c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a

Analysis

max time kernel
138s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
Size

1.8MB
MD5

cf4cc4baf1be7a3fc780de85b390b7db
SHA1

bad149c0bb4c0e2e1b7405c6b83a25713a3bd5a4
SHA256

c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a
SHA512

c8f8b082accdf87985914504bfd6e6499cab9b7c3cf332eb4e62978bec8323f51b1abbe1e05a562f6384457534de2ac022f7a046a68a9e7583efee32556a8534
SSDEEP

49152:vx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAIgDUYmvFur31yAipQCtXxc0H:vvbjVkjjCAzJiU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
460	Process not Found
2764	alg.exe
1804	aspnet_state.exe
2232	mscorsvw.exe
1692	mscorsvw.exe
1460	mscorsvw.exe
2076	mscorsvw.exe
2816	ehRecvr.exe
1616	ehsched.exe
1640	elevation_service.exe
2836	GROOVE.EXE
2552	maintenanceservice.exe
2448	OSE.EXE
900	mscorsvw.exe
2136	mscorsvw.exe
2348	mscorsvw.exe
1712	mscorsvw.exe
2744	mscorsvw.exe
2732	mscorsvw.exe
1988	mscorsvw.exe
2132	mscorsvw.exe
1920	mscorsvw.exe
812	mscorsvw.exe
876	mscorsvw.exe
1612	mscorsvw.exe
2348	mscorsvw.exe
2960	mscorsvw.exe
2980	mscorsvw.exe
2256	mscorsvw.exe
2888	mscorsvw.exe
1464	mscorsvw.exe
2308	mscorsvw.exe
1964	mscorsvw.exe
2296	mscorsvw.exe
112	mscorsvw.exe
2596	mscorsvw.exe
2228	mscorsvw.exe
2964	mscorsvw.exe
2600	IEEtwCollector.exe
2308	msdtc.exe
1048	msiexec.exe
2644	perfhost.exe
2032	locator.exe
2900	snmptrap.exe
1368	vds.exe
2128	vssvc.exe
2828	wbengine.exe
2484	WmiApSrv.exe
2264	wmpnetwk.exe
108	SearchIndexer.exe
1656	mscorsvw.exe
1408	mscorsvw.exe
2896	mscorsvw.exe
2992	mscorsvw.exe
1632	mscorsvw.exe
2664	mscorsvw.exe
1972	mscorsvw.exe
1656	mscorsvw.exe
2248	mscorsvw.exe
2992	mscorsvw.exe
2456	mscorsvw.exe
1608	mscorsvw.exe
1700	mscorsvw.exe
556	mscorsvw.exe

Loads dropped DLL 50 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
1048	msiexec.exe
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
744	Process not Found
1632	mscorsvw.exe
1632	mscorsvw.exe
1972	mscorsvw.exe
1972	mscorsvw.exe
2248	mscorsvw.exe
2248	mscorsvw.exe
2456	mscorsvw.exe
2456	mscorsvw.exe
1700	mscorsvw.exe
1700	mscorsvw.exe
1600	mscorsvw.exe
1600	mscorsvw.exe
1352	mscorsvw.exe
1352	mscorsvw.exe
1520	mscorsvw.exe
1520	mscorsvw.exe
2536	mscorsvw.exe
2536	mscorsvw.exe
1296	mscorsvw.exe
1296	mscorsvw.exe
2400	mscorsvw.exe
2400	mscorsvw.exe
1556	mscorsvw.exe
1556	mscorsvw.exe
2192	mscorsvw.exe
2192	mscorsvw.exe
2592	mscorsvw.exe
2592	mscorsvw.exe
2944	mscorsvw.exe
2944	mscorsvw.exe
2044	mscorsvw.exe
2044	mscorsvw.exe
1660	mscorsvw.exe
1660	mscorsvw.exe
1352	mscorsvw.exe
1352	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d1c3c8f6d264f17b.bin	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM1DFC.tmp\goopdateres_fa.dll	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1DFC.tmp\goopdateres_nl.dll	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1DFC.tmp\goopdateres_sr.dll	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1DFC.tmp\goopdateres_vi.dll	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1DFC.tmp\goopdateres_bg.dll	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1DFC.tmp\GoogleCrashHandler64.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1DFC.tmp\goopdateres_it.dll	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1DFC.tmp\GoogleUpdateOnDemand.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1DFC.tmp\goopdateres_fi.dll	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1DFC.tmp\goopdateres_is.dll	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\SuspendRead.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1DFC.tmp\goopdateres_sk.dll	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1DFC.tmp\GoogleCrashHandler.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1DFC.tmp\goopdateres_sv.dll	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1DFC.tmp\GoogleUpdateBroker.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1DFC.tmp\goopdateres_en.dll	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1DFC.tmp\goopdateres_hr.dll	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1DFC.tmp\GoogleUpdateSetup.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP38A.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP28D5.tmp\stdole.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFAC3.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP118E.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP25AA.tmp\ehiVidCtl.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP712.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{84C72EBA-7DFA-41EB-9899-46339528FA80}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040b7f3714bd5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020a6c8734bd5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000604bee774bd5da01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2656	ehRec.exe
1804	aspnet_state.exe
1804	aspnet_state.exe
1804	aspnet_state.exe
1804	aspnet_state.exe
1804	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1656	c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
Token: SeShutdownPrivilege	1460	mscorsvw.exe
Token: SeShutdownPrivilege	2076	mscorsvw.exe
Token: 33	1028	EhTray.exe
Token: SeIncBasePriorityPrivilege	1028	EhTray.exe
Token: SeShutdownPrivilege	1460	mscorsvw.exe
Token: SeDebugPrivilege	2656	ehRec.exe
Token: SeShutdownPrivilege	2076	mscorsvw.exe
Token: SeShutdownPrivilege	1460	mscorsvw.exe
Token: SeShutdownPrivilege	1460	mscorsvw.exe
Token: SeShutdownPrivilege	2076	mscorsvw.exe
Token: SeShutdownPrivilege	2076	mscorsvw.exe
Token: 33	1028	EhTray.exe
Token: SeIncBasePriorityPrivilege	1028	EhTray.exe
Token: SeShutdownPrivilege	1460	mscorsvw.exe
Token: SeShutdownPrivilege	2076	mscorsvw.exe
Token: SeDebugPrivilege	2764	alg.exe
Token: SeShutdownPrivilege	1460	mscorsvw.exe
Token: SeShutdownPrivilege	2076	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1804	aspnet_state.exe
Token: SeRestorePrivilege	1048	msiexec.exe
Token: SeTakeOwnershipPrivilege	1048	msiexec.exe
Token: SeSecurityPrivilege	1048	msiexec.exe
Token: SeShutdownPrivilege	1460	mscorsvw.exe
Token: SeShutdownPrivilege	1460	mscorsvw.exe
Token: SeShutdownPrivilege	1460	mscorsvw.exe
Token: SeBackupPrivilege	2128	vssvc.exe
Token: SeRestorePrivilege	2128	vssvc.exe
Token: SeAuditPrivilege	2128	vssvc.exe
Token: SeBackupPrivilege	2828	wbengine.exe
Token: SeRestorePrivilege	2828	wbengine.exe
Token: SeSecurityPrivilege	2828	wbengine.exe
Token: SeShutdownPrivilege	1460	mscorsvw.exe
Token: SeShutdownPrivilege	2076	mscorsvw.exe
Token: SeDebugPrivilege	1804	aspnet_state.exe
Token: SeShutdownPrivilege	2076	mscorsvw.exe
Token: SeShutdownPrivilege	2076	mscorsvw.exe
Token: SeShutdownPrivilege	1460	mscorsvw.exe
Token: 33	2264	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2264	wmpnetwk.exe
Token: SeManageVolumePrivilege	108	SearchIndexer.exe
Token: 33	108	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	108	SearchIndexer.exe
Token: SeShutdownPrivilege	2076	mscorsvw.exe
Token: SeShutdownPrivilege	1460	mscorsvw.exe
Token: SeShutdownPrivilege	2076	mscorsvw.exe
Token: SeShutdownPrivilege	1460	mscorsvw.exe
Token: SeShutdownPrivilege	2076	mscorsvw.exe
Token: SeShutdownPrivilege	1460	mscorsvw.exe
Token: SeShutdownPrivilege	2076	mscorsvw.exe
Token: SeShutdownPrivilege	1460	mscorsvw.exe
Token: SeShutdownPrivilege	2076	mscorsvw.exe
Token: SeShutdownPrivilege	1460	mscorsvw.exe
Token: SeShutdownPrivilege	2076	mscorsvw.exe
Token: SeShutdownPrivilege	1460	mscorsvw.exe
Token: SeShutdownPrivilege	2076	mscorsvw.exe
Token: SeShutdownPrivilege	1460	mscorsvw.exe
Token: SeShutdownPrivilege	2076	mscorsvw.exe
Token: SeShutdownPrivilege	1460	mscorsvw.exe
Token: SeShutdownPrivilege	2076	mscorsvw.exe
Token: SeShutdownPrivilege	1460	mscorsvw.exe
Token: SeShutdownPrivilege	2076	mscorsvw.exe
Token: SeShutdownPrivilege	1460	mscorsvw.exe
Token: SeShutdownPrivilege	2076	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1028	EhTray.exe
1028	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1028	EhTray.exe
1028	EhTray.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
1516	SearchProtocolHost.exe
1516	SearchProtocolHost.exe
1516	SearchProtocolHost.exe
1516	SearchProtocolHost.exe
1516	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 900	1460	mscorsvw.exe	43
PID 1460 wrote to memory of 900	1460	mscorsvw.exe	43
PID 1460 wrote to memory of 900	1460	mscorsvw.exe	43
PID 1460 wrote to memory of 900	1460	mscorsvw.exe	43
PID 1460 wrote to memory of 2136	1460	mscorsvw.exe	44
PID 1460 wrote to memory of 2136	1460	mscorsvw.exe	44
PID 1460 wrote to memory of 2136	1460	mscorsvw.exe	44
PID 1460 wrote to memory of 2136	1460	mscorsvw.exe	44
PID 1460 wrote to memory of 2348	1460	mscorsvw.exe	55
PID 1460 wrote to memory of 2348	1460	mscorsvw.exe	55
PID 1460 wrote to memory of 2348	1460	mscorsvw.exe	55
PID 1460 wrote to memory of 2348	1460	mscorsvw.exe	55
PID 1460 wrote to memory of 1712	1460	mscorsvw.exe	46
PID 1460 wrote to memory of 1712	1460	mscorsvw.exe	46
PID 1460 wrote to memory of 1712	1460	mscorsvw.exe	46
PID 1460 wrote to memory of 1712	1460	mscorsvw.exe	46
PID 1460 wrote to memory of 2744	1460	mscorsvw.exe	47
PID 1460 wrote to memory of 2744	1460	mscorsvw.exe	47
PID 1460 wrote to memory of 2744	1460	mscorsvw.exe	47
PID 1460 wrote to memory of 2744	1460	mscorsvw.exe	47
PID 1460 wrote to memory of 2732	1460	mscorsvw.exe	48
PID 1460 wrote to memory of 2732	1460	mscorsvw.exe	48
PID 1460 wrote to memory of 2732	1460	mscorsvw.exe	48
PID 1460 wrote to memory of 2732	1460	mscorsvw.exe	48
PID 1460 wrote to memory of 1988	1460	mscorsvw.exe	49
PID 1460 wrote to memory of 1988	1460	mscorsvw.exe	49
PID 1460 wrote to memory of 1988	1460	mscorsvw.exe	49
PID 1460 wrote to memory of 1988	1460	mscorsvw.exe	49
PID 1460 wrote to memory of 2132	1460	mscorsvw.exe	50
PID 1460 wrote to memory of 2132	1460	mscorsvw.exe	50
PID 1460 wrote to memory of 2132	1460	mscorsvw.exe	50
PID 1460 wrote to memory of 2132	1460	mscorsvw.exe	50
PID 1460 wrote to memory of 1920	1460	mscorsvw.exe	51
PID 1460 wrote to memory of 1920	1460	mscorsvw.exe	51
PID 1460 wrote to memory of 1920	1460	mscorsvw.exe	51
PID 1460 wrote to memory of 1920	1460	mscorsvw.exe	51
PID 1460 wrote to memory of 812	1460	mscorsvw.exe	52
PID 1460 wrote to memory of 812	1460	mscorsvw.exe	52
PID 1460 wrote to memory of 812	1460	mscorsvw.exe	52
PID 1460 wrote to memory of 812	1460	mscorsvw.exe	52
PID 1460 wrote to memory of 876	1460	mscorsvw.exe	53
PID 1460 wrote to memory of 876	1460	mscorsvw.exe	53
PID 1460 wrote to memory of 876	1460	mscorsvw.exe	53
PID 1460 wrote to memory of 876	1460	mscorsvw.exe	53
PID 1460 wrote to memory of 1612	1460	mscorsvw.exe	54
PID 1460 wrote to memory of 1612	1460	mscorsvw.exe	54
PID 1460 wrote to memory of 1612	1460	mscorsvw.exe	54
PID 1460 wrote to memory of 1612	1460	mscorsvw.exe	54
PID 1460 wrote to memory of 2348	1460	mscorsvw.exe	55
PID 1460 wrote to memory of 2348	1460	mscorsvw.exe	55
PID 1460 wrote to memory of 2348	1460	mscorsvw.exe	55
PID 1460 wrote to memory of 2348	1460	mscorsvw.exe	55
PID 1460 wrote to memory of 2960	1460	mscorsvw.exe	56
PID 1460 wrote to memory of 2960	1460	mscorsvw.exe	56
PID 1460 wrote to memory of 2960	1460	mscorsvw.exe	56
PID 1460 wrote to memory of 2960	1460	mscorsvw.exe	56
PID 1460 wrote to memory of 2980	1460	mscorsvw.exe	57
PID 1460 wrote to memory of 2980	1460	mscorsvw.exe	57
PID 1460 wrote to memory of 2980	1460	mscorsvw.exe	57
PID 1460 wrote to memory of 2980	1460	mscorsvw.exe	57
PID 1460 wrote to memory of 2256	1460	mscorsvw.exe	58
PID 1460 wrote to memory of 2256	1460	mscorsvw.exe	58
PID 1460 wrote to memory of 2256	1460	mscorsvw.exe	58
PID 1460 wrote to memory of 2256	1460	mscorsvw.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe
"C:\Users\Admin\AppData\Local\Temp\c5eb4991a16834c7cfe64f5f44c8b36d43f9bb72eec114db3e86f10243d03a9a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2232

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 240 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 248 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 248 -NGENProcess 25c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 260 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 274 -NGENProcess 254 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 240 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 284 -NGENProcess 24c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 264 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 274 -NGENProcess 248 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 254 -NGENProcess 290 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 240 -NGENProcess 258 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 298 -NGENProcess 284 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 268 -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 258 -NGENProcess 240 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 298 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 260 -NGENProcess 29c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 29c -NGENProcess 268 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 240 -NGENProcess 284 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 2a8 -NGENProcess 264 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 22c -NGENProcess 2a0 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 23c -NGENProcess 25c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 250 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d4 -NGENProcess 2a0 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 22c -NGENProcess 25c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 2a0 -NGENProcess 25c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 1c4 -NGENProcess 220 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 220 -NGENProcess 22c -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 2b0 -NGENProcess 25c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 25c -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 240 -NGENProcess 22c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 22c -NGENProcess 2b0 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 2a8 -NGENProcess 1c4 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 1c4 -NGENProcess 240 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 298 -NGENProcess 2b0 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b0 -NGENProcess 2a8 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 27c -NGENProcess 240 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 240 -NGENProcess 298 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 2b4 -NGENProcess 2a8 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2a8 -NGENProcess 27c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2bc -NGENProcess 298 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 298 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2c4 -NGENProcess 27c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 27c -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2cc -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2dc -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2f8 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2ec -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 120 -NGENProcess 2fc -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 2fc -NGENProcess 308 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 308 -NGENProcess 2dc -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 1f0 -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2f4 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2ec -Pipe 120 -Comment "NGen Worker Process"
  2⤵
  PID:1264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 1f0 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2f4 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:1104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2ec -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 1f0 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:2680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2f4 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2ec -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 1f0 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2f4 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2ec -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 1f0 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2f4 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:1520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 32c -NGENProcess 2ec -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 348 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 34c -NGENProcess 2f4 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 32c -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 348 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:1352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 2f4 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 32c -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 348 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:1784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 2f4 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 32c -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 348 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 2f4 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 2f4 -NGENProcess 370 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:3036

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2964

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2816

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1616

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1028

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1640

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2836

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2552

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2448

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2600

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2308

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2644

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2900

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1368

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2484

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:108
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1516
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  - Modifies data under HKEY_USERS
  PID:2708
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
9490225d376ae094b73d439be1980566

SHA1
d0dc53949da2bb078f5ebb3743f0db0d1721e329

SHA256
09861c89d872b1e82b7173393af24d2484fcc7c2e953be3f2bc2f3e5087bdd50

SHA512
388eb646ac28c3b044d1cbe15cc7617d945c123e2b52f41f7ffcd5a415ab6a5db1669ad49e27bb1142d8fb04c531bdb97f4840710567030f01dabf48a0db31ee

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
5675682dc8f3350f32e6866ef0468c11

SHA1
1a4b38fcdc213c7bb8e117b1b4c770b330897481

SHA256
0e571c03d7114ea38e262b751a80025167dcd65de1789b8043a8ff8ac150e8e4

SHA512
2b4a130f375d58ef6f12ba22763ab758a597d85a0e5311048151a7a305ff2a04c32ea5cf2b898af6913abe438ea09c7dfe3792a74c267a71d565b66a0dd48a8f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
7776041bd1d7e028b5115024cef8095d

SHA1
376c789cfd91ef3d362fd577645cc2ed91c5f3cb

SHA256
faa483fb040f8beb9c7ddcd4d962599f39bd182f7201236b126b8962c2ba2a64

SHA512
ae82a916e6b2ac9c162223f0efc81f0bb3add6dc56043a3826f14250186d5ee268e1a83423a0ac3463588585cd269997a584d54f08dc3eddfc62e8f59e3171c7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
680d67f0d01766bb7e09bbf2781680b2

SHA1
1b9d00a5fe6a5e5d8311f287a497d8d10f92288e

SHA256
27b1aca1782c2ab4c9e7fcea0a1b3ace9d89d0a64440ebc3d774e0286f662ac1

SHA512
7a1c312cd7ba448c5bead888365fdc1b1ce09d9150fc6f5e946274dce0c3d21d90dce9eed9ae58b728964e2f811f5efa42181718d72c5de3869472a61dddfa7c

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
d10c27f59dfdc972c4de635687df4614

SHA1
3ebd0ac94d845bca26c36a05e3a70f75561fe3e4

SHA256
71636872ba48e12fbf90eec49168337910ef98ad0ee00cda106f2904c83f8f65

SHA512
4c649ed28619302cbad9f1a2455bd4f2970b05f59740d642c4691f073df9e195bd6fcbcda107ffe7ad7b095bcff68c1882744e86fb374c4224f804850010bf4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
11efef2bdccbe886700d72e37cefe96d

SHA1
9248eae80ec25d57ca722de93b999a41594649f2

SHA256
a1cac8ca11c4678fbdb2032ba9128241e213b8f2ae8bcb55024dbe2cfc9dbc6a

SHA512
7c92fe4c5d5c53edccfc0358c757859f0a45a9f3366e724914c10ba08bacb49078294a36f157784e83ffaed9594f863ddac255cb3d86b00da7680bdd03414b8b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
5a5d74927368090aa0fddf57f408c300

SHA1
6e7474ecd3c77bf32e436c604ec061f8204a68ea

SHA256
5fca43fe33b49fe33e302480f244e8c37944666a6653d00a341b8be148c74068

SHA512
374280956edc1fb8fa123e7c1f980c1148b1b503c9c06d3c2715c853f99f331993d36da3d6b2ccf9d4b8949ec84965fbc5617ba42133b18da5509393728b0778

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
ae9530dbf941b8f46ca4bc868b2eea60

SHA1
43eb69677aa0db797426353d395cb7da8a9a7631

SHA256
83037771fe608b91c4852a7041acfe21bdf0c83abddea9142b8369b08f18ff26

SHA512
290afb24e6ca4b17fa89d0ffdd9c32b5fa7366ceda3c70fc3c331fc8020a5ccc4cceeac0ee692d9c9959a72cf8cd11ded98d4ad09b20fa0eb785292cdadcf842

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
a16416215fd37508e9cf79898569732f

SHA1
62f9af665f2aea49369ca56225472f023e99636b

SHA256
b01b8b1a452668692293029a1e26cd22220d2207bb56b8a19410850ec6ffaafd

SHA512
6e5a92f7233bd77f0696a20d26dc6bc51ff9d3789072880aaff56f88b29431283d04f059dbf552966e52585b9627557b231aae669c1e45a0207c9c73729befd1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b9d11ad8ae1ed3c0e1525cb12771868a

SHA1
0fa81892c16ccf79a348af18ece1a31559097d5a

SHA256
d70a0f1f7457b6a4a80232623d754255bd95c3b466a5c8371df72969536927e4

SHA512
321deb0e6571270a171f4c9477cc69163d50d5e95a0f93507c36ce53da15c7c822a9b9807453c44639d34fed20f88b9b485cfb030c254a5a4b33fb1a19d1d6dc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
9dcb517b984d6c4a071f8c0abd37e3ef

SHA1
7f6e4d0ed7a6a3895aae1c162cf60e2a58807a8e

SHA256
87c5da3d8d7b90aa6b23f92a3c05a2deb2927fd6f296e5c800fd54f9ccdcc11e

SHA512
961189643decd2ec8a799a7475cdbbbbcfeb53aa0931765f47d584bd18c7cec622e04300ea1dfb308120a3f8baf3c85379565fc8be4f8bb5534df9c4140c60e8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
cbca543b0ff3af55e5a5640fd94e35da

SHA1
6b24ee3ca7bbb80dfa1e51a52eef2e0710439258

SHA256
7fe69381eff5a40e71000debd06ae87f06f9bd952e3d1cb0f124bf7d8bfcf386

SHA512
d3dc6387d553061533dbcaf5015b8945751279ca948039c421219be862bebbc365cfcc84c10b9a29521c557302956bc344e0d6cf1166512b068649a3689c937a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.9MB

MD5
88582e73712ea112dce8692e07c0ed3d

SHA1
67536a549a00959fb23d570a294fa3b38db6e1f3

SHA256
5786bba60c3b47b6e6e384cf77cb9acb9d76bd0d0e69f610c1898d33685dac49

SHA512
6d97b7ff00987bf92133b63c819cf9d0f1a83ff4de33eba7a9b61755661a57f316b3d5c485c593265d31e46bdd2834092ae970deafbb68dfeb9d3dd4c962176b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\2aae165992cd9b122f6460217cfcfa33\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
154a7dd716f0e7b7fe35745e2e77ce69

SHA1
ef9f2bc84e28bfc3b1a7b59396901e556c3e87ec

SHA256
b7202f722ef8940656dc3346f6b008e84dd28246cb4e993dafe51a220fe0f659

SHA512
e97698f0cb83ef82cc1e9f6d50a5872c3b8bebda013a8a9792410492e4199f7ce3b334715906787e8fab8bdc35d0c6c2b6a0289be071ea70ad632669dce06cbd

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a06de7e602db2cb6faef38c180fd6d64\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
e5f8eada727db4e443fa81b936a56a18

SHA1
05a20df94c55f9010af2cf4e0b29420147fd7c6b

SHA256
a3fa034acffc5fcb9dc2e598a834dfb01cf52fd30adebdc55d241bd17e16c6fb

SHA512
1fbeedbe344e97c8ef4877c9a3894a6ddcc878b8d5dc8a07520b7f05f65b809e11269850c4f254a3c0d3b901380e691dcc308c89d17534e162d7d0d605d9a000

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d3922a3a195d43c68ce270facf014488\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
7c997dc9d89f2c044e52fa0a396b2d28

SHA1
a4ae228f74b4298c277e79161ce4d361dbd38d1b

SHA256
031153315563c5eadbf6b09ed3f97a6f645afbb5b4afdf22ab7761feb5710a07

SHA512
30368e8f3c9d7feb4bcdb178174f79213a2be289cc158c566298f54a9b8111275cb8c38b8d1f316973de1c6c93c6a134e042af9c150c4fcff312de0a8647a594

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
68348df19cfa85032fcab5e86395f7cd

SHA1
99335c621743fc35ffcb0c073e0c1bfc5780a0f5

SHA256
1f78db6c5aa67aea0dba3d6f90dcbdd88e25ad247a82b7b2c35e412030e3b382

SHA512
59428b3f3d7de09bfa23eb2910afa84aa5cbbf8d194d42938e37da8a25498a813de510a727d427cf7d24527b211b74cce61d9f90e14dae07f2f15f96df61691a

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
894ff55d6dd4d20e030e5dc0369702d1

SHA1
21f395390bc242fdf8a983ffc76f8174d76e976f

SHA256
447a4f601057a713b3a0af42f1a6db7b6c11bc054fa37fc35d7359b067489eca

SHA512
e727bf8d96669e35e5d30780ad7c2c5212e70c7932ff30ef345d207fb8249a5749e475ce335ca2fb94386fc2d30c7792c59d95e6f704f241f51b1b1e1a8b4da7

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
778b61af62f8cea64e38af805f94bd1c

SHA1
7ef92a1c5e679ddc7f21216ed1fb72df00dd4582

SHA256
212d8b300a2e51f4aa3ee4856f32d8bc65ce353cc486968bfccc029421f3b543

SHA512
cc8fcd8dbeda8cd016a4e3227157c18107c4021ef6629f4035d73777fa4aa0c861cd58ccab625aefce9fc5e87ff261f75c3533d7329043615a013ba199274715

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
cc90679d8609e0cdd1f528a74d1cdcbc

SHA1
9655f19a10ad3534436fda77743ba8bbb94f4dcd

SHA256
f0828dd25331277688e3808f481925b6f950217ac60fe5c0e2cb17388f9b1a54

SHA512
887eba2f8786b4807cbd4652af86a98437f97ca6836831c88ba434278b0c7d2e0ebaac27289b9a491e0c90d690b52220a77a818155a16f0a72f1813419e9c3f3

Download Submit
\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
883aa5efa0868096647d0b9519a0d488

SHA1
1a6bc2a9ea3fec072d2f95a5ae9482992a52497c

SHA256
1e85b1f21d2b11abdfbe979165ccb437fb8c71c194381e4d72fb8697f60a7e1d

SHA512
aa847ed2809ce0b0b8e89fd202698e90a4ab7e7d9a18de21e9087886ed6cc370b96de7d5ce5625ecc226c0eddc614ff4fc97ea60cef3cdfd5133cd2b83c0355b

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
cc43325f51f14d0126fe73211980699d

SHA1
9aa439b2eabe631f155b386fa3e1870c58e6d08c

SHA256
0ee3307c7127f63b228563a30874b8e9cd67ecc65e248ce88ccae8a28741e0e5

SHA512
deba01df1d42fb8677a9e1768d0b2f13c0cfa3447c8128722a1fe685ee387f0b4e1b66f9f9598f870348a0c14ee43166addc8cc9850e86298c047e605545faab

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
8ded66487612539e456924f4e57af2b9

SHA1
20824c14a117354a023966d40831d67c12743467

SHA256
d505aa45d6ce89395eac0f47566d1c5a4c0d2907c2feb4812d595244b84454a3

SHA512
ac6e8484a2ddbbd99bf75b46fb9d31875ae4007b80b9a1505fc7da22ebd04dbd99c2b024124e455099100e15f2e0e4edb0bffda34b968e4ae15084d494bbf160

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
ab1d7afae14e0a8f469afdfdfd743315

SHA1
918b95a7af5e2fb6860da69dd6caf922dcfd05b3

SHA256
b3168780b9e2ad7d0ef0aac5e9cfa7d0ae952bf48b76123ab06257a4af16167e

SHA512
152b0b9df09f48081a63c270ffba0e6cf1d453f2f3472b459ed7279d8be0b2d89c0fc346c84254179c9a86844e021d622e0439344a8cfe9298535b2b4419b6f3

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
99ad0d8e038e15697d5c6a91175f3722

SHA1
43aad5ae7f64eb295b870e5742ba13b3a51fdb9b

SHA256
993e881d07cf95e7c638751ec4ac18cb046de2e6d6539624b4f219a6bff4b643

SHA512
f6151c573d6ff74f2ddd7ac8b491820c9393ae70dc6a7b0e486516d493c2f633096bfef0a00b11f311da393bb7aa62cf0d248ac0e5973a349c43e831380e0723

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
c4d14523ee69763d69a4f3629806064f

SHA1
7f9deafcf420ef3a86d400275d0276173078556d

SHA256
9dc4d5f8c00893b87e0a08c4f4dbcfa2077d8261d108bd9613807dbec1025b4a

SHA512
3b869bf56fabeb91bea0a282a8b009fd3313828b7f43b2115e2aae8e289d9d9d850f1048ba77b8a59df281595720a3ad6363b0c8d7a581bc753a72283adfe9ed

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
3afdf66ee50318abafcff7ed3e146e37

SHA1
36964aff05ac3b1210138222615d2a252d9eec41

SHA256
14e2e76ce31ab47dcbd246d8250ec1bfe0c745c2ea15c460485afbc817405acd

SHA512
503ed4fcc1101376de210f0020e660a2baf9cd2bac8746bde9ef4fa4bb0a087bbc288dda13e88341774c92f8d2dee4949a3322678905c81bb9b63e8017dff26d

Download Submit
memory/112-753-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/812-573-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/876-563-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/876-585-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/900-373-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/900-344-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1048-833-0x00000000005C0000-0x0000000000752000-memory.dmp

Filesize
1.6MB

Download
memory/1048-1416-0x00000000005C0000-0x0000000000752000-memory.dmp

Filesize
1.6MB

Download
memory/1048-1322-0x0000000100000000-0x0000000100192000-memory.dmp

Filesize
1.6MB

Download
memory/1048-831-0x0000000100000000-0x0000000100192000-memory.dmp

Filesize
1.6MB

Download
memory/1460-375-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1460-980-0x0000000001F80000-0x000000000211E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-937-0x0000000001D00000-0x0000000001D1E000-memory.dmp

Filesize
120KB

Download
memory/1460-938-0x0000000001D00000-0x0000000001D1A000-memory.dmp

Filesize
104KB

Download
memory/1460-918-0x0000000000C10000-0x0000000000C1A000-memory.dmp

Filesize
40KB

Download
memory/1460-1017-0x0000000001D00000-0x0000000001D88000-memory.dmp

Filesize
544KB

Download
memory/1460-1026-0x0000000001D00000-0x0000000001D24000-memory.dmp

Filesize
144KB

Download
memory/1460-1028-0x0000000000C10000-0x0000000000C18000-memory.dmp

Filesize
32KB

Download
memory/1460-1029-0x0000000001D00000-0x0000000001D2A000-memory.dmp

Filesize
168KB

Download
memory/1460-1009-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/1460-940-0x0000000001D00000-0x0000000001D8C000-memory.dmp

Filesize
560KB

Download
memory/1460-1030-0x0000000001D00000-0x0000000001D66000-memory.dmp

Filesize
408KB

Download
memory/1460-143-0x0000000000B80000-0x0000000000BE7000-memory.dmp

Filesize
412KB

Download
memory/1460-138-0x0000000000B80000-0x0000000000BE7000-memory.dmp

Filesize
412KB

Download
memory/1460-137-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1460-941-0x0000000001D00000-0x0000000001DA4000-memory.dmp

Filesize
656KB

Download
memory/1460-1006-0x0000000001D00000-0x0000000001DEC000-memory.dmp

Filesize
944KB

Download
memory/1464-674-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1612-605-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1616-478-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1616-756-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1616-190-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1640-286-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1640-487-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1656-8-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1656-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1656-275-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1656-166-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1656-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1692-121-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/1692-129-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/1692-123-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/1692-159-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/1712-459-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1712-470-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1804-96-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1804-102-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1804-289-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1804-95-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1920-561-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1964-723-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1988-522-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1988-536-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2032-1600-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2032-858-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2076-169-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2076-160-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/2076-167-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/2076-394-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-549-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2136-376-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2136-411-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2228-763-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2228-784-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2232-106-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2232-149-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2232-112-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2256-659-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2296-732-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2308-818-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/2308-707-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2308-1218-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/2348-447-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2348-626-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2348-405-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2348-604-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2448-323-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/2448-544-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/2552-313-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2552-308-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2596-759-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2596-752-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2600-811-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2600-1122-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2644-1509-0x0000000001000000-0x0000000001176000-memory.dmp

Filesize
1.5MB

Download
memory/2644-854-0x0000000001000000-0x0000000001176000-memory.dmp

Filesize
1.5MB

Download
memory/2732-516-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2744-492-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2744-479-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2764-176-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2764-39-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/2764-47-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/2764-45-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2816-797-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2816-178-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2816-184-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2816-177-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2816-455-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2836-298-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2836-520-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2888-677-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2888-657-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2900-878-0x0000000100000000-0x0000000100176000-memory.dmp

Filesize
1.5MB

Download
memory/2900-1628-0x0000000100000000-0x0000000100176000-memory.dmp

Filesize
1.5MB

Download
memory/2960-627-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2964-789-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2964-781-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2980-628-0x0000000001AB0000-0x0000000001B6A000-memory.dmp

Filesize
744KB

Download
memory/2980-639-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download