wannacry | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38

Analysis

max time kernel
113s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Size

4.1MB
MD5

a859f6bf1bbb4df6c23bbdc0d4cae460
SHA1

992d843bbbf6cfcc9ecd33f978554955b4044554
SHA256

087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38
SHA512

03be0abbc579b48507aa7441b3946e7a6a8dd23a008006510dcc79a99e347fae4c429a00422c673a92f2d7f5036a68cc0359b1464e3642233838735c175ef6e3
SSDEEP

98304:IDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HFbx4uR:IDqPe1Cxcxk3ZAEUadzR8yc4HF2

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2202) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 62 IoCs

pid	Process
464	Process not Found
2872	alg.exe
2172	aspnet_state.exe
1120	mscorsvw.exe
2616	tasksche.exe
2128	mscorsvw.exe
1532	mscorsvw.exe
2240	elevation_service.exe
2432	GROOVE.EXE
524	maintenanceservice.exe
1528	OSE.EXE
1092	mscorsvw.exe
936	mscorsvw.exe
1804	mscorsvw.exe
2780	mscorsvw.exe
2884	mscorsvw.exe
2064	mscorsvw.exe
1944	mscorsvw.exe
2192	mscorsvw.exe
1440	mscorsvw.exe
2308	mscorsvw.exe
1544	mscorsvw.exe
2484	mscorsvw.exe
944	mscorsvw.exe
2532	mscorsvw.exe
2736	mscorsvw.exe
2796	mscorsvw.exe
2260	mscorsvw.exe
1448	mscorsvw.exe
1180	mscorsvw.exe
2216	mscorsvw.exe
2460	mscorsvw.exe
1564	mscorsvw.exe
684	mscorsvw.exe
2632	mscorsvw.exe
1608	mscorsvw.exe
2932	mscorsvw.exe
2500	ehRecvr.exe
1624	ehsched.exe
1076	IEEtwCollector.exe
112	msdtc.exe
1868	msiexec.exe
1096	perfhost.exe
2484	locator.exe
1956	snmptrap.exe
2476	vds.exe
940	vssvc.exe
1964	wbengine.exe
2296	WmiApSrv.exe
1588	wmpnetwk.exe
3068	SearchIndexer.exe
2972	mscorsvw.exe
1484	mscorsvw.exe
3140	mscorsvw.exe
3256	mscorsvw.exe
3428	mscorsvw.exe
3608	mscorsvw.exe
3740	mscorsvw.exe
4000	mscorsvw.exe
1020	mscorsvw.exe
2416	mscorsvw.exe
3140	mscorsvw.exe

Loads dropped DLL 20 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1868	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
736	Process not Found
3428	mscorsvw.exe
3428	mscorsvw.exe
3740	mscorsvw.exe
3740	mscorsvw.exe
1020	mscorsvw.exe
1020	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9507cf58f1301b95.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Windows\System32\vds.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Windows\System32\alg.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{81B62077-4199-45EB-921D-6EB76AC289EE}\chrome_installer.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe

Drops file in Windows directory 52 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPAFB0.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPAAB1.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA757.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\WINDOWS\tasksche.exe	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ba000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDB7842C-ACF5-46F2-AAEA-B7EC40169877}\WpadDecision = "0"	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDB7842C-ACF5-46F2-AAEA-B7EC40169877}\WpadNetworkName = "Network 3"	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-b6-bc-7b-95-ca\WpadDecisionReason = "1"	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-b6-bc-7b-95-ca\WpadDecision = "0"	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{89761EE0-5DED-4096-9E93-4ED7A6E5D37F}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDB7842C-ACF5-46F2-AAEA-B7EC40169877}\WpadDecisionTime = a02c589f991adb01	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-b6-bc-7b-95-ca\WpadDecisionTime = a02c589f991adb01	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{89761EE0-5DED-4096-9E93-4ED7A6E5D37F}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1932	ehRec.exe
1656	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
1656	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
1656	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
1656	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
1656	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	948	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Token: SeShutdownPrivilege	2128	mscorsvw.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeShutdownPrivilege	2128	mscorsvw.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeShutdownPrivilege	2128	mscorsvw.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeShutdownPrivilege	2128	mscorsvw.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeShutdownPrivilege	2128	mscorsvw.exe
Token: SeDebugPrivilege	2872	alg.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeShutdownPrivilege	2128	mscorsvw.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1656	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: 33	2940	EhTray.exe
Token: SeIncBasePriorityPrivilege	2940	EhTray.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeRestorePrivilege	1868	msiexec.exe
Token: SeTakeOwnershipPrivilege	1868	msiexec.exe
Token: SeSecurityPrivilege	1868	msiexec.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeDebugPrivilege	1932	ehRec.exe
Token: SeBackupPrivilege	940	vssvc.exe
Token: SeRestorePrivilege	940	vssvc.exe
Token: SeAuditPrivilege	940	vssvc.exe
Token: SeBackupPrivilege	1964	wbengine.exe
Token: SeRestorePrivilege	1964	wbengine.exe
Token: SeSecurityPrivilege	1964	wbengine.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeDebugPrivilege	1656	087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Token: SeManageVolumePrivilege	3068	SearchIndexer.exe
Token: 33	3068	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3068	SearchIndexer.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: 33	2940	EhTray.exe
Token: SeIncBasePriorityPrivilege	2940	EhTray.exe
Token: 33	1588	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1588	wmpnetwk.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeShutdownPrivilege	2128	mscorsvw.exe
Token: SeShutdownPrivilege	2128	mscorsvw.exe
Token: SeShutdownPrivilege	2128	mscorsvw.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeShutdownPrivilege	2128	mscorsvw.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeShutdownPrivilege	2128	mscorsvw.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeShutdownPrivilege	2128	mscorsvw.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeShutdownPrivilege	2128	mscorsvw.exe
Token: SeShutdownPrivilege	1532	mscorsvw.exe
Token: SeShutdownPrivilege	2128	mscorsvw.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2392	SearchProtocolHost.exe
2392	SearchProtocolHost.exe
2392	SearchProtocolHost.exe
2392	SearchProtocolHost.exe
2392	SearchProtocolHost.exe
1500	SearchProtocolHost.exe
1500	SearchProtocolHost.exe
1500	SearchProtocolHost.exe
1500	SearchProtocolHost.exe
1500	SearchProtocolHost.exe
1500	SearchProtocolHost.exe
1500	SearchProtocolHost.exe
1500	SearchProtocolHost.exe
1500	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 1092	1532	mscorsvw.exe	40
PID 1532 wrote to memory of 1092	1532	mscorsvw.exe	40
PID 1532 wrote to memory of 1092	1532	mscorsvw.exe	40
PID 1532 wrote to memory of 936	1532	mscorsvw.exe	41
PID 1532 wrote to memory of 936	1532	mscorsvw.exe	41
PID 1532 wrote to memory of 936	1532	mscorsvw.exe	41
PID 2128 wrote to memory of 1804	2128	mscorsvw.exe	42
PID 2128 wrote to memory of 1804	2128	mscorsvw.exe	42
PID 2128 wrote to memory of 1804	2128	mscorsvw.exe	42
PID 2128 wrote to memory of 1804	2128	mscorsvw.exe	42
PID 2128 wrote to memory of 2780	2128	mscorsvw.exe	43
PID 2128 wrote to memory of 2780	2128	mscorsvw.exe	43
PID 2128 wrote to memory of 2780	2128	mscorsvw.exe	43
PID 2128 wrote to memory of 2780	2128	mscorsvw.exe	43
PID 2128 wrote to memory of 2884	2128	mscorsvw.exe	44
PID 2128 wrote to memory of 2884	2128	mscorsvw.exe	44
PID 2128 wrote to memory of 2884	2128	mscorsvw.exe	44
PID 2128 wrote to memory of 2884	2128	mscorsvw.exe	44
PID 2128 wrote to memory of 2064	2128	mscorsvw.exe	45
PID 2128 wrote to memory of 2064	2128	mscorsvw.exe	45
PID 2128 wrote to memory of 2064	2128	mscorsvw.exe	45
PID 2128 wrote to memory of 2064	2128	mscorsvw.exe	45
PID 2128 wrote to memory of 1944	2128	mscorsvw.exe	46
PID 2128 wrote to memory of 1944	2128	mscorsvw.exe	46
PID 2128 wrote to memory of 1944	2128	mscorsvw.exe	46
PID 2128 wrote to memory of 1944	2128	mscorsvw.exe	46
PID 2128 wrote to memory of 2192	2128	mscorsvw.exe	47
PID 2128 wrote to memory of 2192	2128	mscorsvw.exe	47
PID 2128 wrote to memory of 2192	2128	mscorsvw.exe	47
PID 2128 wrote to memory of 2192	2128	mscorsvw.exe	47
PID 2128 wrote to memory of 1440	2128	mscorsvw.exe	48
PID 2128 wrote to memory of 1440	2128	mscorsvw.exe	48
PID 2128 wrote to memory of 1440	2128	mscorsvw.exe	48
PID 2128 wrote to memory of 1440	2128	mscorsvw.exe	48
PID 2128 wrote to memory of 2308	2128	mscorsvw.exe	49
PID 2128 wrote to memory of 2308	2128	mscorsvw.exe	49
PID 2128 wrote to memory of 2308	2128	mscorsvw.exe	49
PID 2128 wrote to memory of 2308	2128	mscorsvw.exe	49
PID 2128 wrote to memory of 1544	2128	mscorsvw.exe	50
PID 2128 wrote to memory of 1544	2128	mscorsvw.exe	50
PID 2128 wrote to memory of 1544	2128	mscorsvw.exe	50
PID 2128 wrote to memory of 1544	2128	mscorsvw.exe	50
PID 2128 wrote to memory of 2484	2128	mscorsvw.exe	51
PID 2128 wrote to memory of 2484	2128	mscorsvw.exe	51
PID 2128 wrote to memory of 2484	2128	mscorsvw.exe	51
PID 2128 wrote to memory of 2484	2128	mscorsvw.exe	51
PID 2128 wrote to memory of 944	2128	mscorsvw.exe	52
PID 2128 wrote to memory of 944	2128	mscorsvw.exe	52
PID 2128 wrote to memory of 944	2128	mscorsvw.exe	52
PID 2128 wrote to memory of 944	2128	mscorsvw.exe	52
PID 2128 wrote to memory of 2532	2128	mscorsvw.exe	53
PID 2128 wrote to memory of 2532	2128	mscorsvw.exe	53
PID 2128 wrote to memory of 2532	2128	mscorsvw.exe	53
PID 2128 wrote to memory of 2532	2128	mscorsvw.exe	53
PID 2128 wrote to memory of 2736	2128	mscorsvw.exe	54
PID 2128 wrote to memory of 2736	2128	mscorsvw.exe	54
PID 2128 wrote to memory of 2736	2128	mscorsvw.exe	54
PID 2128 wrote to memory of 2736	2128	mscorsvw.exe	54
PID 2128 wrote to memory of 2796	2128	mscorsvw.exe	55
PID 2128 wrote to memory of 2796	2128	mscorsvw.exe	55
PID 2128 wrote to memory of 2796	2128	mscorsvw.exe	55
PID 2128 wrote to memory of 2796	2128	mscorsvw.exe	55
PID 2128 wrote to memory of 2260	2128	mscorsvw.exe	56
PID 2128 wrote to memory of 2260	2128	mscorsvw.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
"C:\Users\Admin\AppData\Local\Temp\087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:948
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:2616

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2172

C:\Users\Admin\AppData\Local\Temp\087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
C:\Users\Admin\AppData\Local\Temp\087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 240 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 248 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 270 -NGENProcess 24c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 274 -NGENProcess 258 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1f0 -NGENProcess 264 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 280 -NGENProcess 1f0 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 270 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 258 -NGENProcess 1f0 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 278 -NGENProcess 288 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 24c -NGENProcess 1f0 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 28c -NGENProcess 258 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 278 -NGENProcess 294 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 294 -NGENProcess 284 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 29c -NGENProcess 1d8 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 258 -NGENProcess 278 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 278 -NGENProcess 288 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 284 -NGENProcess 290 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a8 -NGENProcess 294 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1608

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 208 -NGENProcess 1bc -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 258 -NGENProcess 238 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 230 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1bc -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 238 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1bc -NGENProcess 238 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 24c -NGENProcess 274 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 274 -NGENProcess 268 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 1bc -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1bc -NGENProcess 24c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 280 -NGENProcess 268 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 268 -NGENProcess 278 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:3448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 288 -NGENProcess 24c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:3572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 24c -NGENProcess 27c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:3396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 268 -NGENProcess 278 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:3856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 24c -NGENProcess 290 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  PID:3812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 280 -NGENProcess 1bc -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:2972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1bc -NGENProcess 268 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:2876
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 2a0 -NGENProcess 290 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:3188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 1bc -NGENProcess 2a8 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:3444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 298 -NGENProcess 290 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:3512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 290 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:3724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2b0 -NGENProcess 2a8 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 290 -NGENProcess 2ac -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:3224
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 28c -NGENProcess 2b4 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  PID:3872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2b4 -NGENProcess 2b0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:3160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2c0 -NGENProcess 2ac -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:3124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2b4 -NGENProcess 2bc -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:2512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2b8 -NGENProcess 2c4 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:3076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:3588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2a0 -NGENProcess 2c4 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:3572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2c4 -NGENProcess 2cc -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:4032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2d8 -NGENProcess 2d0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:4076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2d0 -NGENProcess 2a0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:3708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e0 -NGENProcess 2ac -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:3740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2ac -NGENProcess 2cc -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:3620

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2240

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2432

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:524

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1528

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2932

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2500

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1624

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1076

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:112

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1096

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2484

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1956

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2476

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2296

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3068
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-457978338-2990298471-2379561640-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-457978338-2990298471-2379561640-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2392
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  PID:2108
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
fe440fa46e1693e2ac2fc4ad21489595

SHA1
ead4ecc800ca689c0ffb3dcc9e29a8218eba3536

SHA256
34a319662edc74310a8f658eec24e1bbee9ccd98f1c723d14bdcb00342b5deb2

SHA512
a9a7dcc22e09af378f1df5c980066f088e46612e8fbe20a8b86ab3f96d6d4ff2ef4ad8c34701ee83bfb17ea14eb83617a710c444f579ab5dbd9e130b7b7665e4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
5ebc2e02091034d09982f4a67ebfc2a6

SHA1
7c837f63d18d5416d726d10666975c07d9754fbd

SHA256
d8d3499b8198faf2fd603b299e0900940f36a848afb0d4b341c6534454e37376

SHA512
387a85d8b47d8905ab0ee2186d0ed0b5545a26eefcba8267dc4949e0ab5b3e6097eb0ce416efe6e540c1cca156489b125f5e9618b582a308cdefefa5c2be9548

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
c31770c6e60d5baec36e43581ab480a9

SHA1
218aae518987ceaca745a4ec08ad8327507e1171

SHA256
dc1aa54f59aa44728888c2ae22e4f154abd36de6df0d59a412a051c8cc741c69

SHA512
2282694ce8f14df5e37d94ed400a2394c7eabd2691966325c11d3eb62e44f1ef8c5fa8ed1a4d185160e43f5b6ebd9f28995512fdbbceb3ee4ba3c03740687364

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
cea245b64fbaf8c5dccb97f86c9dae09

SHA1
203507c22cb9195fe2954eae242630116ebff2e3

SHA256
1f4d789a1b7c7c8dfe041d61acca04b0b8d4671a28cd06bcc5ab8fd959ee9390

SHA512
875f0f36bdef2d3b663bc769c8e68083ef931386e1ab00a0166e17c5368cce858b07faddd584d35f319bc5bd930cb1ede97ce4551613a0d70b2a1b0f63e9fd3c

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
1b2f65afbda6cbfebea33fef7eb74abb

SHA1
ca561f4001ce8b1835eadc70df9a45a5395fa341

SHA256
609818d66d5b0fa4eaae604d6a0821db0b1bc7736e8428bf175bdf3dec91dbc2

SHA512
e56299ef6da60466c54b5a4a85b5d46997b321de2d222f0ec24393f6fac20c0c900d1d68e644401e293180f38f3e88ac1169e218fcee92493849f23405dd85aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
8196f230e0e8567c96cb6580f1e17d29

SHA1
de54e5165bcd2284aee6583713977d18f0a404e3

SHA256
aaceeb03210caad88ad1bdb127d957729232a113c0a0c689b549c670068b8c9f

SHA512
52fa995519e564b52da53204d5328d334006ecbca55e75ca0b4b2649975a091fb612847b966c5594a4e01a699c15cc8377c54c0a3f22e67fad98b2bd1df1c0f6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
6913d3e4c78b9f74e37676129e591f98

SHA1
8f51a7ddcb8c4017d20a68d589a6a67c759b4cbb

SHA256
996f238f79cba46bc3c4447f6f8f70eb6e0cf8ce12add525346ec0572909f602

SHA512
d96dc841353f56979c9ae945095780e48b92e019b0e3379cb825803a70f54986cdc30946073d077f2092792594bcb0b5a69b8b35c41d8b2653af5e0c8e6822ae

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
398cc0ea79232dd8635a0b911cc98af9

SHA1
4f79519fe1361a871217c42017b1e01c0b9484b6

SHA256
6168e962400a3e9037c269cb36f8182cd5efca3f38b929a6fe384a8c5c33b4b0

SHA512
3adae0a9363d4b6099bcd13a2fc08deaf4ffb935ec520061513007c972bbdcd0c95fefaf1a52ec69ca5c1b265a7ac04d503df34a887b306c7f8cc67f865c7627

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
9a01ce14d0ab5a420e7b6022a12afeee

SHA1
41ae4522e4d41d383463e3b46c674d94ab68505c

SHA256
a5ac08bddae79f25cf49afb9882029e959a4b68afbf9948dd6bb5ffaf27bd689

SHA512
20d16e6bd2fc41321d7728876164ab89595346295583b9f89351a755fb88d6c17e7fd13c14cf17988bd76111966a454ba260e33b7c17f66d32ec4a06bd682aab

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
924d4aba22b549ffbc38453e061e4e5f

SHA1
287977fc11185855418d3c07ae1d0237c2378b85

SHA256
955c74552fb70870ecb0371ab74badbd6de1716928526ea95e76956b47c2befb

SHA512
233e2106e2968ae3486c959cf752f3c267e9630e6c329d9a581315cb4af132b518e9d7bfb761330ace0b903e6221dcf635b901ddf101900cf91b0b0b04197a5f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
52e52a5c69c5e92af85e4e9484c598d2

SHA1
d5ddfcf7609a98338c6957335233d7ed57ecb8e8

SHA256
9e45e96be32edc48093710a5806c95258499227520395ed86ea771f4dbc52253

SHA512
5022a0590cf2b34d411ccec2f1d4c95f5e373cd8b57373c4140804422128eff5259656a6bbd23e081c8d19b7e8535d3e07d10dfe08dffd667bd13686c2ca3b5f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
3550a2bfe1dfe96906346f8410704132

SHA1
2f6a155e0d3715f1e9f47715c5f8b0d9198aa927

SHA256
74a756fafc4d9125f5f37ccc448d4e287e2d265d1d03a868b2e38190a94e4c57

SHA512
03af66a21e89260bb183beab40a6b61d9ced345f7b3714fa612e32c69e0f9a59ce0e712e0c37238cf74360d2f496a582dca31f983f6e3740b4eab3881a10b9da

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
91082d8d01754d160d12c14668fc295c

SHA1
fabbc0f124712631217a67a8c55ea5dfb8a6bf35

SHA256
41ce0899302243255b6c1666b526ab10957ad884bb1475e679f948c93aaad47b

SHA512
9dfbb8d3f3e53f6a2c895e5abc45707f0f2b307a0a6ec54ef818b1af51b10224f5e72ac13ed788e38d75889fab2e6a31c7b94e6c265de2c83a3f2a949f5ec273

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
5b09774fe17d199a2de0341fd9b7aa48

SHA1
d5c927a60ffbd6619902a15d2146839c24a9cd06

SHA256
d6a67a3f98d05ef6301d4552b98dab74af218b50affcafa5e47894ed4f126fb5

SHA512
f942a7302d65ed049c1ce4c29fb22299e29e3ae727e01085da5c5643835bd3b85a49db8eb81aa0e3a823b09969399ea4f4985b6d7bb2b2255419d1e1533a581f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
f9b158c8a233dea71947f52b454dfa26

SHA1
961dd7fa67c4c68908e21b8ee52c5fa08061c927

SHA256
f379b67f51e79ccc83d479c77043aea57bc8b5aee2cd41ef2d06013409672224

SHA512
0e8910d6554f17be8b2d12376bb25aad57a4474187b45c867b5c129f716fcf34d2ef960cd3c5d0f03dc53f4766d149922804aebbe34221961424210a9067637d

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
f00244e96563ec7bbc66a9a25d3f0b4a

SHA1
b10e7d482dd1d5cc57ac2e1873aa6b90810669f1

SHA256
90d8cc2cb0e9be3d63754fdea78e55fe876551358041504997e4bbbf034a868c

SHA512
e752b3c7a8cbbd3a4523d1077d9cfe685c75cd6bc7c948be278d373f7d8bdb9553e25972d33d3b6193acaaf1eeb1aca9f4f3c8075d46ee08fbba5257865ca35b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
0062b178903c08a3ece4a0600f9b8955

SHA1
7ccb10bee62581827e1090a6f5b39f6e9c157dc4

SHA256
86d3f52c8303672d310eb30edf7497e3ffa89961e8b4641ba32b7072c746574c

SHA512
4d4537173336337936c841837ba4aa51e35314ff0d332aabd342f71110d7b700327583bc5e900f19ca5208413cfaa13179aca38504fdb87d798231223e9aa997

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
a3d82fffd0afe8b0a31acbcf15f48510

SHA1
8a6e5379591573c98049ec9431965ccb51cd6833

SHA256
a3f9372b87f32e708fbd2242401f0589d94901fc78dd534f0f3340c668da70ac

SHA512
ee1fa4cd329d45b4bb28a0a4a222599c5ace076d325ecf871fdb250e068f2d483da2c40c7af3e3fe3f943368871728c4b9a128891112bd1113131d7dcaed9f05

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\26afe82d0cb37b64a01a64efd1f06202\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
2f71e7560517a24cf7b41259c96beb32

SHA1
774ddbe2b2e8ee11cac98a55e00e947435fff546

SHA256
ba0984f8d43c79fbf548882171d724d524cd8ab42705f072e2c9909556051f19

SHA512
06938c8914cc5ed9fe231fd34d51118caf29253d03832f28384ce821160d56194da3a3a97946371339e5802438a6423f2c03661a9afe5e1e8298727deae0a514

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\5de59c149b15b8aac843891510ed36af\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
804a6bc4fd83a090b25943d715395b41

SHA1
7ee234eab43a126ac98716e070b9b16b37e529af

SHA256
4400afd24bc9036d983a150f43527af2d0bb654b4b9f56aada9f807ebbebad91

SHA512
0663e477160dddf9d0dc88be91548454a089d1cb4a24d9ad086f665a0f52e125da1296f74f33a5c1a2890cd2947df9ea8c0e5d7635e61bc2e297ba68e158948c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\71aa8a61ea7cfa9bcea28cd76ffebaf6\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
5c7fe25eb6156533ca7f70b175443229

SHA1
670c6b0d0425fa2e818bca08cb2a021ac30efc65

SHA256
5f3a4f6205929e8ec44816ce1df868045024a416a17a002678597ebb5cf0b599

SHA512
2155dfe628d8d71455bed003fc249bcadab5bb65af31bb992c585b349ee071596b6e60e795e18098cbc5270a55e388df90df651547780bd3db08e423f4704469

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\95e37d89500905056286d1a6a566fe3c\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
ac5f2c38c0def1e115744172fdefec39

SHA1
eac6ccd39461e8f9e5ef53e689ed245444f7b25c

SHA256
8eb3df39820fec7a42dd2cf57ec7151bc99b546cb5db943f704af8354e355d73

SHA512
e3da08b531db783243e1f195abb396f3c73b47a141c07ffa3208f78de4a9b6bd1df42688aff6e4bef59cf409f8edfb3af1ab1e1c36c9b2ea26f0f6fc0ba874da

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
f2a4fdbb8da8e3e4133fcf27dbb574c7

SHA1
3a824a81c4fc3db0a7cb27113089f29ed65091cd

SHA256
6436ddd1ecd9272d5cb27665d221a451612d39939d5c71075d24104d964fe437

SHA512
a60912fa042baae1f4e0c1553a18a8f030edb385d6733310bc14684d9c27087b37282049bd677f50b292e3c86db2206c1fe94acf0f27f35f33832aa9cb7e3f13

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
7e7cebeccd4c19d7cea8aae6be831413

SHA1
b0829509f8c2dff44d1d5e20fa9fe5c555d9d697

SHA256
7c21f11be204f7bb6972b9487c4114a92046ba52b9833c90b3a7050b2f2e2cfc

SHA512
1a6457405705ac46f7af745e9503174bfe64b60155391842c80a324474dec29195ab85c1ef0d2521a086185ea0a4aadd3dd4ac0d65b56dd0368074339c840dcb

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
33bd2a1aea8ee1a2d68c9ca1293900e6

SHA1
92229a907ac323707d90a02a0d6391cf6c9e27c7

SHA256
18626a13b7ae53f6305e2d5ce8d057cd622fbee700c42b6304f9bed8fa40e816

SHA512
3ed880c6b61a5deac2a39865373aa34e2a8e8f01f56d549ebdbd32df35bcb4092bdb158f95cd8d33b2c1f1d6278e9abae1377b87e2d556726597b9fc1f5c511e

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
7ee5f1c414a1bf010a654e11065fe6d8

SHA1
312f104b071d05a99e10663af13f6ca45c51029d

SHA256
80442cb9d2fffedf9202c2a7af0330d2e1cd6151db3bf331b72983fb593e028c

SHA512
a5c7e09c130f1852f38e645ac7bb4e80dfa96b826f731a64641dee7089493e851809931eb457b5f5301daeb112d862749fe5b70c4fa5605ba0531fcb1bc84cad

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
a885f4e84171dfd554af2e264010420c

SHA1
a007159283abaa783de5cea63e1c8918436ca171

SHA256
5662e10475705ca3150aea8278b205f796bbc53c3c4dfdc07ae8797520b68321

SHA512
0376a57a9e273950ad52bb614d88ee3bf59daafada6ec11c6a5e1441989d638dfc9eb9250574a12f9d5bd4509629d60431f95b512a75da2c050b7fe65b4f663f

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
3df4baf9d9f1cea23d4b02fc4e560c03

SHA1
434a7c1e81b22724fe7b3e721251d93984bfde55

SHA256
ae23349cba74cd2e081dbbf292cad1043cbaa7683556d573a83c3e75bdc0815e

SHA512
6b792acf45aadd205b4feec06a54fe6ff9fa5aac1c21ed5e63861a61bcfa2a0a8ed39a99e8331b47c9ba849748310333997cb537737c4c2b3cd561a08f3b8e56

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
1c1e572ffefcd3557ae07d1aba122ad6

SHA1
d2962bddcd35c7cc67fe8a2e2a4281be627f1eff

SHA256
34567c0166d72b5d5cc6a5e7f81c4da60be17f860f14589a0fc6ed6d24be679a

SHA512
dc8b3db9125c9652e8d6d4258432c7de229d060d4a4c7b5a0a076aa5c63e7f80d39e77a45fb852167532783437b0a5331cac43ae054716d9d560486bf187616b

Download Submit
memory/112-653-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/112-770-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/524-114-0x0000000000A30000-0x0000000000A90000-memory.dmp

Filesize
384KB

Download
memory/524-127-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/524-123-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/684-570-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/936-270-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/936-295-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/940-737-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/940-872-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/944-459-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/948-5-0x0000000000B70000-0x0000000000BD7000-memory.dmp

Filesize
412KB

Download
memory/948-45-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/948-0-0x0000000000B70000-0x0000000000BD7000-memory.dmp

Filesize
412KB

Download
memory/948-7-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1076-647-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1076-759-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1092-236-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1092-273-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1096-835-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1096-688-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1120-90-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1120-46-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/1120-53-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1120-51-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/1180-527-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1440-421-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1440-409-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1448-523-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1484-920-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1528-333-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1528-137-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1532-74-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/1532-239-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1532-73-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1532-80-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/1544-436-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1544-432-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1564-567-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1588-883-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1588-771-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1608-592-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1624-748-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1624-625-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1656-36-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1656-35-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1656-28-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/1656-223-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1656-163-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1656-33-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/1804-328-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1804-345-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1868-666-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1868-773-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1868-789-0x0000000000180000-0x0000000000232000-memory.dmp

Filesize
712KB

Download
memory/1868-668-0x0000000000180000-0x0000000000232000-memory.dmp

Filesize
712KB

Download
memory/1944-389-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1956-713-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1956-870-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1964-749-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1964-881-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2064-365-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2064-378-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2128-233-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2128-58-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2128-64-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/2128-59-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/2172-26-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2172-156-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2192-391-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2192-410-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2216-545-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2240-99-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2240-101-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2240-267-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2240-93-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2260-510-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2260-501-0x0000000003BE0000-0x0000000003C9A000-memory.dmp

Filesize
744KB

Download
memory/2296-760-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2296-882-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2308-433-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2432-104-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/2432-109-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/2432-313-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2432-112-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2460-556-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2476-871-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2476-716-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2484-699-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2484-869-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2484-445-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2484-456-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2500-736-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2500-615-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2532-478-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2632-581-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2736-482-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2780-359-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2780-343-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2796-493-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2872-12-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2872-121-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2872-13-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2872-21-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2884-374-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2884-349-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2932-602-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2932-622-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2972-909-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2972-885-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3068-884-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/3068-782-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download