a9d2fda4752595656e2f9fd5a1efad42da25231da42992158b24d880ff95810f

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24-08-2024 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0983b66697fe55aed5dcaba8646a590N.exe
Size

1.2MB
MD5

b0983b66697fe55aed5dcaba8646a590
SHA1

9907e2e02b9779249123a6f147b2ada79f9b9163
SHA256

a9d2fda4752595656e2f9fd5a1efad42da25231da42992158b24d880ff95810f
SHA512

84201d8413bcf052a8bf406664a5359ddf2ecf858a43a41aac8b83228bf6116f5d864502413c4ea0cd632c0b33247c3b0ba3a1b935028a234521408665a02d11
SSDEEP

12288:Icz2DWUeMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:zz2DWoSkQ/7Gb8NLEbeZ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2892	alg.exe
2712	aspnet_state.exe
2660	mscorsvw.exe
2556	mscorsvw.exe
2856	mscorsvw.exe
828	mscorsvw.exe
960	ehRecvr.exe
2084	ehsched.exe
1216	elevation_service.exe
880	IEEtwCollector.exe
1468	GROOVE.EXE
2240	maintenanceservice.exe
2372	OSE.EXE
3012	mscorsvw.exe
2168	mscorsvw.exe
2096	mscorsvw.exe
2236	mscorsvw.exe
3056	mscorsvw.exe
2592	mscorsvw.exe
2740	mscorsvw.exe
524	mscorsvw.exe
1620	mscorsvw.exe
2276	mscorsvw.exe
620	mscorsvw.exe
1664	mscorsvw.exe
2896	mscorsvw.exe
1560	mscorsvw.exe
3048	mscorsvw.exe
648	mscorsvw.exe
1256	mscorsvw.exe
2800	mscorsvw.exe
1496	mscorsvw.exe
2880	mscorsvw.exe
636	mscorsvw.exe
1636	mscorsvw.exe
1296	mscorsvw.exe
2096	mscorsvw.exe
2172	mscorsvw.exe
2180	msdtc.exe
2260	msiexec.exe
860	perfhost.exe
2276	locator.exe
2240	snmptrap.exe
2976	vds.exe
2992	vssvc.exe
1588	wbengine.exe
2964	WmiApSrv.exe
1340	wmpnetwk.exe
2804	SearchIndexer.exe
1400	mscorsvw.exe
1240	mscorsvw.exe
2816	mscorsvw.exe
2468	mscorsvw.exe
2780	mscorsvw.exe
2656	mscorsvw.exe
2512	mscorsvw.exe
1084	mscorsvw.exe
2132	mscorsvw.exe
920	mscorsvw.exe
1604	mscorsvw.exe
2724	mscorsvw.exe
2392	mscorsvw.exe
1956	mscorsvw.exe

Loads dropped DLL 42 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2260	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
752	Process not Found
2780	mscorsvw.exe
2780	mscorsvw.exe
2512	mscorsvw.exe
2512	mscorsvw.exe
2132	mscorsvw.exe
2132	mscorsvw.exe
1604	mscorsvw.exe
1604	mscorsvw.exe
2392	mscorsvw.exe
2392	mscorsvw.exe
960	mscorsvw.exe
960	mscorsvw.exe
2012	mscorsvw.exe
2012	mscorsvw.exe
1368	mscorsvw.exe
1368	mscorsvw.exe
1992	mscorsvw.exe
1992	mscorsvw.exe
2632	mscorsvw.exe
2632	mscorsvw.exe
1728	mscorsvw.exe
1728	mscorsvw.exe
2952	mscorsvw.exe
2952	mscorsvw.exe
1504	mscorsvw.exe
1504	mscorsvw.exe
1104	mscorsvw.exe
1104	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a5f194a5d264f17b.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	b0983b66697fe55aed5dcaba8646a590N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{8EA3FE23-8E0B-4836-8777-C2D6ED0590DC}\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE032.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDAE4.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDDA2.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE6F5.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	b0983b66697fe55aed5dcaba8646a590N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD901.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE16A.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE965.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCE57.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6B0.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{8CDDBBFE-7E27-4421-B208-7A8C6B176DB8}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-101 = "Chrysanthemum"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{8CDDBBFE-7E27-4421-B208-7A8C6B176DB8}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c0258377bbf5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060358976bbf5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 010000000000000060820e77bbf5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000608c0c7ebbf5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2156	ehRec.exe
2712	aspnet_state.exe
2712	aspnet_state.exe
2712	aspnet_state.exe
2712	aspnet_state.exe
2712	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2220	b0983b66697fe55aed5dcaba8646a590N.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	828	mscorsvw.exe
Token: 33	1464	EhTray.exe
Token: SeIncBasePriorityPrivilege	1464	EhTray.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	828	mscorsvw.exe
Token: SeDebugPrivilege	2156	ehRec.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	828	mscorsvw.exe
Token: SeShutdownPrivilege	828	mscorsvw.exe
Token: 33	1464	EhTray.exe
Token: SeIncBasePriorityPrivilege	1464	EhTray.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	828	mscorsvw.exe
Token: SeDebugPrivilege	2892	alg.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	828	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2712	aspnet_state.exe
Token: SeRestorePrivilege	2260	msiexec.exe
Token: SeTakeOwnershipPrivilege	2260	msiexec.exe
Token: SeSecurityPrivilege	2260	msiexec.exe
Token: SeBackupPrivilege	2992	vssvc.exe
Token: SeRestorePrivilege	2992	vssvc.exe
Token: SeAuditPrivilege	2992	vssvc.exe
Token: SeBackupPrivilege	1588	wbengine.exe
Token: SeRestorePrivilege	1588	wbengine.exe
Token: SeSecurityPrivilege	1588	wbengine.exe
Token: 33	1340	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1340	wmpnetwk.exe
Token: SeManageVolumePrivilege	2804	SearchIndexer.exe
Token: 33	2804	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2804	SearchIndexer.exe
Token: SeDebugPrivilege	2712	aspnet_state.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	828	mscorsvw.exe
Token: SeShutdownPrivilege	828	mscorsvw.exe
Token: SeShutdownPrivilege	828	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	828	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	828	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	828	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	828	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	828	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	828	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	828	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	828	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	828	mscorsvw.exe
Token: SeShutdownPrivilege	2856	mscorsvw.exe
Token: SeShutdownPrivilege	828	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1464	EhTray.exe
1464	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1464	EhTray.exe
1464	EhTray.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2408	SearchProtocolHost.exe
2408	SearchProtocolHost.exe
2408	SearchProtocolHost.exe
2408	SearchProtocolHost.exe
2408	SearchProtocolHost.exe
3040	SearchProtocolHost.exe
3040	SearchProtocolHost.exe
3040	SearchProtocolHost.exe
3040	SearchProtocolHost.exe
3040	SearchProtocolHost.exe
3040	SearchProtocolHost.exe
3040	SearchProtocolHost.exe
3040	SearchProtocolHost.exe
3040	SearchProtocolHost.exe
3040	SearchProtocolHost.exe
3040	SearchProtocolHost.exe
3040	SearchProtocolHost.exe
3040	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 3012	2856	mscorsvw.exe	45
PID 2856 wrote to memory of 3012	2856	mscorsvw.exe	45
PID 2856 wrote to memory of 3012	2856	mscorsvw.exe	45
PID 2856 wrote to memory of 3012	2856	mscorsvw.exe	45
PID 2856 wrote to memory of 2168	2856	mscorsvw.exe	46
PID 2856 wrote to memory of 2168	2856	mscorsvw.exe	46
PID 2856 wrote to memory of 2168	2856	mscorsvw.exe	46
PID 2856 wrote to memory of 2168	2856	mscorsvw.exe	46
PID 2856 wrote to memory of 2096	2856	mscorsvw.exe	68
PID 2856 wrote to memory of 2096	2856	mscorsvw.exe	68
PID 2856 wrote to memory of 2096	2856	mscorsvw.exe	68
PID 2856 wrote to memory of 2096	2856	mscorsvw.exe	68
PID 2856 wrote to memory of 2236	2856	mscorsvw.exe	48
PID 2856 wrote to memory of 2236	2856	mscorsvw.exe	48
PID 2856 wrote to memory of 2236	2856	mscorsvw.exe	48
PID 2856 wrote to memory of 2236	2856	mscorsvw.exe	48
PID 2856 wrote to memory of 3056	2856	mscorsvw.exe	49
PID 2856 wrote to memory of 3056	2856	mscorsvw.exe	49
PID 2856 wrote to memory of 3056	2856	mscorsvw.exe	49
PID 2856 wrote to memory of 3056	2856	mscorsvw.exe	49
PID 2856 wrote to memory of 2592	2856	mscorsvw.exe	50
PID 2856 wrote to memory of 2592	2856	mscorsvw.exe	50
PID 2856 wrote to memory of 2592	2856	mscorsvw.exe	50
PID 2856 wrote to memory of 2592	2856	mscorsvw.exe	50
PID 2856 wrote to memory of 2740	2856	mscorsvw.exe	51
PID 2856 wrote to memory of 2740	2856	mscorsvw.exe	51
PID 2856 wrote to memory of 2740	2856	mscorsvw.exe	51
PID 2856 wrote to memory of 2740	2856	mscorsvw.exe	51
PID 2856 wrote to memory of 524	2856	mscorsvw.exe	52
PID 2856 wrote to memory of 524	2856	mscorsvw.exe	52
PID 2856 wrote to memory of 524	2856	mscorsvw.exe	52
PID 2856 wrote to memory of 524	2856	mscorsvw.exe	52
PID 2856 wrote to memory of 1620	2856	mscorsvw.exe	53
PID 2856 wrote to memory of 1620	2856	mscorsvw.exe	53
PID 2856 wrote to memory of 1620	2856	mscorsvw.exe	53
PID 2856 wrote to memory of 1620	2856	mscorsvw.exe	53
PID 2856 wrote to memory of 2276	2856	mscorsvw.exe	54
PID 2856 wrote to memory of 2276	2856	mscorsvw.exe	54
PID 2856 wrote to memory of 2276	2856	mscorsvw.exe	54
PID 2856 wrote to memory of 2276	2856	mscorsvw.exe	54
PID 2856 wrote to memory of 620	2856	mscorsvw.exe	55
PID 2856 wrote to memory of 620	2856	mscorsvw.exe	55
PID 2856 wrote to memory of 620	2856	mscorsvw.exe	55
PID 2856 wrote to memory of 620	2856	mscorsvw.exe	55
PID 2856 wrote to memory of 1664	2856	mscorsvw.exe	56
PID 2856 wrote to memory of 1664	2856	mscorsvw.exe	56
PID 2856 wrote to memory of 1664	2856	mscorsvw.exe	56
PID 2856 wrote to memory of 1664	2856	mscorsvw.exe	56
PID 2856 wrote to memory of 2896	2856	mscorsvw.exe	57
PID 2856 wrote to memory of 2896	2856	mscorsvw.exe	57
PID 2856 wrote to memory of 2896	2856	mscorsvw.exe	57
PID 2856 wrote to memory of 2896	2856	mscorsvw.exe	57
PID 2856 wrote to memory of 1560	2856	mscorsvw.exe	58
PID 2856 wrote to memory of 1560	2856	mscorsvw.exe	58
PID 2856 wrote to memory of 1560	2856	mscorsvw.exe	58
PID 2856 wrote to memory of 1560	2856	mscorsvw.exe	58
PID 2856 wrote to memory of 3048	2856	mscorsvw.exe	59
PID 2856 wrote to memory of 3048	2856	mscorsvw.exe	59
PID 2856 wrote to memory of 3048	2856	mscorsvw.exe	59
PID 2856 wrote to memory of 3048	2856	mscorsvw.exe	59
PID 2856 wrote to memory of 648	2856	mscorsvw.exe	60
PID 2856 wrote to memory of 648	2856	mscorsvw.exe	60
PID 2856 wrote to memory of 648	2856	mscorsvw.exe	60
PID 2856 wrote to memory of 648	2856	mscorsvw.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b0983b66697fe55aed5dcaba8646a590N.exe
"C:\Users\Admin\AppData\Local\Temp\b0983b66697fe55aed5dcaba8646a590N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2660

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 264 -NGENProcess 25c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1f0 -NGENProcess 258 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 23c -NGENProcess 268 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 24c -NGENProcess 258 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 244 -NGENProcess 270 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 240 -NGENProcess 258 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 278 -NGENProcess 24c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 268 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 258 -NGENProcess 260 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1f0 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 284 -NGENProcess 268 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 260 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 25c -NGENProcess 290 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 278 -NGENProcess 260 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 298 -NGENProcess 288 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 26c -NGENProcess 268 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 29c -NGENProcess 1f0 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 1f0 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 220 -NGENProcess 258 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 254 -NGENProcess 294 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 248 -NGENProcess 23c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1e8 -NGENProcess 258 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 224 -NGENProcess 294 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 258 -NGENProcess 294 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2ac -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 1c4 -NGENProcess 224 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2a4 -NGENProcess 294 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 1c4 -NGENProcess 26c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 250 -NGENProcess 2a0 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2a0 -NGENProcess 2a4 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 1f0 -NGENProcess 26c -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 26c -NGENProcess 250 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 29c -NGENProcess 2a4 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 1f0 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 288 -NGENProcess 250 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 250 -NGENProcess 29c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 298 -NGENProcess 2b0 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b0 -NGENProcess 288 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2b0 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 298 -NGENProcess 250 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2c4 -NGENProcess 224 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 224 -NGENProcess 2b0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 2cc -NGENProcess 250 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 250 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2d4 -NGENProcess 2b0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2b0 -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2b4 -NGENProcess 2e8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2e8 -NGENProcess 2cc -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2c4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2c4 -NGENProcess 2b4 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:1144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2f4 -NGENProcess 2cc -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2cc -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2fc -NGENProcess 2b4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2f8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:1956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2ec -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2092

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2172

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:960

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2084

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1464

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1216

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:880

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1468

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2240

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2372

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2180

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:860

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2276

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2240

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2964

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2804
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2408
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  - Modifies data under HKEY_USERS
  PID:748
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
70df414dceb67f4b9cf4e4fe8c1659c8

SHA1
6734552a1488e1e48f786b6afdd68187fe96aa06

SHA256
74df98575a1c873d7b46e091c7307d077ec6ca4dbf6c69a755ce33cf38f5dc8f

SHA512
d906df91cf744e1f994411e9e9004ddbb39830d1d4183d53135356a4d51e3dfcfeedb5ed760308016a6f2b536e727e4e5df16e12f41c09bcfb1776158b3d6744

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
09e4a3ca30f00c07c7d3e6ecd1049cf1

SHA1
da3cb48969aebdd3a40e88c6e19aac8b8ae3ecaf

SHA256
139cda8bd87774ec26d05707f78cba48415dd1a0665c790cd9ab658ec3ec94e9

SHA512
7ff1830479780e6cefd0a2548ce8f0888742e57627a99938dce0424775ac999a12c59ac92383853052791adf11cb6346fd0ff36e691a7622d22f4779ba494fbf

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
b3f5cda8de12aa6d2291fd289e851e32

SHA1
1ca4ec6c84e4ab725c7be30d78053c373843aef3

SHA256
4c4b88f84d507dc59a48cbf749adf738f48dff30622b084122d80eef1c627b8d

SHA512
b288f5d7273a57b6ded92262dd125153248b6c77c78c31d68526b64d88a72534c6898bdaff8b011cec0b7e5e970ef797f3b644f9691e87c285073405348c2d41

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c35a66e3a1222a58c0346e977f7ddb07

SHA1
9843e6268e7a3769ce4f4552cb6193f4ad8e8182

SHA256
34ec4886b3fa7218282dd206121150b2f618005d30f4534cf8191a1ba71188c6

SHA512
aef44eae455d95e7cb9d64f82a96d30818c688ed682635c3a40b2c7e951b88aae84eb28f62854eb8967eb5a9e1ec4c782f993f2d53f81a28a3b4f4b803815cb6

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
d10c27f59dfdc972c4de635687df4614

SHA1
3ebd0ac94d845bca26c36a05e3a70f75561fe3e4

SHA256
71636872ba48e12fbf90eec49168337910ef98ad0ee00cda106f2904c83f8f65

SHA512
4c649ed28619302cbad9f1a2455bd4f2970b05f59740d642c4691f073df9e195bd6fcbcda107ffe7ad7b095bcff68c1882744e86fb374c4224f804850010bf4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
e44282ab660d8d91fdb15c24eebc2c40

SHA1
c63e18daf515b570ca83099c7337e68227a757b8

SHA256
7012fcb34e06fc4097eb1ac3a1889415b3871612a4f6ba208528ec1a256de471

SHA512
c7daf745e57aaea2e79c3ea2ccb4b9010ea1e5f40ce4ad71c7f16589622421e577b89476067d2772cb6f22a026dd3fa20fddfc22792b902ed9927cabab8124a3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
14e9060fa8b1493e48baff93a19bacca

SHA1
125012213736aabdcf9ebed85150801e108b1045

SHA256
ac4d672df87b18c4f190e58b971e81beff82d7f9b0b5d8bf27e1cc26319733ad

SHA512
5b63f248980d57ee901a4b5ac7b23d245432aadb7fe78ff1dd4352baabfc5406dcee0b4862d14d6f10b64a5291248f24ab40c816d4391ffcbc4bb1ee6fe4034c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
1cbd1fb5c38039d11f8aa77c624f6fa2

SHA1
929db645a72967fe9398e59fab5887e3065582ac

SHA256
207cdca28661e6a17fdfabdc19b3b32e6ca39f3c7575e94a7450980d7fb99927

SHA512
d29a1ffd87e357caae3f920d9566b689662681a5603b37a68c57cd0b74d9069f18869c1942cb34aab4040d80a793e2d8572b2feb3b86ebcbf84878b90d61f66c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
5abbc7361d5dce35885ac94dc55298ce

SHA1
9961791a13c2b4940d6aa50187b99411d8b4ea7e

SHA256
37da9d96c2d33abd30a274d8d419a7dab6b865c49b484e395035134359815cc5

SHA512
9b0a7ece87e31062f2036369a57da81b57edcc7dc65f9c401ab9c4b3a50eb624d656df3b2827f0743820d64bdbd5e540794e791e6c89170529183375b2cdbd5c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
b81005b8db9214c8588cd74da060f251

SHA1
9dfc88c8792b6d906cb9356f906cb7302e571afb

SHA256
daaf1e69733ca80fb3ef5d080bf75c8e96d67c877dcf3daf33ccd38f1b7746a3

SHA512
973e57bd551a620ced288f7ad290f8577947fbc04ab94b5321c4928b0c479b03ef069af012bd22a6c3c29a5efa54670f2fb340baa1aa6f1884ec21aca27b9868

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
c30e9e9c155bb73e3ad04847e56fb726

SHA1
253e207161b30946a5fb784bb14693a6d104b922

SHA256
366766b6cc5612a294d94fb7008b190a1626d752368b60c1bf2d97a3d1710970

SHA512
4088e5a7af4bb16aca7fa915ef1e7d52a149d2bfe0172bf9760a4011f7f56e50721e1d4e02ce3c1c4835aece80a8df161f5920350144b26e427b7079ee2394d4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
5b7d346bb3657ca6c4ea663c0f6e079f

SHA1
6d744ee702e1870270b49bfce1ad1f9370a9df42

SHA256
d1dc469e42971fcb02468a8416b77600500fe3c254402cf9f75f03d471677711

SHA512
b6242e8cee5efd0633fbaad7136f1ad61b36acb8590001adc1fe6402eab8f6dd722a79c0eba2f1389167ac34cde6cef509b691bcb02c6c6f3fef35fca66ce5fc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
2fbc70f7570a366bc0b03a7918b102fb

SHA1
e76cfeb9a8b0cb070c3a92b062f0cff44f1e17ef

SHA256
9b2be897dec8190e5572aa6e26670991122bb1bcb38e484b36e7a5c239a6725b

SHA512
de7e7ebac8dbec9632403be78ea78b287f1a2f6474610797a6da3b2db1a1658012872722f54acb3ba122248376395c643487e9649bc85f001d95a2310d61cb9c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\10fcc3a271c7408b5f2ac8aaf766be97\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
fe61614675c3e6a05e1de66714ea177d

SHA1
550283edca18646680e0ec61b7508887bcec765f

SHA256
2e9904a9393855e7fdfe6860055799dc10a42a468beee5ba40caa6a7c1c2f4f5

SHA512
4c6a7c6d62d43477c0f7c4668d73a17b5312e0f5cc263cd2ecf5077b7a7552d87c5c8058fc1e9f43cdcbfc7304e2c7e3295bb24e83941ba06ad9a95a9db2f008

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4cffbd6c354740026d7a3a29dd63e3bc\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
1fa4c663eb7f4f3f5e7547c8d2849c90

SHA1
7a2e4dc0eacfaab69d5ddfcbf9fcec8ff55b035f

SHA256
3febbc6242bafabbb51659ed696758cc75dadcb7ffc8217b8a032590d97d9166

SHA512
3a40a81785cf707abfb6b5f88b98e6cf413391b4098d1199a1cb7f030fa2e45c3c8502ae6baa7ff56f1476ee700d5f126c14a99433802a1dd328cd66bd9dfdd9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\6a3b1bc86553158a95617535defe749e\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
7a7b8fa827cf88028b9c0343a19a25b6

SHA1
1efb4a562852b8730b581d24f4b9bce0290b5d37

SHA256
1d4cb33d2776a9f3ff6bb61767dc3d0a6491b0aea9a3a2058dde2a0983f61d3d

SHA512
79b2ebe99ccd41c0d4fdb4aab570b10182495fc061018ec21b9b24fea5635a01b14117e1618c985c6e1849b7b9706f0ea2b82087f5a03d817447c321f92ee074

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\7734e4dda7546d3885416698a8c4471c\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
aca4513b45cd73c953d32737d8116723

SHA1
ccb3c927e6b3efd5f5b30418caa2a48bfc4963f2

SHA256
88c8798daf649452dc2fb46c1ac803a2477d3e9f4fc048693e0e6bc9ff12a87a

SHA512
da52767e009322c4d6dada20bf260442138d39ee72fa554bbf40f5b2099ed888105825877c7dfe16e22d212987a3ac1798b2dc63b6ee58ab09fda539690ad55e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
5fa0ee7b305adcb523ad593445428300

SHA1
d066900c2d2ac40f938e13af7ce0d062612cfead

SHA256
9a623f46574e487467e9f0f13b80288c0c14594d03d907686a138574086171e3

SHA512
87ad7d567bc5bd7e7e36d13b3d875abec1e66c7346bf573092f3de1c12b17c6dc6fcd6a4b28430d94b8a5acdda36defbe59cdff92e245b94495fc165b0593c0a

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
ccdb7fd75e65d1adaabc09f35e660ac0

SHA1
b362ec0d9a829b0e870220e88d5200aa2a1e29e9

SHA256
54fa847495c30b73f13c81861b65d584e8c428df7b5addc56df5f8b5931ee341

SHA512
e0ebc453ae12a962e845aedc66c94ba97b7208100c4591bbd950e0c948ec09186d9a62b3a750e645be93e6dd17f0ebe189e3e3f0ecc22160a4025f281068390f

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
f7177b880a6a9c876068a8419750a1db

SHA1
79b7230a4bff9ab602ce7a2ebe1008645a643905

SHA256
5faa0eb196c81f507b16f9eec5b5287a5d3ae772e42090e04b9907576fdacaec

SHA512
ddd1241067d65c7d89c7964ef5db15a577702aa6b755d9ce9252da7829806fa005d1cd7089e6e9acac3e91e521008cedb046de09072df74d4a65c8ed50f7f86d

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
99b75e80c6bc8384dfb14d7efb3046b6

SHA1
db74e5279f9b821a6e54c5d1524106fa1911426f

SHA256
8f50e597fd76b1166a36527bdc445990c9b142a4ec998e2c7b209e7c350bf31c

SHA512
bffee0bd145273889c4d196d2ba187f8bb5c6f1fc112f49be63f4ad6c50b1ff101b64fe9adeb81b0caac68c08aeab08473c1687c5340cfc2037e511067c72620

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
0895638f7ec7afdeb801c5355470c740

SHA1
e3705bd018c24d737c53b96ff3a9b7f55852f2ef

SHA256
8ef865e2a2647dcc1d0db4f8ecbd978f04d6900b6c4537f5e642b089cd363608

SHA512
24c9de1d83c856d624e519d704f99b0f39076ed4cef31616725981097160497094b67619d534bedc3e58da358652dafb9b0fe617f164e3633f9b5c47efacff6c

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
af7076414f1c05155f8a75b9a39f31a8

SHA1
d20836c2bdee1caaa9a08eb05505ec39126c2579

SHA256
4e4b39d093cb6b58d09bf0ef8291e555fb139dccd29c1707929003230f3ba5cb

SHA512
c760c9bd5afd212f900c0d6936433a8aa78e92271549065754ce5f7437a60cbd1f82e3c1235e99e35237894dbb3989bfd835a7728dd80040e6514cd54c11812d

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.2MB

MD5
049b218f328f24953f05bdec6213a307

SHA1
4e6a3cedc6a7e4fdec2c93a830a36e3642c918b9

SHA256
5de193183f61820537d9ea8dfd8988191d644cc9b35421b3be67098bc9f883e0

SHA512
c151be2140c8289858147c7344e66d9848e931ac14de204ddd3e51bb2df95ed20c84e63e43eda58018b623a88ccf5854dd49da22ffc1fa2fa4ee778fdf061785

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
0e42b731fb581aa1af359aa568d1d79d

SHA1
93e8795f765b94b8b5caa2743c5eff06e151fbd4

SHA256
06f4626dbc8a524763d43d639daf51993c44062ed45b362388d4d8de8beb34ae

SHA512
fa77925da61d2450cb04da7bcdc5b5d64ddc514270168d9a1a4bdaa2af0a61dca0012d5c4234846a2923836ae511acfd804edaa85ca04b1ffe04cfa20f5b75cb

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
2e2b52d04742b1f78c88958584c8b201

SHA1
8b840e930edbee5dbcd5672ce2003bdbf8e39212

SHA256
7e20e5cd994b9371486f2feb58f84642d1db661924c2c6fd5a22968cb8e807c9

SHA512
2995a2411779c07ebf9224ea8977de3a68457b7d430add905230e1e7841fae26a752ced490fa59fee9cfc31ed74aeee1d683ce8d1dbce8ac37bd099964ee17e7

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
9e1ef9917465765cc7d57007712b9479

SHA1
dd8e580c3099c9288546325f8e81d8bfba86e4fa

SHA256
4bb0dc9b387838fe807151d5dbb998d4e719d2f89ba99ee584c077c901e0773e

SHA512
7fcb917a76c38eb4857f0b2ca3f1342bb53c2c61bec89430d7522f5387afb3bf665995fabd5ef0d1e9cac18193087d19bfb72c28eb07277a93774fb2bc0c416e

Download Submit
memory/524-472-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/620-495-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/620-508-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/636-622-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/648-566-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/828-95-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/828-97-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/828-223-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/860-891-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/860-719-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/880-672-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/880-322-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/880-157-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/960-675-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/960-246-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/960-109-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/960-110-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/1216-145-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1216-307-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1256-570-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1296-636-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1340-906-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1340-794-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1468-364-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1468-173-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1496-591-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1560-543-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1588-901-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1588-767-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1620-469-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1620-483-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1636-633-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1664-519-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1664-505-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2084-124-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2084-669-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2084-295-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2096-648-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2096-323-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2096-661-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2096-411-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2168-326-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2168-308-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2172-650-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2172-664-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2180-787-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/2180-685-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/2220-162-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/2220-160-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2220-8-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/2220-9-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2220-0-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2220-63-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/2236-423-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2240-197-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2240-893-0x0000000100000000-0x000000010012D000-memory.dmp

Filesize
1.2MB

Download
memory/2240-184-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2240-745-0x0000000100000000-0x000000010012D000-memory.dmp

Filesize
1.2MB

Download
memory/2260-880-0x00000000004E0000-0x0000000000629000-memory.dmp

Filesize
1.3MB

Download
memory/2260-798-0x0000000100000000-0x0000000100149000-memory.dmp

Filesize
1.3MB

Download
memory/2260-708-0x00000000004E0000-0x0000000000629000-memory.dmp

Filesize
1.3MB

Download
memory/2260-698-0x0000000100000000-0x0000000100149000-memory.dmp

Filesize
1.3MB

Download
memory/2276-892-0x0000000100000000-0x000000010012C000-memory.dmp

Filesize
1.2MB

Download
memory/2276-492-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2276-725-0x0000000100000000-0x000000010012C000-memory.dmp

Filesize
1.2MB

Download
memory/2372-393-0x000000002E000000-0x000000002E14C000-memory.dmp

Filesize
1.3MB

Download
memory/2372-187-0x000000002E000000-0x000000002E14C000-memory.dmp

Filesize
1.3MB

Download
memory/2556-102-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/2556-54-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/2556-61-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2592-448-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2660-38-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/2660-39-0x0000000000460000-0x00000000004C6000-memory.dmp

Filesize
408KB

Download
memory/2660-44-0x0000000000460000-0x00000000004C6000-memory.dmp

Filesize
408KB

Download
memory/2660-71-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/2712-28-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2712-34-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2712-27-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2712-136-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2740-445-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2740-460-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2800-588-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2804-799-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2856-209-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2856-79-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2856-905-0x0000000000960000-0x000000000096A000-memory.dmp

Filesize
40KB

Download
memory/2856-907-0x0000000000960000-0x000000000097E000-memory.dmp

Filesize
120KB

Download
memory/2856-75-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2856-73-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2880-611-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2880-600-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2892-15-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2892-108-0x0000000100000000-0x000000010013B000-memory.dmp

Filesize
1.2MB

Download
memory/2892-21-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2892-14-0x0000000100000000-0x000000010013B000-memory.dmp

Filesize
1.2MB

Download
memory/2896-530-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2964-902-0x0000000100000000-0x000000010015B000-memory.dmp

Filesize
1.4MB

Download
memory/2964-785-0x0000000100000000-0x000000010015B000-memory.dmp

Filesize
1.4MB

Download
memory/2976-747-0x0000000100000000-0x00000001001AB000-memory.dmp

Filesize
1.7MB

Download
memory/2976-899-0x0000000100000000-0x00000001001AB000-memory.dmp

Filesize
1.7MB

Download
memory/2992-900-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2992-757-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/3012-252-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3012-311-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3048-544-0x0000000003C70000-0x0000000003D2A000-memory.dmp

Filesize
744KB

Download
memory/3048-555-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3056-434-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3056-419-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download