faa74361a18529971cc286d26343bba3a5d4fdee99fc461a4d26b0ec5fec42cf

Analysis

max time kernel
148s
max time network
155s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_4d782f275df6dbab2d37808afa65fe71_magniber.exe
Size

5.4MB
MD5

4d782f275df6dbab2d37808afa65fe71
SHA1

0648d295cb9df08947c1192fc6be23c1d72c2275
SHA256

faa74361a18529971cc286d26343bba3a5d4fdee99fc461a4d26b0ec5fec42cf
SHA512

5516b1939d6b9b4835514b939305f48508d0ead8acc42050c4bb9057dbe4d8acd4401a6771d78c36932a3214997b92e8ed49301258d7684b88099d390dd8b664
SSDEEP

98304:70Ocn0xMTpKZKzRm0fxK2I94pXGOU8ybq5utbATwY2hlOt2vXtZ:70lKuppfs4pVUjt0TWlNX

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\Geo\Nation	2024-09-19_4d782f275df6dbab2d37808afa65fe71_magniber.exe

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2296	alg.exe
2812	aspnet_state.exe
512	mscorsvw.exe
1128	mscorsvw.exe
2444	mscorsvw.exe
2996	mscorsvw.exe
1468	ehRecvr.exe
1624	ehsched.exe
1896	elevation_service.exe
2552	IEEtwCollector.exe
1132	GROOVE.EXE
1516	maintenanceservice.exe
972	msdtc.exe
2592	OSE.EXE
2972	mscorsvw.exe
2076	mscorsvw.exe
2000	mscorsvw.exe
2344	mscorsvw.exe
1540	mscorsvw.exe
3012	mscorsvw.exe
2020	mscorsvw.exe
2676	mscorsvw.exe
608	mscorsvw.exe
1824	mscorsvw.exe
2312	mscorsvw.exe
652	mscorsvw.exe
2068	mscorsvw.exe
1168	mscorsvw.exe
1108	mscorsvw.exe
1544	mscorsvw.exe
1996	mscorsvw.exe
2676	mscorsvw.exe
2024	mscorsvw.exe
964	mscorsvw.exe
1276	mscorsvw.exe
2744	mscorsvw.exe
652	mscorsvw.exe
1540	mscorsvw.exe
1916	mscorsvw.exe
2488	mscorsvw.exe
564	mscorsvw.exe
2036	mscorsvw.exe
2464	mscorsvw.exe
2112	mscorsvw.exe
2168	mscorsvw.exe
1244	mscorsvw.exe
2232	mscorsvw.exe
2992	mscorsvw.exe
2968	mscorsvw.exe
2188	mscorsvw.exe
2472	mscorsvw.exe
2932	mscorsvw.exe
2644	mscorsvw.exe
1136	mscorsvw.exe
2836	mscorsvw.exe
1516	mscorsvw.exe
2708	mscorsvw.exe
1484	mscorsvw.exe
2128	mscorsvw.exe
924	mscorsvw.exe
884	mscorsvw.exe
2288	mscorsvw.exe
2964	mscorsvw.exe

Loads dropped DLL 48 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2112	mscorsvw.exe
2112	mscorsvw.exe
1244	mscorsvw.exe
1244	mscorsvw.exe
2992	mscorsvw.exe
2992	mscorsvw.exe
2188	mscorsvw.exe
2188	mscorsvw.exe
2932	mscorsvw.exe
2932	mscorsvw.exe
1136	mscorsvw.exe
1136	mscorsvw.exe
1516	mscorsvw.exe
1516	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
924	mscorsvw.exe
924	mscorsvw.exe
2288	mscorsvw.exe
2288	mscorsvw.exe
1120	mscorsvw.exe
1120	mscorsvw.exe
2500	mscorsvw.exe
2500	mscorsvw.exe
708	mscorsvw.exe
708	mscorsvw.exe
2488	mscorsvw.exe
2488	mscorsvw.exe
1660	mscorsvw.exe
1660	mscorsvw.exe
1664	mscorsvw.exe
1664	mscorsvw.exe
884	mscorsvw.exe
884	mscorsvw.exe
1188	mscorsvw.exe
1188	mscorsvw.exe
2172	mscorsvw.exe
2172	mscorsvw.exe
956	mscorsvw.exe
956	mscorsvw.exe
2232	mscorsvw.exe
2232	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-09-19_4d782f275df6dbab2d37808afa65fe71_magniber.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8873e1ccf1301b95.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-09-19_4d782f275df6dbab2d37808afa65fe71_magniber.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-09-19_4d782f275df6dbab2d37808afa65fe71_magniber.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-09-19_4d782f275df6dbab2d37808afa65fe71_magniber.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-09-19_4d782f275df6dbab2d37808afa65fe71_magniber.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-09-19_4d782f275df6dbab2d37808afa65fe71_magniber.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2E03.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP477C.tmp\ehiVidCtl.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1E5A.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP280A.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_4d782f275df6dbab2d37808afa65fe71_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "mscorsvw.exe"	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2060	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2052	2024-09-19_4d782f275df6dbab2d37808afa65fe71_magniber.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: 33	2704	EhTray.exe
Token: SeIncBasePriorityPrivilege	2704	EhTray.exe
Token: SeDebugPrivilege	2060	ehRec.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: 33	2704	EhTray.exe
Token: SeIncBasePriorityPrivilege	2704	EhTray.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeDebugPrivilege	2296	alg.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeDebugPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2704	EhTray.exe
2704	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2704	EhTray.exe
2704	EhTray.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2052	2024-09-19_4d782f275df6dbab2d37808afa65fe71_magniber.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2972	2996	mscorsvw.exe	47
PID 2996 wrote to memory of 2972	2996	mscorsvw.exe	47
PID 2996 wrote to memory of 2972	2996	mscorsvw.exe	47
PID 2996 wrote to memory of 2076	2996	mscorsvw.exe	48
PID 2996 wrote to memory of 2076	2996	mscorsvw.exe	48
PID 2996 wrote to memory of 2076	2996	mscorsvw.exe	48
PID 2444 wrote to memory of 2000	2444	mscorsvw.exe	49
PID 2444 wrote to memory of 2000	2444	mscorsvw.exe	49
PID 2444 wrote to memory of 2000	2444	mscorsvw.exe	49
PID 2444 wrote to memory of 2000	2444	mscorsvw.exe	49
PID 2444 wrote to memory of 2344	2444	mscorsvw.exe	50
PID 2444 wrote to memory of 2344	2444	mscorsvw.exe	50
PID 2444 wrote to memory of 2344	2444	mscorsvw.exe	50
PID 2444 wrote to memory of 2344	2444	mscorsvw.exe	50
PID 2444 wrote to memory of 1540	2444	mscorsvw.exe	70
PID 2444 wrote to memory of 1540	2444	mscorsvw.exe	70
PID 2444 wrote to memory of 1540	2444	mscorsvw.exe	70
PID 2444 wrote to memory of 1540	2444	mscorsvw.exe	70
PID 2444 wrote to memory of 3012	2444	mscorsvw.exe	52
PID 2444 wrote to memory of 3012	2444	mscorsvw.exe	52
PID 2444 wrote to memory of 3012	2444	mscorsvw.exe	52
PID 2444 wrote to memory of 3012	2444	mscorsvw.exe	52
PID 2444 wrote to memory of 2020	2444	mscorsvw.exe	53
PID 2444 wrote to memory of 2020	2444	mscorsvw.exe	53
PID 2444 wrote to memory of 2020	2444	mscorsvw.exe	53
PID 2444 wrote to memory of 2020	2444	mscorsvw.exe	53
PID 2444 wrote to memory of 2676	2444	mscorsvw.exe	64
PID 2444 wrote to memory of 2676	2444	mscorsvw.exe	64
PID 2444 wrote to memory of 2676	2444	mscorsvw.exe	64
PID 2444 wrote to memory of 2676	2444	mscorsvw.exe	64
PID 2444 wrote to memory of 608	2444	mscorsvw.exe	55
PID 2444 wrote to memory of 608	2444	mscorsvw.exe	55
PID 2444 wrote to memory of 608	2444	mscorsvw.exe	55
PID 2444 wrote to memory of 608	2444	mscorsvw.exe	55
PID 2444 wrote to memory of 1824	2444	mscorsvw.exe	56
PID 2444 wrote to memory of 1824	2444	mscorsvw.exe	56
PID 2444 wrote to memory of 1824	2444	mscorsvw.exe	56
PID 2444 wrote to memory of 1824	2444	mscorsvw.exe	56
PID 2444 wrote to memory of 2312	2444	mscorsvw.exe	57
PID 2444 wrote to memory of 2312	2444	mscorsvw.exe	57
PID 2444 wrote to memory of 2312	2444	mscorsvw.exe	57
PID 2444 wrote to memory of 2312	2444	mscorsvw.exe	57
PID 2444 wrote to memory of 652	2444	mscorsvw.exe	69
PID 2444 wrote to memory of 652	2444	mscorsvw.exe	69
PID 2444 wrote to memory of 652	2444	mscorsvw.exe	69
PID 2444 wrote to memory of 652	2444	mscorsvw.exe	69
PID 2444 wrote to memory of 2068	2444	mscorsvw.exe	59
PID 2444 wrote to memory of 2068	2444	mscorsvw.exe	59
PID 2444 wrote to memory of 2068	2444	mscorsvw.exe	59
PID 2444 wrote to memory of 2068	2444	mscorsvw.exe	59
PID 2444 wrote to memory of 1168	2444	mscorsvw.exe	60
PID 2444 wrote to memory of 1168	2444	mscorsvw.exe	60
PID 2444 wrote to memory of 1168	2444	mscorsvw.exe	60
PID 2444 wrote to memory of 1168	2444	mscorsvw.exe	60
PID 2444 wrote to memory of 1108	2444	mscorsvw.exe	61
PID 2444 wrote to memory of 1108	2444	mscorsvw.exe	61
PID 2444 wrote to memory of 1108	2444	mscorsvw.exe	61
PID 2444 wrote to memory of 1108	2444	mscorsvw.exe	61
PID 2444 wrote to memory of 1544	2444	mscorsvw.exe	62
PID 2444 wrote to memory of 1544	2444	mscorsvw.exe	62
PID 2444 wrote to memory of 1544	2444	mscorsvw.exe	62
PID 2444 wrote to memory of 1544	2444	mscorsvw.exe	62
PID 2444 wrote to memory of 1996	2444	mscorsvw.exe	63
PID 2444 wrote to memory of 1996	2444	mscorsvw.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-09-19_4d782f275df6dbab2d37808afa65fe71_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_4d782f275df6dbab2d37808afa65fe71_magniber.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2052

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2812

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:512

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d4 -NGENProcess 258 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 244 -NGENProcess 1d8 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 260 -NGENProcess 254 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 244 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 250 -NGENProcess 258 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 250 -NGENProcess 244 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1f0 -NGENProcess 258 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 270 -NGENProcess 27c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 254 -NGENProcess 268 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 268 -NGENProcess 280 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 274 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 288 -NGENProcess 270 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 280 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 274 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 270 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 280 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 294 -NGENProcess 2a4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 288 -NGENProcess 274 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2ac -NGENProcess 29c -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1916

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1e4 -NGENProcess 210 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 25c -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 24c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 260 -NGENProcess 25c -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 260 -NGENProcess 264 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 248 -NGENProcess 264 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 274 -NGENProcess 1b0 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1b0 -NGENProcess 260 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 27c -NGENProcess 268 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 268 -NGENProcess 264 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 284 -NGENProcess 274 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 27c -NGENProcess 28c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 274 -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 274 -NGENProcess 288 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 294 -NGENProcess 28c -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1136
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 28c -NGENProcess 280 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 29c -NGENProcess 288 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 288 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 278 -NGENProcess 2a0 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a0 -NGENProcess 29c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2ac -NGENProcess 294 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2a0 -NGENProcess 2a8 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 2b0 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2b0 -NGENProcess 2ac -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 280 -NGENProcess 2b8 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2b8 -NGENProcess 2a4 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:2948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2c4 -NGENProcess 2ac -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2ac -NGENProcess 280 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:2076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2cc -NGENProcess 2a4 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2a4 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:2648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2d4 -NGENProcess 280 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 280 -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:3044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2c4 -NGENProcess 2e0 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2bc -NGENProcess 2e8 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:2132
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2f0 -NGENProcess 2cc -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 2e0 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:3000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2c4 -NGENProcess 2e8 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:1696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2ec -NGENProcess 2f8 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f8 -NGENProcess 2f4 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2f4 -NGENProcess 2d4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 308 -NGENProcess 300 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 300 -NGENProcess 2f8 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:1244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 310 -NGENProcess 2d4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 30c -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:1664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2f8 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:2480
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2d4 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 2d4 -NGENProcess 310 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 308 -NGENProcess 320 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 320 -NGENProcess 314 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 31c -NGENProcess 320 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 330 -NGENProcess 2d4 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2180
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 314 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 320 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:1012
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2d4 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:3044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 33c -NGENProcess 338 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2192
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 30c -NGENProcess 2d4 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2232
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 348 -NGENProcess 334 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:1760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 338 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 348 -NGENProcess 1f8 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 320 -NGENProcess 350 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 340 -NGENProcess 30c -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 354 -NGENProcess 1f8 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  PID:564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 2d4 -NGENProcess 350 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 358 -NGENProcess 348 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:304
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 1f8 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 1f8 -NGENProcess 2d4 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 364 -NGENProcess 348 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:1136
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 360 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 2d4 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:1244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 348 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:308
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 360 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 2d4 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  PID:1708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 348 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 360 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 2d4 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 348 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:1936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 348 -NGENProcess 37c -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 380 -NGENProcess 388 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:3068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 394 -NGENProcess 384 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:1168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 374 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:1056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 388 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:1688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 384 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:1644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 374 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:1764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 388 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 384 -NGENProcess 3a4 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2280
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 3b0 -NGENProcess 374 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:2624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 388 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 3a4 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:1652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 374 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:1360
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 388 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:744
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 388 -NGENProcess 3b4 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 384 -NGENProcess 3c4 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:1120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 3c4 -NGENProcess 3b8 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:2496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 2d4 -NGENProcess 3cc -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:2028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 2d4 -NGENProcess 3c4 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 374 -NGENProcess 3cc -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2232
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 2d4 -NGENProcess 384 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 3b4 -NGENProcess 3dc -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 374 -NGENProcess 3dc -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:1108

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1468

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1624

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2704

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1896

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2552

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1132

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1516

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:972

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.4MB

MD5
bb9e7be77d4dbd06cb42b3242f3f4d76

SHA1
c8ab8c54b0fa6f31ec70b48c30f8e91f6edbbfc3

SHA256
b97d7ac06e07d865716411f9fd068959117b4a4d5d2a79b5f847bd9bf7c3559e

SHA512
089eb9191174228e6bb2398f36ff7b068fc97678346b004afe52c3d0f1c4e5bc899a0615a29ecbda5dfd4dc94a7e00da381490ab7c4262d2d6b937e0e69c9424

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
67d16694499ab6f08999f237b76520cd

SHA1
225516ac3db9eac980c912ce9ad7fb35310e3233

SHA256
8c5dd017b9c526ef8d974fc5c72774644a6cea2ee5c1d887cbeb1a36452b4296

SHA512
6792a2fedb276568c08af1a1c2379e7da6db52c323943f35471d97ef60c317ddb4e82d4f8233fa1c67aaffe92e619317d1608b73616052b963410afdeb4e811c

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
fbe3c50fd12e1f2c21b08fea10ccdfe7

SHA1
475f9625c02bbbf7bae34c4e17698d371933128f

SHA256
5689477c25572d27601be32e24385a2366a7abaf85afe9a0f84032b2812a54be

SHA512
f852d11487b88dde07c6f037abbcfe5bd81127dee3e67b40bb81ab94f370b1d0465bbfacda155f0b2cf4a40c696d75d3c3d421a01a51cbd3e464fd038e674035

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.8MB

MD5
3bd2a08c079b328b01beefa087f2cd55

SHA1
26c13e4b31ce1704f2a15422369bd6c5923a0bf8

SHA256
062dabfa3759643764e9e19948623a9aec60ca8ee35c79e16590a0eb78833c86

SHA512
dd22f2187ebb32f126dc736dba9e9b11e2046a53aae9079ab3c9a333da59ee46372ad7cc97c054c47eb7d6415d10ef4653af49260649dd57190da1e86e3388b6

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
a80140cb3a147fcae349505ab6793b72

SHA1
c2d11e55f1298c15caf3ba8ddb96dd050b7545d1

SHA256
b1f36e12e0b9b680b5aab55f3351a43fea7bd3b7657f82771a4f73b55cb0c93d

SHA512
37ae1f0114df04d3fa2ce74815a1bf03388d3e75e1e17e6b171873ef3177d0e92a3d39c6e160844a3f71efab2cee19a606a895abe7dfecd9226d23139207d439

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
d2e910f596479a064b394638c01a53c2

SHA1
ff5f13bd142c526926a6331abd141e36529b3d69

SHA256
9edd6190ec897a8ff62c51647cb8c2b3bed9311f4b66de38e8c2fc02d2f4990c

SHA512
32ab8d3ac0a355142358b8a73bde216241530cfe3eed7f1e03c7df538939832a568ca9efb043cea2323c4850c630df456cb7846a2ff35290dfb42c3fa28d81b4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
cf8e7c4bc74a2ea032f76b1ae6dc180f

SHA1
ea8595260855fcc84d5c6add36b709847837b00c

SHA256
d688a03956e8ae94a1f80e32ae18eb9b49dc4e708af4ddb02a3930e0a038997d

SHA512
0618539379de1d52e3c2dadaf475fc0439a777883edc8ebbaef75832631b678cbf40f53734499e8b154148a9fa8aa43fc4ba26e3526ea0396020c8586db20d21

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
89c85cfbc43574c9d420f981b432181b

SHA1
c425dfdf88c006727e4a80987d1586b7deec785b

SHA256
be1bcd814cf642487ee794948bd99d6291f826d086bd254d0b8f4acd4161fcf2

SHA512
a23c67b474de4ca4fd1c068f9985bc3c4b344ede214537258ccab026f6a164d0322998a43b21a85b3dc2405a9c7349cad4593535916110b7fe14cc0ff25c575f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2bb3d26a59997cac4c286b1196a8e1ad

SHA1
cadafa626c7f3fbd5aaa36334e3579ee1a5ef0de

SHA256
f8218935ba6924b9614c2d5e74ac037ea0223a3c4811bf32381c24afa55f3fb9

SHA512
330f668d479d0a7ca704e61704b9c92be2ce36997ec031343d0550ba7c5d0bf3c5d1eb17a4158cc22fd6ae5aab5138af457a7981d92f0067547876d75470f6cf

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
dd897805212a6bf85b13b7c24ccc59f6

SHA1
e6a4dc6b21c87e4850f52248b2fbed4389e93e9a

SHA256
5116750791a1b8296cf02c272a582c3afd36cbc3d0fa1fe69024e6e8027354a4

SHA512
0c1e25ecdf966ff9c3ba69ab0de71258b8e4aabf1b286eea1c9c672613f3b1e774ba3e064b969053df731f07f3e56505771533e922fe63fdddb8a31882dbcfdf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
26aaa0525639309ef5cc71610334a40b

SHA1
7b4f711205352ea085eb1c27b4e00a0ece853468

SHA256
0b23006dd8f015099df315ea54dcc7d5583798b41c49cbe8303aec4af5b6a3fa

SHA512
a38e19a7b3cd99f8f8c853468963e082f0e3a710d0e3bae71e29c7c0f2c8b12af5b82f927d36bc6bbbf5c8d13b436595e22b33e6c8471f194c8b55f9567710bc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
a83713958f66ec549e379016817ddcc8

SHA1
c41b19e0f5eefd62c9864876d832754df5e7322d

SHA256
f38de7f854b7b439b594ee1dc8fe5a88cc4c741cdcdf080f517efa57ad0b82c2

SHA512
76ce24f2770ec04a54db1c3d3d3292bb16a5b53cef3f2da39da4043d03b1da6b2bd99e99333841678816c87e02f68b537a9865a473d0161e7b3dbdebe8032867

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
ef6afd25c405aa44ed2c726da4384318

SHA1
8340bf31d9e6707ca8e69023540320117a037727

SHA256
33a5b7d17d9c46e12ebbc0ef25fa0b9c824caca8fd15a4ed83673d86f7035fc0

SHA512
290ab703f415ac5da8de36b92e4926f2b81f61d679dcfb5a5d4196ed1fd2a9ba7be86b022a5b95a5017f30e41e5200ef816a2d1ca34204661a9d44df58592144

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37a6e0fa82f52a96c055a73607aaf4f3

SHA1
a15abb99c0a4ff79fdb1c385c17c530d0ddc9489

SHA256
b697db230ab935ac4ed2c765f3c9d5732708331fcff4181575660bf3aab0223a

SHA512
9c754d8de6bd30fca7a8c7166710662055bae0881fa7024eecf991e23d0c063c3b23734f808df3a9778ca8e5eca2b9411d42f44f14b75278259931328111112a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87edd8a1380451d74b56395cdbf80674

SHA1
942673a392d72800592409965c07d38266dfd0e2

SHA256
7c905f67a631299773781e9aff87413919408cdc73c7c78134af7bdf51a12445

SHA512
b3b801efb902369c157ad0306046d3907183d452cd6e6cc4cea6c12c08afd1dd8bc826f63e02512976b3f1df347050c06e3b8d721a63a4c4610cc61175698d7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77dd5a5954ac5a943ac945c73045361d

SHA1
9bc9349cae8f863a176d2235e3497aaec27497c8

SHA256
9fa63716a4d0342ca06a1baf05a4ce1e1c1a695d5950472e2c815acbed852d42

SHA512
a33361e99e8cb8ebc0496781168ad89460a7cdc56b8abfd2e85a37f977052b0da75b85e9f61acae15bd51d1c26d1fab2db9a04bef7b8ba9135b19aa14532b043

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab758F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar769C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.4MB

MD5
4c5469ecf998b0d53413858bae9436af

SHA1
b3d0e586a8bb3b3b3733f2268b8037b9a88f262f

SHA256
a61c337445509abda7817e9dcdae93c12168768cf50a678eaa9d8073247f1afd

SHA512
45838c3188a066a809801c4ec1a3e4bc39b85de040d891e6820a37c3daee8f0f8458d6ddcb6109448e13774b0a8068047e9643443c74e5825fdc4482876f9fb4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
8ec8384590b3405831f4889691dd560b

SHA1
eecd7c4bab94bafeb66b81983abe1b2d338d1eea

SHA256
80064c4f29d3d0f2c424bff2b05dbbaba10cd22e5b915a08bc255bdc3bd8c321

SHA512
47c83a57fdb5d4f3a72005268a7f33364ad55257c4aa6f249ea31cb7f57c6378a1e97795b7c70791e534bb007e23b5b4238a6491e8524eb61a8125522580502f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
d3f6e985689d6caef480f9ccfc145619

SHA1
61f3792368007ab6d6eafc8354aa2de03657e4b0

SHA256
be9847eee4493231efbc3672d5b55f06b06917fc6a59386fbcee7b508aeb5b6b

SHA512
e0fcad3e3d33fdffbbaf07bdd84d55b5110707f3cea6631b7fed54b9e337eb27accc48ac2d9dfa8bf38d604a1fdb395ff3c2700e9d05541f3bb9f9cac8f7351f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
3ee32187f4368688f67be9ec43785a5b

SHA1
918af6aff0aae6de6e97abbff6a007293943b24d

SHA256
552734b460ccf7a8a978691454147d56aeb8e40fbd2449d42f8296abc6c4aa5d

SHA512
06c984177b25335b2b6932d5bf6260832110be9d8461a6dc768faa9d1251b29760cf0e06e571ddf2dbfa5ac84397220b82f978c693218bc2523c1f50009a145e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
8dc40e41367f78e4a83fd135576155fa

SHA1
ce2c82b57d2589b9ece5306d1699da412d6f9a66

SHA256
0541fd66ed907b5d12a2586d5823fc60fc804d6998abb47fc79a3ae05b626902

SHA512
d2f0330d013a0c0686c71b065eda704166a324bc925a6e13d4d344cce2e9821d9d1c7fe91da127d835e7dba33598a0a9fac404907305ca18917593baa814b037

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
c9089b81292e04e8d8e4af1798947ff0

SHA1
a774b6c679c2ee1b16550aff4c824666a33b5523

SHA256
3a7a601d9b40d966efca5f4db042216d26e7673a1781a8d5188f952ccb121bce

SHA512
8ad4fe081d8495d22689bfa9d57c0e3a515d6c0a69598d67906e91accf238613cf0f9bbedfe7d45a920afc5d7ed763b1cfaea71bd14f04a2a13f0aaa664a9fc0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
21a856224a2acc1b1875377fd1f8387c

SHA1
e965d791c386957f2fb6788310bc7c2510f1821a

SHA256
7f59fd3857b016c48939944e7704d49a9bc24e227064cfa2bae77ae31366b3a0

SHA512
0c6e987e8fdf83f52f84372253590e155bfd833d0a9bc57d7dacdfc00ef46882ef9474b532854f0e319f1fadf03693be6e57c3f571cb075e9f00af895ae8dca3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
95bb194cd39fb02349fd3e99ae5bffe8

SHA1
bbc5d21b4a89498aec01e4c42cf6abe9a38459c1

SHA256
ea73e9b693a7be4a92ef08795e91fe1c0fe3ea878b9226c97f243e7700769c79

SHA512
62b20b586f859a96605df09bd53849db5919990f3d7c9c4df0a6b6696386ff5bf80d9b10ceecdc077fd021e777b3a10032abac79ac620dcf67f732b6d33e59a0

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.4MB

MD5
0687a9c84d510587c47f6273ac855a40

SHA1
20796c4ade5741d455d7f090566722f0f3e410c0

SHA256
2a57439414abee07a4c65da658094b92460e047b0f041945630ed8b78456027f

SHA512
c12a70043fd9894eb5d82d3fe60cebdb93876f2270197d75ba2a36fb911da106693c3b897d973d4e803bb65564dd627d992b03b781f33fe9ee89800b25d4f62f

Download Submit
C:\Windows\Temp\CabA841.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarA9A9.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.8MB

MD5
9958f23efa2a86f8195f11054f94189a

SHA1
78ec93b44569ea7ebce452765568da5c73511931

SHA256
3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6

SHA512
3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\46b53a8002db7d67c327339ab28af756\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
83f763f84caced15e8f4cb8459be90a4

SHA1
fe552cd38a03a5fce376879dfc11bda5b8b2fc29

SHA256
e52c54658660dc33995efd0ab2be5c35f5df278421665d744ab559e8fc3738ed

SHA512
c9655cfccc4446dfe8e4bcfa4522cb4e6048b45c286c00687dc55261d3e83e7ee8a6f1e9c2ce3515309095e3ef8f763bfb3e91d929361aa35a3969fad6fdee81

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6dd2b97ef9e30772d24939afbc874d03\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
23ee98cf74a90bf59dec6154581dc970

SHA1
8a3dfb14068b3899d56c378187a2ef6f776a7588

SHA256
ffbd6b7d45888cded2b460053c7d627e162ff655a0c4141feb3777c50f176f1d

SHA512
fe54c743a0d32b15a10d60e222a4b8d63d3212b7a8b5ced43a64de075b1c3620a6d4fcaaf0d9b7fd16af8c72834af566e8128c82672f7f40e826c84b24fd70c2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\897c7c9dc0d4357c7cb5f8850bcb9eb0\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
8403e96b94702d2916c1e37acac61acd

SHA1
757b2210e0b1dd4bd2126a1deb38fdcaf23e6b87

SHA256
5e2e55d5eb65d7106b90b3c9654389582cf73a0d456fab26fbe1df6fbf6ea91c

SHA512
90dcc4ffb34dff6a3f360b22cc5aced05bbf6dcd903a5f4ee52456d9703b6386b2b680c42a6f27279acde5f5626d4b29aca7b40a13a239419f6f25157c035e30

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\cc8411c4f638ca081a921027d50f4986\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
0615578a0255e9cfa67dacee0cd7cbe4

SHA1
1d5b4b28d759eaf6f53d4480596433cbee423b31

SHA256
b31ded73e60515ed2843a70ff846b1de3c969087a281a0e1cdacfe5dc9158d12

SHA512
1527e5e778e5b242fe16db54b9e4459c614cfaece085b4121201ee50725978b53b55c1353f81b06dad9d4a3d1fa5c6babd0e250ea453d743c546d1e2adbaffeb

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.4MB

MD5
0891c811d757eee028d622433f4d9177

SHA1
49cd282dc0fbd57fb8f210c0b84f56edcfcee832

SHA256
936b08a5a31aea80eff00273b1e66a152dd8551004c24dd8f34cba1d51c5c0cf

SHA512
4dc7bbceaf5d473bf314ea0ea2681796d944ecdbe33ef57ac708f8425aab1d0a4b3ca5b65eca24b4f6db47ba9a932c74dc41c32956ad9f4506a6e8efdfdad32c

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
a250562f28ac749d4e806f3497f713fd

SHA1
bc2ca0e5ee040d487097a4e28ac9151ece896897

SHA256
5a243f76461e495f147f42622f119c7d0d857a7a2644d90aa73adfda459d4af5

SHA512
e017ccc750848bbbd035f22e337ebf73231e18c59dcaeba7ac8cf2af748ad5a499fcaf9780ae7f23cb0021de5dc4b0617eb12b0348dfc97b05a2da59524518c6

Download Submit
\Windows\System32\alg.exe

Filesize
1.4MB

MD5
cd038a958be43de40423b90bf1e37a3e

SHA1
4b1c97ad90d3fdb1f28667395aeee615819da86d

SHA256
2847a057a78c276bb053bde9d712131be7b7bc76d672752e7c66be4ac990c793

SHA512
2b8b13f6cdd1b28fc89f11c58dde0b16058e47aa99335b3bfb05b88e58574563a9edd41b675bae65ccf9d1a412591ab6393d4b863570bea69d07e84536f2e880

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
745550ba847e03853340840b1b50516a

SHA1
23e47fa1000b4177d4e92635af04a865f8279553

SHA256
9408d3fc47d77f7480c381d5059a05ad4454a8346d5774ce0fb326253fe54f38

SHA512
a734231631143236297460e481d4d231bb3353759dec6e5cd0e064cafe07d6c1d95684846edb217de50e5f85fe84c1eea80ae87835f297144d74f6122b9f0c6d

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
7bff1f86c4e5d8d0caf83c7efa31c880

SHA1
5543afdb8e866fb9fcb6e5b8ed51ab70cbf571e2

SHA256
116c290823e8c69681204f6b1fec14ba310a1a6e818244e8e3a23d44ce650c07

SHA512
04d6613e9f9eedc4f074cef00385577b071464c5aeb2c1817f9793823000d6e2aa8f1b1645055e756010455c36b9b92b94a9f7f2973e2130e64adebdfa06db48

Download Submit
memory/512-43-0x0000000010000000-0x0000000010158000-memory.dmp

Filesize
1.3MB

Download
memory/512-49-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/512-44-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/512-158-0x0000000010000000-0x0000000010158000-memory.dmp

Filesize
1.3MB

Download
memory/564-919-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/564-939-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/608-661-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/608-689-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/652-861-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/652-850-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/652-718-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/652-730-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/964-813-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/964-827-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/972-631-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/972-378-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1108-767-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1128-129-0x0000000010000000-0x0000000010160000-memory.dmp

Filesize
1.4MB

Download
memory/1128-170-0x0000000010000000-0x0000000010160000-memory.dmp

Filesize
1.4MB

Download
memory/1132-593-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1132-362-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1168-747-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1276-838-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1276-824-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1468-225-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1468-890-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1468-203-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1468-209-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1468-194-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1468-456-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1468-224-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1516-394-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/1516-365-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/1540-872-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1540-616-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1540-595-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1544-772-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1624-235-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1624-515-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1624-243-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1624-881-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1624-241-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1824-693-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1824-686-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1896-275-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1896-281-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1896-542-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1896-283-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1916-873-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1916-876-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1996-771-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1996-789-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1996-780-0x0000000001A60000-0x0000000001B1A000-memory.dmp

Filesize
744KB

Download
memory/2000-544-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2000-575-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2020-628-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2020-650-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2024-814-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2036-951-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2052-185-0x0000000000400000-0x000000000097E000-memory.dmp

Filesize
5.5MB

Download
memory/2052-393-0x0000000000400000-0x000000000097E000-memory.dmp

Filesize
5.5MB

Download
memory/2052-7-0x0000000000400000-0x000000000097E000-memory.dmp

Filesize
5.5MB

Download
memory/2052-9-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2052-0-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2068-743-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2076-519-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2076-530-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2112-970-0x000000001ACC0000-0x000000001AD08000-memory.dmp

Filesize
288KB

Download
memory/2112-969-0x000000001ACB0000-0x000000001ACBC000-memory.dmp

Filesize
48KB

Download
memory/2112-974-0x000000001ADD0000-0x000000001ADDE000-memory.dmp

Filesize
56KB

Download
memory/2112-971-0x000000001AD10000-0x000000001AD26000-memory.dmp

Filesize
88KB

Download
memory/2112-968-0x0000000001900000-0x000000000190E000-memory.dmp

Filesize
56KB

Download
memory/2112-973-0x000000001ADD0000-0x000000001ADDE000-memory.dmp

Filesize
56KB

Download
memory/2112-990-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2168-994-0x000000001A950000-0x000000001A968000-memory.dmp

Filesize
96KB

Download
memory/2168-993-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2296-234-0x0000000100000000-0x000000010015D000-memory.dmp

Filesize
1.4MB

Download
memory/2296-13-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2296-19-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2296-21-0x0000000100000000-0x000000010015D000-memory.dmp

Filesize
1.4MB

Download
memory/2312-702-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2312-721-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2344-571-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2344-586-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2444-163-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/2444-404-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2444-169-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/2444-162-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2464-952-0x0000000001970000-0x000000000197E000-memory.dmp

Filesize
56KB

Download
memory/2464-954-0x000000001ACC0000-0x000000001AD08000-memory.dmp

Filesize
288KB

Download
memory/2464-966-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2464-950-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2464-953-0x000000001ACA0000-0x000000001ACAC000-memory.dmp

Filesize
48KB

Download
memory/2464-955-0x000000001AD10000-0x000000001AD26000-memory.dmp

Filesize
88KB

Download
memory/2488-926-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2552-293-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2552-887-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2552-567-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2592-639-0x000000002E000000-0x000000002E16E000-memory.dmp

Filesize
1.4MB

Download
memory/2592-403-0x000000002E000000-0x000000002E16E000-memory.dmp

Filesize
1.4MB

Download
memory/2676-802-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2676-664-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2676-647-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2744-842-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2812-26-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/2812-297-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/2972-523-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2972-460-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2996-183-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/2996-177-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/2996-189-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3012-615-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/3012-625-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download