53d561c9a1d8ad5d4a6a753b8dfc8e420fb718702f6cf890977dde843c43c854

Analysis

max time kernel
37s
max time network
151s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
Size

3.2MB
MD5

cee8dda804755a3c76f593e4f2d74f77
SHA1

697ab100830e412d22e5100c55e32f2457a341d8
SHA256

53d561c9a1d8ad5d4a6a753b8dfc8e420fb718702f6cf890977dde843c43c854
SHA512

21cc8a248c42183c4910a5e632af26122ac7c0819e3752c255570f23ab849ac97c7c779a1054ae0945c652141dd3eb3ece53f211d27ba85bf43fe4b4926b8a91
SSDEEP

49152:poDUthVbt1uoxmq3kAkNyG5XHDwSOA7aw5OHdSjtNXFxWOitmgI8dTdg8LNiXico:SfAQhxFotmYt7wRGpj3

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 50 IoCs

pid	Process
480	Process not Found
2756	alg.exe
2664	aspnet_state.exe
2340	mscorsvw.exe
2336	mscorsvw.exe
2272	mscorsvw.exe
564	mscorsvw.exe
2512	ehRecvr.exe
2580	ehsched.exe
2880	elevation_service.exe
852	IEEtwCollector.exe
1924	GROOVE.EXE
1048	maintenanceservice.exe
2960	msdtc.exe
1780	msiexec.exe
1532	OSE.EXE
2716	perfhost.exe
2932	locator.exe
1452	snmptrap.exe
3124	vds.exe
3184	vssvc.exe
3260	wbengine.exe
3312	WmiApSrv.exe
3360	wmpnetwk.exe
3536	SearchIndexer.exe
3544	mscorsvw.exe
1116	mscorsvw.exe
3604	mscorsvw.exe
3896	mscorsvw.exe
4016	mscorsvw.exe
3228	mscorsvw.exe
3484	mscorsvw.exe
3936	mscorsvw.exe
3728	mscorsvw.exe
3916	mscorsvw.exe
3756	mscorsvw.exe
756	mscorsvw.exe
3716	mscorsvw.exe
2448	mscorsvw.exe
3100	mscorsvw.exe
4056	mscorsvw.exe
4036	mscorsvw.exe
3496	mscorsvw.exe
2448	mscorsvw.exe
3680	mscorsvw.exe
3332	mscorsvw.exe
3728	mscorsvw.exe
3256	mscorsvw.exe
3240	mscorsvw.exe
3456	mscorsvw.exe

Loads dropped DLL 14 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
1780	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
732	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2e717a97d00288fa.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{FD12A5CA-2AF7-4629-BA1C-8DD106514ACD}\chrome_installer.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 53 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{5D8313D7-9F7A-4F77-86CE-622C9F0242A9}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2240	chrome.exe
2240	chrome.exe
2844	ehRec.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1036	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2272	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: 33	2072	EhTray.exe
Token: SeIncBasePriorityPrivilege	2072	EhTray.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeRestorePrivilege	1780	msiexec.exe
Token: SeTakeOwnershipPrivilege	1780	msiexec.exe
Token: SeSecurityPrivilege	1780	msiexec.exe
Token: SeDebugPrivilege	2844	ehRec.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeBackupPrivilege	3184	vssvc.exe
Token: SeRestorePrivilege	3184	vssvc.exe
Token: SeAuditPrivilege	3184	vssvc.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2272	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeBackupPrivilege	3260	wbengine.exe
Token: SeRestorePrivilege	3260	wbengine.exe
Token: SeSecurityPrivilege	3260	wbengine.exe
Token: 33	2072	EhTray.exe
Token: SeIncBasePriorityPrivilege	2072	EhTray.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2272	mscorsvw.exe
Token: SeShutdownPrivilege	2272	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeManageVolumePrivilege	3536	SearchIndexer.exe
Token: 33	3360	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	3360	wmpnetwk.exe
Token: 33	3536	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3536	SearchIndexer.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeDebugPrivilege	2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	2476	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2072	EhTray.exe
2072	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2072	EhTray.exe
2072	EhTray.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
3816	SearchProtocolHost.exe
3816	SearchProtocolHost.exe
3816	SearchProtocolHost.exe
3816	SearchProtocolHost.exe
3816	SearchProtocolHost.exe
4060	SearchProtocolHost.exe
4060	SearchProtocolHost.exe
4060	SearchProtocolHost.exe
4060	SearchProtocolHost.exe
4060	SearchProtocolHost.exe
4060	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 2476	1036	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe	29
PID 1036 wrote to memory of 2476	1036	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe	29
PID 1036 wrote to memory of 2476	1036	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe	29
PID 1036 wrote to memory of 2240	1036	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe	30
PID 1036 wrote to memory of 2240	1036	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe	30
PID 1036 wrote to memory of 2240	1036	2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe	30
PID 2240 wrote to memory of 2748	2240	chrome.exe	31
PID 2240 wrote to memory of 2748	2240	chrome.exe	31
PID 2240 wrote to memory of 2748	2240	chrome.exe	31
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1620	2240	chrome.exe	36
PID 2240 wrote to memory of 1704	2240	chrome.exe	37
PID 2240 wrote to memory of 1704	2240	chrome.exe	37
PID 2240 wrote to memory of 1704	2240	chrome.exe	37
PID 2240 wrote to memory of 1684	2240	chrome.exe	38
PID 2240 wrote to memory of 1684	2240	chrome.exe	38
PID 2240 wrote to memory of 1684	2240	chrome.exe	38
PID 2240 wrote to memory of 1684	2240	chrome.exe	38
PID 2240 wrote to memory of 1684	2240	chrome.exe	38
PID 2240 wrote to memory of 1684	2240	chrome.exe	38
PID 2240 wrote to memory of 1684	2240	chrome.exe	38
PID 2240 wrote to memory of 1684	2240	chrome.exe	38
PID 2240 wrote to memory of 1684	2240	chrome.exe	38
PID 2240 wrote to memory of 1684	2240	chrome.exe	38
PID 2240 wrote to memory of 1684	2240	chrome.exe	38
PID 2240 wrote to memory of 1684	2240	chrome.exe	38
PID 2240 wrote to memory of 1684	2240	chrome.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Users\Admin\AppData\Local\Temp\2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-08-23_cee8dda804755a3c76f593e4f2d74f77_cobalt-strike_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=87.0.4280.66 --initial-client-data=0x17c,0x184,0x188,0x174,0x18c,0x140226750,0x140226760,0x140226770
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef78f9758,0x7fef78f9768,0x7fef78f9778
    3⤵
    PID:2748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1292,i,9683889615568305041,4640693970732183634,131072 /prefetch:2
    3⤵
    PID:1620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1292,i,9683889615568305041,4640693970732183634,131072 /prefetch:8
    3⤵
    PID:1704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1292,i,9683889615568305041,4640693970732183634,131072 /prefetch:8
    3⤵
    PID:1684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2072 --field-trial-handle=1292,i,9683889615568305041,4640693970732183634,131072 /prefetch:1
    3⤵
    PID:2648
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2092 --field-trial-handle=1292,i,9683889615568305041,4640693970732183634,131072 /prefetch:1
    3⤵
    PID:2808
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3200 --field-trial-handle=1292,i,9683889615568305041,4640693970732183634,131072 /prefetch:8
    3⤵
    PID:1968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1304 --field-trial-handle=1292,i,9683889615568305041,4640693970732183634,131072 /prefetch:2
    3⤵
    PID:2732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1376 --field-trial-handle=1292,i,9683889615568305041,4640693970732183634,131072 /prefetch:1
    3⤵
    PID:2632
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:3504
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x140137688,0x140137698,0x1401376a8
      4⤵
      PID:3620
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:3668
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x140137688,0x140137698,0x1401376a8
        5⤵
        
        PID:3692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4192 --field-trial-handle=1292,i,9683889615568305041,4640693970732183634,131072 /prefetch:8
    3⤵
    PID:3080
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4060 --field-trial-handle=1292,i,9683889615568305041,4640693970732183634,131072 /prefetch:8
    3⤵
    PID:3908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4052 --field-trial-handle=1292,i,9683889615568305041,4640693970732183634,131072 /prefetch:8
    3⤵
    PID:3272
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4032 --field-trial-handle=1292,i,9683889615568305041,4640693970732183634,131072 /prefetch:8
    3⤵
    PID:2252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3956 --field-trial-handle=1292,i,9683889615568305041,4640693970732183634,131072 /prefetch:8
    3⤵
    PID:3256
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3928 --field-trial-handle=1292,i,9683889615568305041,4640693970732183634,131072 /prefetch:8
    3⤵
    PID:3732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3808 --field-trial-handle=1292,i,9683889615568305041,4640693970732183634,131072 /prefetch:8
    3⤵
    PID:1120

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2756

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2340

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2336

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1d4 -NGENProcess 24c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 240 -NGENProcess 244 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d0 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 238 -NGENProcess 244 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 25c -NGENProcess 268 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 240 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 244 -NGENProcess 270 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 254 -NGENProcess 26c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 24c -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 278 -NGENProcess 270 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 26c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 254 -NGENProcess 24c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 250 -NGENProcess 280 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 288 -NGENProcess 26c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 290 -NGENProcess 24c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 290 -NGENProcess 288 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 254 -NGENProcess 29c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 278 -NGENProcess 24c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a0 -NGENProcess 29c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 250 -NGENProcess 298 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 278 -NGENProcess 2a8 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1f4 -NGENProcess 294 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 248 -NGENProcess 28c -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  PID:2356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 27c -NGENProcess 23c -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  PID:3616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 258 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  PID:4036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 258 -NGENProcess 26c -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:3244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 26c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  PID:4092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1c0 -NGENProcess 1ec -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  PID:2384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 1ec -NGENProcess 258 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:3168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 290 -NGENProcess 26c -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  PID:3860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 28c -NGENProcess 258 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:3200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2a8 -NGENProcess 248 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:3460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 248 -NGENProcess 1c0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:3560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 258 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:3836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 2a8 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:1140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 248 -NGENProcess 298 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  PID:1176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 298 -NGENProcess 2ac -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:3304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 288 -NGENProcess 2b4 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:3848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2b4 -NGENProcess 264 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:3216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b4 -NGENProcess 288 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 288 -NGENProcess 1ec -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2c0 -NGENProcess 254 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 254 -NGENProcess 2b0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  PID:3084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 24c -NGENProcess 2cc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:1936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:4040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2d4 -NGENProcess 254 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 288 -NGENProcess 2bc -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2bc -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:3744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2e0 -NGENProcess 254 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 254 -NGENProcess 288 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:4044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2e8 -NGENProcess 2d8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:1920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d8 -NGENProcess 2c4 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c4 -NGENProcess 254 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:3324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 254 -NGENProcess 2d4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:3964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2f8 -NGENProcess 2e8 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e8 -NGENProcess 2c4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:4072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2e4 -NGENProcess 300 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:3768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2ec -NGENProcess 2c4 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:4056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 304 -NGENProcess 2e8 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:3448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 300 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2ec -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:3896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 310 -NGENProcess 2c4 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:3496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 318 -NGENProcess 308 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2ec -NGENProcess 31c -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:3192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2e8 -NGENProcess 320 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:3372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2e4 -NGENProcess 31c -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:3548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 2d4 -NGENProcess 328 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:4076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2cc -NGENProcess 31c -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:3664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 32c -NGENProcess 2e4 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:1888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 32c -NGENProcess 2cc -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:3524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 324 -NGENProcess 338 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 33c -NGENProcess 2cc -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:3108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2ec -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 340 -NGENProcess 33c -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:3944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 308 -NGENProcess 2e4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:3396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2d4 -NGENProcess 340 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 350 -NGENProcess 31c -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:1052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2cc -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:4092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 2d4 -NGENProcess 35c -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 2d4 -NGENProcess 358 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 308 -NGENProcess 344 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:3952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 354 -NGENProcess 358 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 368 -NGENProcess 2d4 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:3200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 370 -NGENProcess 340 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 378 -NGENProcess 34c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:3836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 380 -NGENProcess 344 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 370 -NGENProcess 388 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 354 -NGENProcess 308 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 354 -NGENProcess 388 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:1160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 370 -NGENProcess 308 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 344 -NGENProcess 2d4 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:3080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 358 -NGENProcess 340 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 390 -NGENProcess 2d4 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:1936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 31c -NGENProcess 398 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:3680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 370 -NGENProcess 39c -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:4012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 370 -NGENProcess 38c -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:4028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 340 -NGENProcess 39c -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:3736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 39c -NGENProcess 388 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3a0 -NGENProcess 3ac -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3ac -NGENProcess 308 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b4 -NGENProcess 39c -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:3180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 39c -NGENProcess 3a0 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:3908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3c0 -NGENProcess 370 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:3168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 3bc -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:4044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3c4 -NGENProcess 3c8 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 31c -NGENProcess 3cc -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:4016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 3b4 -NGENProcess 3b8 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:3388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 38c -NGENProcess 3ac -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 3a8 -NGENProcess 3b8 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:3472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3d0 -NGENProcess 3b4 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:3304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3ac -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:4040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3b8 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3d0 -NGENProcess 3e0 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3e4 -NGENProcess 3b8 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3dc -NGENProcess 3ec -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:1936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3f0 -NGENProcess 3b8 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3b8 -NGENProcess 3ac -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3fc -NGENProcess 3f4 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3fc -NGENProcess 3e4 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:2952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 31c -NGENProcess 404 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3b8 -NGENProcess 408 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:3816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 40c -NGENProcess 404 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 414 -NGENProcess 3e4 -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:3676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 418 -NGENProcess 3f0 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 418 -NGENProcess 41c -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:3552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 3b8 -NGENProcess 3e4 -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  PID:288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3e4 -NGENProcess 420 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 408 -NGENProcess 3e0 -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  PID:3680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 3b8 -NGENProcess 428 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 42c -NGENProcess 3e0 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 434 -NGENProcess 420 -Pipe 430 -Comment "NGen Worker Process"
  2⤵
  PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 3b8 -NGENProcess 43c -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  PID:832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 43c -NGENProcess 404 -Pipe 420 -Comment "NGen Worker Process"
  2⤵
  PID:3896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 434 -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:3132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 444 -NGENProcess 434 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 40c -NGENProcess 3e0 -Pipe 44c -Comment "NGen Worker Process"
  2⤵
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 498 -InterruptEvent 4a4 -NGENProcess 49c -Pipe 438 -Comment "NGen Worker Process"
  2⤵
  PID:4072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 4a4 -NGENProcess 498 -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 3f4 -NGENProcess 4ac -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  PID:2972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 494 -NGENProcess 498 -Pipe 4a0 -Comment "NGen Worker Process"
  2⤵
  PID:3672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b0 -InterruptEvent 434 -NGENProcess 4b4 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:3336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 40c -NGENProcess 498 -Pipe 4a8 -Comment "NGen Worker Process"
  2⤵
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 4bc -NGENProcess 494 -Pipe 4b8 -Comment "NGen Worker Process"
  2⤵
  PID:628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4bc -InterruptEvent 494 -NGENProcess 434 -Pipe 4ac -Comment "NGen Worker Process"
  2⤵
  PID:832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4bc -InterruptEvent 434 -NGENProcess 494 -Pipe 4c0 -Comment "NGen Worker Process"
  2⤵
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 494 -NGENProcess 4a4 -Pipe 444 -Comment "NGen Worker Process"
  2⤵
  PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c4 -InterruptEvent 424 -NGENProcess 4c8 -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 498 -NGENProcess 4a4 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 498 -InterruptEvent 4a4 -NGENProcess 4b4 -Pipe 4d0 -Comment "NGen Worker Process"
  2⤵
  PID:1816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a4 -InterruptEvent 4d4 -NGENProcess 4cc -Pipe 49c -Comment "NGen Worker Process"
  2⤵
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d4 -InterruptEvent 4cc -NGENProcess 498 -Pipe 4c8 -Comment "NGen Worker Process"
  2⤵
  PID:4008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4cc -InterruptEvent 4a4 -NGENProcess 4b0 -Pipe 4e4 -Comment "NGen Worker Process"
  2⤵
  PID:3672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4bc -InterruptEvent 4d4 -NGENProcess 4e8 -Pipe 4cc -Comment "NGen Worker Process"
  2⤵
  PID:2088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d4 -InterruptEvent 494 -NGENProcess 4b0 -Pipe 4ec -Comment "NGen Worker Process"
  2⤵
  PID:3552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 494 -InterruptEvent 4f0 -NGENProcess 4b4 -Pipe 424 -Comment "NGen Worker Process"
  2⤵
  PID:3860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f0 -InterruptEvent 4b4 -NGENProcess 4d4 -Pipe 4a4 -Comment "NGen Worker Process"
  2⤵
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b4 -InterruptEvent 4fc -NGENProcess 4b0 -Pipe 4f8 -Comment "NGen Worker Process"
  2⤵
  PID:3408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4fc -InterruptEvent 500 -NGENProcess 498 -Pipe 4e8 -Comment "NGen Worker Process"
  2⤵
  PID:4020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d4 -InterruptEvent 4f0 -NGENProcess 498 -Pipe 504 -Comment "NGen Worker Process"
  2⤵
  PID:804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f0 -InterruptEvent 4f4 -NGENProcess 508 -Pipe 4dc -Comment "NGen Worker Process"
  2⤵
  PID:3776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 50c -InterruptEvent 4d4 -NGENProcess 510 -Pipe 4f0 -Comment "NGen Worker Process"
  2⤵
  PID:3104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4bc -InterruptEvent 4d4 -NGENProcess 50c -Pipe 508 -Comment "NGen Worker Process"
  2⤵
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b0 -InterruptEvent 510 -NGENProcess 50c -Pipe 4e0 -Comment "NGen Worker Process"
  2⤵
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b0 -InterruptEvent 494 -NGENProcess 4d8 -Pipe 4bc -Comment "NGen Worker Process"
  2⤵
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f4 -InterruptEvent 4fc -NGENProcess 498 -Pipe 4b0 -Comment "NGen Worker Process"
  2⤵
  PID:3764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 510 -NGENProcess 4c4 -Pipe 4f4 -Comment "NGen Worker Process"
  2⤵
  PID:3640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 510 -InterruptEvent 514 -NGENProcess 498 -Pipe 50c -Comment "NGen Worker Process"
  2⤵
  PID:3844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 514 -InterruptEvent 51c -NGENProcess 494 -Pipe 518 -Comment "NGen Worker Process"
  2⤵
  PID:3132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 514 -InterruptEvent 184 -NGENProcess 510 -Pipe 500 -Comment "NGen Worker Process"
  2⤵
  PID:3372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 498 -NGENProcess 51c -Pipe 494 -Comment "NGen Worker Process"
  2⤵
  PID:4044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c4 -InterruptEvent 514 -NGENProcess 4d4 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  PID:3896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 514 -InterruptEvent 4fc -NGENProcess 51c -Pipe 4d8 -Comment "NGen Worker Process"
  2⤵
  PID:4092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 528 -InterruptEvent 4c4 -NGENProcess 52c -Pipe 514 -Comment "NGen Worker Process"
  2⤵
  PID:3168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c4 -InterruptEvent 520 -NGENProcess 51c -Pipe 524 -Comment "NGen Worker Process"
  2⤵
  PID:3568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 520 -InterruptEvent 534 -NGENProcess 4fc -Pipe 530 -Comment "NGen Worker Process"
  2⤵
  PID:904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 534 -InterruptEvent 528 -NGENProcess 4d4 -Pipe 53c -Comment "NGen Worker Process"
  2⤵
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 510 -InterruptEvent 520 -NGENProcess 540 -Pipe 534 -Comment "NGen Worker Process"
  2⤵
  PID:804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 520 -InterruptEvent 540 -NGENProcess 498 -Pipe 52c -Comment "NGen Worker Process"
  2⤵
  PID:3272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 51c -InterruptEvent 538 -NGENProcess 544 -Pipe 520 -Comment "NGen Worker Process"
  2⤵
  PID:2532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 538 -InterruptEvent 548 -NGENProcess 498 -Pipe 4fc -Comment "NGen Worker Process"
  2⤵
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 548 -InterruptEvent 550 -NGENProcess 510 -Pipe 54c -Comment "NGen Worker Process"
  2⤵
  PID:3484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 550 -InterruptEvent 554 -NGENProcess 534 -Pipe 528 -Comment "NGen Worker Process"
  2⤵
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 554 -InterruptEvent 55c -NGENProcess 498 -Pipe 558 -Comment "NGen Worker Process"
  2⤵
  PID:3764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 564 -InterruptEvent 540 -NGENProcess 498 -Pipe 550 -Comment "NGen Worker Process"
  2⤵
  PID:3372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 510 -InterruptEvent 548 -NGENProcess 544 -Pipe 564 -Comment "NGen Worker Process"
  2⤵
  PID:4044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 548 -InterruptEvent 534 -NGENProcess 498 -Pipe 560 -Comment "NGen Worker Process"
  2⤵
  PID:3796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 548 -InterruptEvent 540 -NGENProcess 538 -Pipe 4b4 -Comment "NGen Worker Process"
  2⤵
  PID:1816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 540 -InterruptEvent 4d4 -NGENProcess 56c -Pipe 544 -Comment "NGen Worker Process"
  2⤵
  PID:3104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d4 -InterruptEvent 570 -NGENProcess 498 -Pipe 51c -Comment "NGen Worker Process"
  2⤵
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 570 -InterruptEvent 574 -NGENProcess 510 -Pipe 55c -Comment "NGen Worker Process"
  2⤵
  PID:3924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 57c -InterruptEvent 574 -NGENProcess 4d4 -Pipe 568 -Comment "NGen Worker Process"
  2⤵
  PID:3008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 548 -InterruptEvent 540 -NGENProcess 538 -Pipe 57c -Comment "NGen Worker Process"
  2⤵
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 498 -InterruptEvent 570 -NGENProcess 580 -Pipe 548 -Comment "NGen Worker Process"
  2⤵
  PID:3996

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3456

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2512

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2580

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2880

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2072

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:852

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1924

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1048

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2960

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1532

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2716

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2932

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1452

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3124

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3312

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3536
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2257386474-3982792636-3902186748-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2257386474-3982792636-3902186748-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3816
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:1116
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
cb4f806f575253011b666d2684e35ed1

SHA1
e7019d24b26811f33882f0b6ec823c1a5caa191b

SHA256
062ba03760f83fa8c3b94596b0891484fb0b224acd72a25a77119d6e8c202583

SHA512
ddf47763e33d93602993dd1f3beee3d5f79c8216548fadbcc2d9220c86c7913c5b12cc9e89be62fcd2724f71e4d8360d759488b45776b69ea81a08a9219d3e5d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
da5637e66e54d0d05835f42658b1dd37

SHA1
91009599f113c2fb5fc22f86e882c8b973cd1da9

SHA256
e565f9768c31a1b059e78d112ea58d000433a1785b86cdb6178b9befb06428d7

SHA512
ed558d348ebfd9eeeb13a4a9727aed30bd5a606f1513f82ccb9ca714fca95c09cbd9e09a384cee7701b1644ac5bda8a5f10bc4d794d716a38347b13e2555f542

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ea7d6a76f6b393fc136b3f31dafe401b

SHA1
01f5676b51efeed57fe6ed7c5bdb609785e04603

SHA256
7a0157d34d2f968406be9916948fe19dd364bb7fb1214c23fc3eb7d4d50b78fc

SHA512
e545990ae266b7689b966edc06f9084b3ce5bfcacc11bd6046d9ff597e16aecfb58438808270639a806a7869a45c7c4bc158edef84cf4efc3a8631a9b3ab2854

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
be2da089fca836ade81a717e3be25bdf

SHA1
66d0dda15ab738dfa8ed38b5c035591665c8ec2b

SHA256
e397e384234810155df3ef3181d50297c76f857df4ac16a17bf4cbd710311ee7

SHA512
3cf00a9b0b6ad009ca27e24d4635c66c00eb896667f68a0bf49436f3391846f5715754a96758cd01be5b2689a41050dba34a880a811a7fd5b657f4ffad0e09a4

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\49737145-85a7-43fd-a0bf-157e8d5c1f6e.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
f8ab9100a286a1a9ab135b4c28e8bc65

SHA1
8b39f8661ff76ca3cdbe2bd5de06f2f7a9eb2bbf

SHA256
1225420d1536d9528eac19ebc779e6f33163095a64fbc37da5268b2e40341bf8

SHA512
8afae09e44df02349922394156621a4396f368a8a126ff731ed681abd5154980d0fcd7ca22108c78723db220174f05343aaa648592060673b05e5f189e332839

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\4feaee37-11fe-4cfc-a737-f74356debb5d.tmp

Filesize
322KB

MD5
1677080f7c776a1cedc4927422ff151c

SHA1
4f4053f469ee2e29933c3cd15cf34e1f86951a2d

SHA256
1cd252cd065c3b4b9802633aefd51eb06632ba59c0597940ba35dcacbdd8aa8d

SHA512
30efb993c1b43bff04aee31a2a23b98799d92721db422b24f4e374f1c3e1af0a2edd3c3b3b69f21f7fc21dfc89d0ae01667e89f2f9956e5782717b4bb6f3de85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ef6a2a508bb9cd255eaf22da187554e8

SHA1
c2d5c218e301d10427e31b4fa6029e3c9d80c590

SHA256
f119f6f4f35802d8a037d2e5ba72449b547a19ee4c947427767fe476b7ee5cb6

SHA512
2710f2e0db5399a1d17e6178ca97bb1c2ff57a755d733dc09cdf7e380a2964bbdb4799540a9fac86bfa80bc5a2db4a33acf73e104ceb67367c768e8ffc4d6cd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e568aff7c8ef8e41e38263aa0e44ee59

SHA1
3af1a5163c97b88b489fae092638e171355a312c

SHA256
f1dc1bdf81b08c48364768f078c7f3820235f86119bc63c56e210ddc4bb8009d

SHA512
5ec5560df54ae85767fb3e379c637c4515f51e92e14ce1a9a0f514512e039ebda7d52fa6a5d915f1cf94bec33c019a732ad68d23acadb72467c4bcde4e7006fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
bb1ea36f3f734110f84b148d3c8a1498

SHA1
3ac20d8579889d6aa2e2586841d3d8c79caada30

SHA256
a9f0023ca53acc0f93d68568dea3baedca214ef8e15398c7a6d21e789a6b2fbd

SHA512
9ec0e68b80a11e8318754d0e41d90e409d539d09f6a66ac7ca293e3055929428385cfc4cf4c560c37c65d8f25e5fd6d2e2cbff9b0dd2b1919f6c592b47a5dd84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
eba8480d07e4b229d135d1d0930b6442

SHA1
eea97148bc738f39ce9bb190600931200ec18944

SHA256
412951a5d26657fa2b5707948431ce36a6771eb20622003e4135ae14eab369dd

SHA512
d73dce63223247b030ca5598a1f287c97416a91324e1f9a89e92b99937ce09d7f0fd6eaa32cf15964333d57351f65c65f1b6dd2b12f6204587684cdec75846cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
162KB

MD5
d7639bd9254d2bd00966993f5c621285

SHA1
3a64aab6928ea8a8eb1599c5620db28d241ee185

SHA256
faed497c5d4c5797bd15bda840a299d6fabfcf96a089ca11fff2f281f56b54e1

SHA512
d8a875b4b41430309a58d505c5e94dbaab9fa24ad9fd70ddc98afc74e75041b71e2aa31b755c221f2a4df8f1a3636b071624b7ba9eb57fe201188eaec97ec5a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
349KB

MD5
34225fe11998b8ecbb7b86db10f6f648

SHA1
09d680ad77eae5b4c5b7968e2cc300d7ec0fec35

SHA256
b925d0480fcebb90d493c3fcf009b0de816c6e58e883f2b35c93070618867efe

SHA512
f385ae150968e83c065770d2b56a3287af04fd350bff0a688b6349c49c0bdbe630da743c223c6f6edb739519546cd57d36654b2a81c447695b9fce7a72cbf9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
5KB

MD5
4ec0aa2fe733531389546a9583513e02

SHA1
c39fd8f0cd18d627467f55f380bfca0a8b97a0fc

SHA256
20468fda0541b09c295e383ecc2a0df367564010195d69639de2c3e7ac1e7250

SHA512
567c5313f2d860c69b4591abb9ff321279256b3108fd2fa58d21a6e2bbfb4fcd4cb5f97317da01b53d020c2046fbbfab4afc05ee36dffacf03be71a77069654d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
83bb4c971ad344663680fce31a46113c

SHA1
e241cfbf8d1d28c6dc18ee36686abd3e392c4f55

SHA256
b088bd54f72cae3363dabd558e868e1151b441d96ceacf625c45242d5ffdceaa

SHA512
9a9de2679f2b6c5e73943e9c6e244964b8c6f42269448c23fea6040292e0fddc5b197a9dcae4f211f0ef55a26d59219c7998e843522b62b854fb7e0504f41204

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2240_1697621553\a39b0306-65fd-4a5d-ba8a-083a1893e983.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Roaming\2e717a97d00288fa.bin

Filesize
12KB

MD5
23e541886655649be106abc660989f6c

SHA1
efa60b05b192fe438535d2d498dfdd2e93833d3a

SHA256
d1b0808a6151ff66421a7411f2c5251154f08de7562dc22dd554622f28d51108

SHA512
d3987322f5057e5335f5e5e5895590c1bc80bd677e19499299600caedb70a2ed05c74e0045636d47ce238cd0ac2db364b0c5e21cafdca30ed52d0733fa66cf2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
af1cd16b26ce3f9b46439ec9cb8db197

SHA1
f0d69cad0812166e3c724a0a7952bd2b13671108

SHA256
6bdb46dfc39d6b4ca0348a21f683d88910e8f08c0a46457f623970e0a77fe849

SHA512
c5e432867831a88c3f2a7f66b7c33eb4e8a477ca0f36842dbc9f8c37b64924d0257d0f67ab8b6d6f7512bde8739a7fd2d9d7e4307b2c4abcd0c8296ed512767a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
33cf682ab1780f9807f9443904b8db26

SHA1
2b975ff516f894bed4346dd3444783c9bbb3632d

SHA256
fec48d8038d98575c4d0a7c432cb8172fbe76e4f9750da3ec538cf2faccd2f4e

SHA512
2ce81153f5bf81e2f8de3d04f49fda479dff5e1155c44fb8ab6543107e1e85ae85f4abbb3f2a664c0a633e1ee052cd97283b46df8ae7c76fd7cd0fc90ced91e9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
88a2f902390daab6d81536e763fcf287

SHA1
ac898ceb7142c70123449af52518a4a5886ac971

SHA256
ca1f3f8a7334e4f9fcb7a3261967095a4585bd01029a5b521edc836fdbff55e6

SHA512
eb7c88ad8abddbd1f54fa9dc242f81c49ac123f36f508b2e720be42fa396a7a30d81d30fffff9f4b0c3da0e032eb74b65e05762b4a0257756d8f27a9b481216e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d2505add1a6c3c863ba3da24d11cfdbd

SHA1
31efbcfc6757567deedd6740a83bebbf00a6df7c

SHA256
5a7d8decb9d981f41eb1ecb3c4745ba1df1a292e74d9c909ae804ef178811c9e

SHA512
7ebb856327bbca59b8fac95604ac9be3c9ca30cd3117075af2b6afa8ddc8540fb5b8798a0bc4d371470d3d0c9633592c56d1a33a72d3c6583ea463bfb76dff31

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
2862bb4b170c11f807eeeb844f564733

SHA1
d641337989c84d93f532abfd238c591e5192010e

SHA256
8a2de2cc2a92972bc00d2ca0198b95bbbba732e684dd0b151928093aa443e5bd

SHA512
6aa729d7049289d658e74b201f4d11c7458b9927f146db1d062b2977c6c1cc8f5e3c355948534decad100ab1ceb9cc7bdb5e11103dbe439a0c16dcb34d247e9c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
3266947e72387270630815ba618b5b73

SHA1
15150cd5534e7d0075fc78a891b7ba81982d8cb1

SHA256
b91f657f01a43454451cf598fe45e261cd2895bdf0476aedde0b2676f34b114a

SHA512
c0a391ce340b671eca9a3ebd6ce310acea2b267023f97a30981ff439548525dc7e57616de724f106718b60c4c7c89397a1b49f00ad231a2c9950b07314da7f31

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
911e2cbb1fc88f57ad850ae3da993c04

SHA1
e65dea7069543285d736b1b71e24dfe80dff891e

SHA256
2ec0f252f7951a3eb4e3fe21c30b0a1c756ba398f8205b5f9d69f4b209b01442

SHA512
c4d6e404346b77a611ff3ad8f9dc0a829c2d64b73f1ed291035b5e74344b29d63ce8c5acb8b6ebd70571409bedbbd1d5630ef5b08792e35697e76cdb583b50d2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
d56194a29f70951642898c6c7d60d28d

SHA1
32bd4cc7bd877536717ce04664b5831f1399568e

SHA256
51745433f528cca499238492638974a52e74a9c36a20f6c77844f1848b6abb23

SHA512
7e87eb3f5ef1ce1042c7c504d12bc9083f121d1e5f94902c2440cfb261eddc8dd99afb8c62de68fe385c0b97cd132dff6249233a443807d864b02655027ac7cd

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
f546d23c01c86e3ec4230a2798a37b91

SHA1
d67ca85e260a6494b94f4a42358f45883f62db6f

SHA256
68b2ff6362a0e71b0dc92f3c046ce4b2957d0a5d74f6e3207a3faa5b2c6be5d1

SHA512
eaec0af8b2f8424f417ec305e6bf0669d52ced787b9657e502d35d26a1b203ce9b9e2608090656c9d58751fd09460cb65932eb1bb3d6d7026e7c32ff4c6cfba6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
5d17f758755833aaf56ac6184a3fe303

SHA1
7e231ed803257c8cb1e7b847ce36bdf65d302470

SHA256
79b8f055ed657a657ff52aafc1e47f37e3ce92a8ffdb0cad574e827ff0752116

SHA512
e6df86e604b4fb59beae34fc040f9b2ed12c31caf0fcec478614d5dccb708f2c44b54f0a4addedc1c54d1a353165609a3fec62bf965d89e7a90a99642806e0e9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
5c82177b38d2ab7af92ce04ee6570f2e

SHA1
fdb1a1da87d683b0947d9eccd125c78862894050

SHA256
dd77b9b8579b85bc07afa9fc8558e81bc8677c7cdb0950c7d203fc072266adc3

SHA512
276f6eb6b015732a6a8ad530145deaffc63dce3be32f3c43f095618b863efc423b8533225feecf9151f28487d307d864cff8c3f9244f3a62391e5385eaa02a6d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
3ae3fc072016c4292b3158d51421bdb0

SHA1
95df52cfb236b2d8f2e3f7c291b9e78f4f52011d

SHA256
a9e6234b3258cfdaa27d6c74890486d0b648a0e1f0c03f434df06cdacf439ed9

SHA512
5f2a5b63d71555154cf58e9f648b2dfbb949324b9f0601af8c74a64cb4f5b371ab4d79ca02ed5e38d5b6ae84dc8cc6fcb6dba316c5e94ce114fdd9621bc7a3ec

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
0db64dd44b8a7056da3b4732c6481b34

SHA1
c29bdc49844f99a6be44fb38783432d7c103bae5

SHA256
a48a86ad55fc746d85c1be0f36bf1c11be7efb6ede705ed3b92b487022e245ad

SHA512
866a9b31320298f0c20f1e6581acab0465111cf4a378390284be0b4a4aaa71acdfc80bca9a9be7de231e0c74c0035e9f4a2e9496ccd1789755b834bdc8221cc6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
a65e38d4dcf9b246492fc3ab3b04f11a

SHA1
4fb93fa74628a6a15f93414c3c8693efd2c983f3

SHA256
515b3cab2ce7e12f45621d301709853f9a80b616af7e345dc4f477e5ecc8ada1

SHA512
aaaa3fdb44d88c551366071ba1cf5addd372b709e33e20a78bf1d306efda1a30553018a3e3e266cb9b799028c8973a0cea1e57100a2184d4bcc51c79efb43a01

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
f050c6258eccbdda43da8304472a053f

SHA1
9138b6072dbc918468df5b6c03ec0c2969fc607a

SHA256
d4ae23da0a5e32918ebf850825894339a8e7f47a7eb49a3214e14f87ab105c1d

SHA512
cb56ec23ba74af4643912abbceb4a746e78750e54e425cd67131093e750f0e749c23f3466784fd9ff1a0c274c45c278c624157e6c31aa6167dac90ae2fa6e890

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
f79ad660d328120fdc926a57b617cd4e

SHA1
1c241c4f0f2accffa188c903c6a497c8ca8c54f5

SHA256
33e862ee62dd2877ca79eb593f08df0fee71ee543137dc6a623300a0d06eaec7

SHA512
9d164c32e03eaf2ad801d5768e9e811b48995e1b5e18bddf900970d4f3491854d3923bb0b04a8db508a95ee5dddca2aa4000f97c163d9266401e8f02cdbeb9ca

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
e05134a69281539b617c851d5f5fd2fe

SHA1
80d86b36b136075ee6eb0b0d1507ad2a130d5425

SHA256
16044499d04c17fdc577990a6e5a4c0975a7a3df484d6dc3ba74da3a010f06f2

SHA512
905cf0ccfc084b86b3a3cf1b50c1f7ba6ea8013bc0f0cd18716db64f9a76721481263f8e38c3ae71c3f5b17fa725b21f3542199dc550948462fb8e9f5703742e

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
c725132bbc81e5057ea5ab92b68a364f

SHA1
99c1b4fb9b8caa1799930d53856b6c7594c95f79

SHA256
344d1b772dfa646718711a7b7e901fc9ff34a045f117326e4729dc1cac5816de

SHA512
5ab98b41805c126cbe6c8570082cbb00932075783fcaad1b81742655d034439c3f1762415a87f7eff11d71882fe4bb8ac6736dc9dc51e6a4bd6f84ae71df8f76

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\181356b1bbb85fe2401c4dfad1a45133\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0.ni.dll

Filesize
158KB

MD5
a763a9348ab4ee3bd593bb17d854e51b

SHA1
4d0c97ba6877e2f9ab32fe1316936a4f2e0ff2c9

SHA256
b2f9dce9baca3e56fb3587ffe30ca38eb0f89ed30985b328a853778480c0f87b

SHA512
e8d3896d4bd788d3ed923e0c9d3ba19fe9fc507060e2e5e8e410964f4c9d7331928324a79336079ccc84c050d8f0acfb03126a2e3622daac3846b0bfd028f602

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\43ac81bed18b52d77a8011ada80939b5\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.ni.dll

Filesize
296KB

MD5
7687295a6e19cc656b077e6a61629d4e

SHA1
fa1025de5cffb56a3d1f8cae9d09b7171b33326e

SHA256
ad8d210d001d3298ad4e1cbf08449b2cbd2b358d28cfad99db78639627a7cb86

SHA512
19de95fd90bc6f091e785074ee71dc15d450d65fbdea933e26650fb9c747d81ae2fca7f5f83192f17451a49a314d264cabea2202c805b6ffab729d381675734c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\48a294a6ff9cea6b26c38fc8b4f5e3e8\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll

Filesize
356KB

MD5
87111e9d98dc79165dfc98a1fb93100b

SHA1
4f5182e5ce810f6ba3bdb3418ad33c916b6013c8

SHA256
971188681028501d5ac8143b9127feb95d6982417590af42cf1a43483e38bd42

SHA512
abbb246d620e8a2ab1973dde19ff56ea1c02afa39e889925fe2a1ba43af1ad4ff6eb017e68578ae520109b3e290b3d9054d7537eb2df0ede6e0fbca8519cc104

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5a6bb99c54645650244e79ef76313ab6\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
8b99a7ffcd64eed10d24dccd6f38ee5e

SHA1
494ef17a2f075a291b50cc3997cf84165fc2c933

SHA256
03f7c19ddc49d67011404687be2d810be24175ca1586d73c469f81e4819ed901

SHA512
9031683e82ce72f7135cb760cfad114467794049b58b20d4c40996b16ae5322b1e478da2c39a5d5edefa6c47f46d2aaaa3bee9e4afdf7e6be6fe68d82c73af86

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5c8b40c69a2293c8f499b38b25c41117\Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0.ni.dll

Filesize
157KB

MD5
7bdf8e0c9aa04b71a52dd964005f4363

SHA1
a87e809146d3c70093a189c37f0a96b8bd0ce525

SHA256
0406be7235661a62f68bff4c7640b4e241a0c392d548bf242ed08ba0eeaee66b

SHA512
4983ebf42241723cf258407c7d2a0773f395c861741f4e98bd7ac86e1ef0a597f89263bb5a986b69ffd43836a5e49d8f03342736b4c3183ea0c58b8099af2051

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5f2320d38621eb541713e6cd421c2b8a\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.ni.dll

Filesize
648KB

MD5
7ebbba07bc6d54efd912bcd78b560b7b

SHA1
a6aee1a80ddcdf201301ac29293c62d58bcc941d

SHA256
637dc357ff9011902186f2fd128ca74ac84fdb6d984f15036803b6a8fe28868a

SHA512
2139a0d520ed70b72dc76fdd0555185386c9c22de1e1fb7eaac0607b313500c44f856c76ac6e2cd72148ea0b86b10bdd2b0ab7daacfc945cb66a637b8d99cfe8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

Filesize
1.2MB

MD5
0637ad2bf6fc5ac1d29e547155bc818c

SHA1
a502879466b6dd37eae5881bbb18353f97623852

SHA256
868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f

SHA512
1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\825f9b3c9be3fec182b65219736c6e37\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
e06a1366a8a6944042b1b9ea19e86a42

SHA1
16b31d1d300c712df2fab9d7ad57bc5b3d5518a1

SHA256
d03b5eb70d7750fbb170a003ab97aaa581cb378c56c5ab40d943eba7b4475404

SHA512
58690d5f3bd044e1262ea165fe754d3b3b00ed367ea5f2e088248f6e3be0b779e2ac63205461ab0b9e55869a6b61789e4253d9076fd43881fe68f7be77f85569

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9248a710d7fe2485a557ce5d3cbcf2df\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0.ni.dll

Filesize
607KB

MD5
e9ca062e4958cc25400c804029a5bf62

SHA1
1ed4374d0d0f568936fdebe17d9110481d6b3344

SHA256
a09436c1df8fcd8ecd1732d6e4e68f32b092e71e0c5d3308b0f3f20abd03d4e0

SHA512
43a9ea20d1e636201c0ce7098c198b893465b45f747ed2a002e8dd0bfc7739c28e166d259faf3a0087ae1fe59c74cc8e598f2b283cc7ebc345b6f3b5c388e520

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a05ee2388c8a28fb3ac98ec65148e455\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

Filesize
65KB

MD5
da9f9a01a99bd98104b19a95eeef256c

SHA1
272071d5bbc0c234bc2f63dfcd5a90f83079bbab

SHA256
b06632dff444204f6e76b16198c31ab706ea52270d5e3ae81626dc1fc1fb1a4d

SHA512
dcb3273e33b7df02461e81a4f65ae99c0a9ae98188a612ce6d605a058bd2dcb6ddb5b7c78abe1f0a955b7f0c07c323dbfd77a2b6a629a9c87e4ecc1c57e4d81d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b8e029b1434d965380b363483e376df0\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.ni.dll

Filesize
329KB

MD5
eb09a7062a66a50fe2cb16c4a80561a7

SHA1
33b4c71ced7644be9802374a4f04c866394daaca

SHA256
e94a4ad1ef9de2886a231e857c8691328c2e6e344cc9e82440e5c45b8a788256

SHA512
c57a4c626c87032ca422df04ce7c3322662a9b0c6c06a46e93f08ca8f431295c9ae802cd79f53cae5de2b39a30bbeb756c966880e874ed44115cf511cc1ff920

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bb63c81d306795319eaf7af25f67342a\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.ni.dll

Filesize
141KB

MD5
58cacef7cbc000bb5ddeedc08a598f36

SHA1
f8963d4ac1f7b72c2ee4a0a6d45b921f4f88bab7

SHA256
124a0869df89ec2c9f0b307dd6b6d17e1e1e7ad638e0b4abf4483c15f842d270

SHA512
9cf04e365abcdcfcb9c1f927da83a2dfe0791cccb80cd84ed63b03264d1e253060c455ed8664f35aee0a59e8c172f859ba49c67c9eec811a53e656c076c6bf66

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bf3e8ba642eaf9a5371982f211550c52\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.ni.dll

Filesize
278KB

MD5
d74d434aa70ce827715b5e0ac7eda5be

SHA1
b53f3374be4c96af51c78fd873de1360f17c200f

SHA256
54701cbe719b08b2393b9f4a604c372f9a280b5d3dd520b563d2aea7d69a1496

SHA512
631d09a0ff39ece829f5c23278c2c030e5ff758b285128edb7805682de75b5be1aedd914d2325f79ec98d0103660a39ae1f1a5782f5dad038b143f3774c098df

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ed38641a2203e87858c8f736cc615209\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
2635e2857dcda0910157b0aaf86b91d3

SHA1
d6a44f795c7ffe464dd9c1e1e90dcea421bf343f

SHA256
ea486f0c766dfef228ef1753ce59bc0447392b87f5655458593d6b365a949da8

SHA512
0a6429f4c27df2fbaf0870a401582cf8109eac841307d2869c543c6fedf88f3da7bf7f62dcd765b638a1b12269a43f9a34b7db548222ec30eb13dc7f79f6b3b5

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
a1c625db2f7431c193bee80beefb6079

SHA1
b6aa7288dece7329ffb1cbdbd943f34cd4b0b44f

SHA256
939e75759899bce24626190026982e29f911db8d615f4c683e368edaebcda23e

SHA512
298611f496cecfe2bf6bd9996f7d0ad68d27c6731d38028e6115238ae383486db32b5a4c57865fd4b0ed800252b7b4ab0af748c8664e0eaa5ccb1e495c726c87

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
449e39bc9539bd1cb575b115e8c0fadd

SHA1
531805c1b8149ec01144a1cdedd8668d13ec7509

SHA256
a398709c1ad7980b11534d732724eae271bc98337c691afa031b47ce833348df

SHA512
3c90001f0402605c91bf3c7a189151ef23a1627d44b1c071a63ae3e87b8a7e71d92e0a3f42e046930e39c68c4220e94ede4f3a5ba24c2ea3bc9e5e9fbd6a5c94

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
002e66a7999b5b55234b6f08a2228b22

SHA1
f15899568d282c47a67d2def19209f00ff3912b4

SHA256
f5aff2b48372a3365bb70b1af8c317ba481c9cd69d9ed693f91c36dd5e2813de

SHA512
38d78246c337c5ca52b09553b2a5096c3de5a7be6e868e8d094b8a786be2fa1f76e79655aeca45ff84c92249aa6c1b130461c70fa422d563ca16b3aaaf3ae1b5

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
f9eb74706d13f3392802589cb80116d9

SHA1
8b42e96f040fca9a779eef480e5a3975629e3792

SHA256
e2939495cb889fbe3e01e6957086bcbd69bb6c711edc34fea4d0ee04e4aa44bc

SHA512
68c6fd9c5b3e4fdab2096cdbe917648fbf3e3071536d907314fdf2eb6f53bc86e41dfc94f457411224171e8f3c20259aefbfa4d9516dc47c50d4464e784c6a9e

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
57e553911da6e2d38c063c142a476063

SHA1
927151083e7d946c809aabb42ebdb506d59d831d

SHA256
ca76fd2d8e2b90ee12af4cb9185fcdf20177a739a1b4e896160221c2afb0e901

SHA512
9851b0cb3baed72feb1b111116e5c5c951cc8b007bd73a588fdce54733bea63e54a4cee0e388ac06fecfc0da6f657c5671ea9200366d5c26eef8886cd4e7bc7e

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
d710ac774507c7cb04e93fef90d5f83e

SHA1
d05199eec0ccc4ca13248517a72d5cdab37f511f

SHA256
b70bc676dc994fd7a0433c22a9ee6a4c0d334d030dbe7c1f1bdf7ba9af625b31

SHA512
9f7570bc65d9a8ce34ebbc5d8aafd71b2a1ff6bfa2a695adb74e27da608911d6d758dc42938beab3415356c7f40c833b8fe1e46d9a881429384348be95743e8d

Download Submit
memory/564-134-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/564-140-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/564-142-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/852-274-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/852-202-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/852-1064-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1036-6-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1036-27-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1036-10-0x0000000140000000-0x000000014033E000-memory.dmp

Filesize
3.2MB

Download
memory/1036-0-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1036-26-0x0000000140000000-0x000000014033E000-memory.dmp

Filesize
3.2MB

Download
memory/1036-11-0x0000000002710000-0x0000000002A4E000-memory.dmp

Filesize
3.2MB

Download
memory/1048-229-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1048-233-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1116-616-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1116-597-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1452-268-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/1452-613-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/1532-316-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/1532-255-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/1780-298-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/1780-237-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/1780-239-0x0000000000590000-0x0000000000799000-memory.dmp

Filesize
2.0MB

Download
memory/1924-275-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1924-225-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2272-1186-0x0000000001290000-0x0000000001334000-memory.dmp

Filesize
656KB

Download
memory/2272-1191-0x0000000001290000-0x00000000012B4000-memory.dmp

Filesize
144KB

Download
memory/2272-1185-0x0000000001290000-0x000000000131C000-memory.dmp

Filesize
560KB

Download
memory/2272-1187-0x00000000023D0000-0x000000000256E000-memory.dmp

Filesize
1.6MB

Download
memory/2272-1189-0x0000000001290000-0x00000000012A0000-memory.dmp

Filesize
64KB

Download
memory/2272-1184-0x0000000001290000-0x00000000012AA000-memory.dmp

Filesize
104KB

Download
memory/2272-117-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2272-124-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2272-119-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2272-1183-0x0000000001290000-0x00000000012AE000-memory.dmp

Filesize
120KB

Download
memory/2272-1182-0x0000000001290000-0x000000000129A000-memory.dmp

Filesize
40KB

Download
memory/2272-1190-0x0000000001290000-0x0000000001318000-memory.dmp

Filesize
544KB

Download
memory/2272-1188-0x0000000001290000-0x000000000137C000-memory.dmp

Filesize
944KB

Download
memory/2272-1192-0x0000000001290000-0x0000000001298000-memory.dmp

Filesize
32KB

Download
memory/2272-1193-0x0000000001290000-0x00000000012BA000-memory.dmp

Filesize
168KB

Download
memory/2272-1194-0x0000000001290000-0x00000000012F6000-memory.dmp

Filesize
408KB

Download
memory/2272-245-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2336-108-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/2340-143-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/2340-54-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/2476-21-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2476-185-0x0000000140000000-0x000000014033E000-memory.dmp

Filesize
3.2MB

Download
memory/2476-20-0x0000000140000000-0x000000014033E000-memory.dmp

Filesize
3.2MB

Download
memory/2512-182-0x0000000001B60000-0x0000000001B70000-memory.dmp

Filesize
64KB

Download
memory/2512-152-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2512-155-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/2512-160-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/2512-1107-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2512-260-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2512-181-0x0000000001B50000-0x0000000001B60000-memory.dmp

Filesize
64KB

Download
memory/2580-173-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2580-265-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2580-1056-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2580-179-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2580-186-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2664-39-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2664-48-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/2664-40-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/2664-212-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2716-259-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2756-36-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2756-201-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2880-270-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2880-190-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/2880-189-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2932-261-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2932-595-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2960-228-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2960-284-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/3100-950-0x0000000001AF0000-0x0000000001BAA000-memory.dmp

Filesize
744KB

Download
memory/3124-271-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/3124-637-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/3184-656-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/3184-276-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/3228-671-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3228-684-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3260-669-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/3260-285-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/3312-670-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/3312-297-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/3360-732-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/3360-299-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/3536-847-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/3536-319-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/3544-511-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3544-601-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3604-614-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3604-641-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3896-658-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3896-638-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/4016-657-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/4016-674-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download