e2e88bc

SHA512
2d0466943bfa52abd92eea23db037e6a67fee1d2298b98c0b75076488c6203f89a9820cf94859b2abb78a0b700e5225d19919956bd50efbe3616fab3872598fa

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d7b29d7797fefd80a8f77c98eebddc11\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
a03c831cb51ed63213ead308a53d7354

SHA1
4f6a9189d8d56bf2449235f23cc2278bf5132b51

SHA256
130ee203551dc5378ec6c5f3a6408aa0c9f2b03e8b31ea980926f645344d939e

SHA512
ba28351932abfb7d03e01b81a6face909a573335850846507fe274b48a0ead697c71cd4743ebfa4acd8f5809ef0cecaabc43b0aea45c6d9d29fad836e5965bc0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B1F.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll

Filesize
187KB

MD5
6cad3e51ab8b4cf239261690e984cb85

SHA1
0234c9ca3bd2eb462b9a105461c91fb19c7d697b

SHA256
a237f9ca234e42acefe3db2d54af1fa4fe4eef1f3984913b6801e8ebca89d360

SHA512
7788948a56dd0e32382fe0cc0d8a81e6a0249d4e3c6881363ae2138e25a69737e8dfbc31c9fcfaee5f20844156b4e3e22073553ef25eb846272db8b879edf65c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
cc9df85a90bf73a2eeef52b5c7c8aaba

SHA1
5400f4273adc2c77be98211ffcc6c29374e91576

SHA256
84b984599d2dc7db4125ad89e759c7ea883a943f5763f8d9a90b48583241ec1b

SHA512
3b057d5471f4e1240a96b322063c7359d1b0b2cde799228da85c5b1cef07c527a6fc533a40901e560a4aefd36f0157e25802687e6c43b8bff8eae354639f3e9f

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
04bd8386aaedab90e634ebb8be0c024a

SHA1
47eb97c5b08a1d701253cfa725473bf7ef9531ab

SHA256
081516a0961ae9c4d7f727d7893c36e924748a978d894d4b64d228f093f7bdc7

SHA512
3d1cac0e2fdf992d4d6a5653cc98ec2bc1a0a476abfaab9b77620c837c4fb8246e2c30f93cc63b2d2c34b5b95f5ff59417b45e44dd4edee47ad71d9cadc7cb43

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
b75900b43a8b72dfe6ed2fe8081a4bb3

SHA1
1e8bea76aad31a76924562c470f2d6f8ac3dd59b

SHA256
237f4caf9ba325198d78faf3acaaedcdc1e06b2f4c86343cf6f762f35174d5c9

SHA512
b058cb18fe2798d92b9849050cbf28c13ae0adc0d076ff558e0a9d4e3005ec48592ef0243243b537ab9bf3e5eeb6387bb0751c3d5444536a0fe79fc9190cb225

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
0dad56a0541f5d7246d4e0b8c1e71a23

SHA1
db78b84f3b35f1cb44c9e4458c5715427620e7d4

SHA256
d4e20c7007b6e00201fb582826b892fc500b87a98042e50c2f3b0f037fd56f4b

SHA512
a16f5bcc735384b319bdedb15daed918d9e41ab40b534caf4887dc6f04a29825745b9a1dd4f17243dc63e52d920fec45acc3ebc3a4bf2d749ec41e76cb3879d6

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
20674b9fc78ec17688784e1f8b577e59

SHA1
a3965873eef716b634aa664fdd08842000e29065

SHA256
a74c334642a28af47457c7d52b02814ce41ec0bd801b449d7c275ced1216c59d

SHA512
8f078f50c43027a020d6ba5a909114061150eded0de954b130f68aeffbf9ee721b44e02d4a5333763562812ca191e0a34c8ef347828bdcdd118d8daabb65c39f

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
579640c3878474e6ba12f8c77d0b2270

SHA1
96a1f146ca099a642978aa023a1823971d9542c2

SHA256
69c67debdea4276e71ad4bb18862e13e05fba411d9f591a66af1aabd12f8889d

SHA512
05d6ccb7c9f963592411d7325aa07650dbadce05ac126f4d7e5dc336f6076c84ebbed0ab3a72c915cd1c00c86f087a6ce0c34a631b4efe33265b79fe6587c264

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
1e219875757fddac38a99facb7860d24

SHA1
6ff84727afc9c80cd977afce35dcac0bfc9fb391

SHA256
1f8723a2a06ea9f7a9bc47dcd473e7bb0f13ff5cde0691342471ba0da6d0a11c

SHA512
9047b39cb14faa6da1a2802094177ecd79c0890b2132150798caeaa6bd290ebda5f33ab49563fb2092f4a1f49501198d5f1808b5d7cc016be98f8c38eeee3772

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
363f22654794b414687d346f89c75065

SHA1
fe8a395c4f3f4cead56291fc8dad22841a5a6f9d

SHA256
fe586a26b4daf8247d556b7d822052633c91dff9f499053b01a23e073ade0c38

SHA512
f89e97a2319b5bc5396070f57b40c95c0f2f1dd15ae272fc7d0caebb39f669af9359ca4e9977db1f64736efd03caf9d78a1f2bff97213a119afb51b498369ddf

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
5941e5d41d4dd313fb013c75b13f8d4b

SHA1
3028a2abb2cbcc20fbeb9450359bd3fa4310ceb9

SHA256
00a3460b32a88209f8a36569bd095de9e1049ccfdc10e8cb0582013841e80ed2

SHA512
ba4eb4d3b8a9dc3c19feee8a96228ad1ff60f3a98026aae4e6058c10ac18f06374e8bfd780b0c8fb67ab64365becfbdb98f3048e563b59eac471dd0572a8f248

Download Submit
memory/684-510-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/684-518-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/692-193-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/692-473-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/692-806-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/816-322-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/816-342-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/824-692-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/872-428-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/872-472-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1060-506-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1060-486-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1140-613-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1140-608-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1312-358-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1312-392-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1316-430-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1316-406-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1320-705-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1320-682-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1352-838-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1352-939-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1500-644-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1500-638-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1520-485-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1520-216-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1580-770-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1596-637-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1604-239-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1604-509-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1732-924-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/1840-184-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1840-816-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1840-417-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1840-177-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1840-178-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1896-220-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1896-497-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1896-811-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2008-395-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2008-166-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2008-165-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2008-159-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2040-484-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2060-103-0x0000000000E40000-0x0000000000EA0000-memory.dmp

Filesize
384KB

Download
memory/2060-102-0x0000000000E40000-0x0000000000EA0000-memory.dmp

Filesize
384KB

Download
memory/2060-97-0x0000000000E40000-0x0000000000EA0000-memory.dmp

Filesize
384KB

Download
memory/2060-215-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2060-95-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2132-956-0x0000000001270000-0x000000000128E000-memory.dmp

Filesize
120KB

Download
memory/2132-1038-0x0000000001270000-0x0000000001280000-memory.dmp

Filesize
64KB

Download
memory/2132-1009-0x0000000001270000-0x0000000001314000-memory.dmp

Filesize
656KB

Download
memory/2132-1024-0x0000000001E90000-0x000000000202E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-1037-0x0000000001270000-0x000000000135C000-memory.dmp

Filesize
944KB

Download
memory/2132-350-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2132-145-0x00000000004B0000-0x0000000000516000-memory.dmp

Filesize
408KB

Download
memory/2132-969-0x0000000001270000-0x00000000012FC000-memory.dmp

Filesize
560KB

Download
memory/2132-140-0x00000000004B0000-0x0000000000516000-memory.dmp

Filesize
408KB

Download
memory/2132-941-0x0000000001E90000-0x0000000001E9A000-memory.dmp

Filesize
40KB

Download
memory/2132-958-0x0000000001270000-0x000000000128A000-memory.dmp

Filesize
104KB

Download
memory/2132-139-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2156-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2156-158-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2156-312-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2156-8-0x0000000000900000-0x0000000000966000-memory.dmp

Filesize
408KB

Download
memory/2156-1-0x0000000000900000-0x0000000000966000-memory.dmp

Filesize
408KB

Download
memory/2216-775-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2260-553-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2260-578-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2332-799-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2384-122-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2384-597-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2384-130-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/2384-188-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2384-124-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/2392-825-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2392-936-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2416-555-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2416-579-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2480-853-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2512-735-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2512-717-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2516-718-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2528-864-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2548-876-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2548-115-0x00000000004C0000-0x0000000000526000-memory.dmp

Filesize
408KB

Download
memory/2548-108-0x00000000004C0000-0x0000000000526000-memory.dmp

Filesize
408KB

Download
memory/2548-107-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2548-156-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2552-609-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2552-759-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2556-340-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2556-567-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2588-552-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2608-940-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2676-896-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2740-192-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2740-39-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2740-40-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2740-31-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2748-659-0x0000000003C40000-0x0000000003CFA000-memory.dmp

Filesize
744KB

Download
memory/2748-672-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2768-802-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2768-914-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2768-788-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2824-938-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2848-886-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/3020-740-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download