039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-10-2024 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
Size

1.8MB
MD5

06c3b75deae102144ec995312d6d208a
SHA1

9d7386202e4012460553e792beaa4c1820cf7d17
SHA256

039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2
SHA512

75c6b6c541d078e6374f0212929b20a57b0c9e6772f002dfb3d6eb86f7611bec36b115b3932d8b826c06e0183c77f5980ffe0dcbe7067f4208d91dd8aa3ada0f
SSDEEP

49152:SiDHNvsmt3qmLC26/59I+HV7CjfM6ZAMZnWMsKoIyW5hbh9CQEEOUwnZvAks:/HZ/Cd5u+HVh

Score

8^/10

credential_access discovery evasion stealer trojan

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 64 IoCs

pid	Process
2636	mscorsvw.exe
472	Process not Found
1968	mscorsvw.exe
2844	mscorsvw.exe
588	mscorsvw.exe
2700	elevation_service.exe
2000	IEEtwCollector.exe
2340	mscorsvw.exe
2544	mscorsvw.exe
2368	mscorsvw.exe
1600	mscorsvw.exe
1512	mscorsvw.exe
2112	mscorsvw.exe
3044	mscorsvw.exe
1620	mscorsvw.exe
2784	mscorsvw.exe
1824	mscorsvw.exe
2156	mscorsvw.exe
2260	mscorsvw.exe
2060	mscorsvw.exe
2332	mscorsvw.exe
2588	mscorsvw.exe
2648	mscorsvw.exe
848	mscorsvw.exe
944	mscorsvw.exe
1780	mscorsvw.exe
1412	mscorsvw.exe
1076	mscorsvw.exe
2264	mscorsvw.exe
996	mscorsvw.exe
1208	mscorsvw.exe
684	mscorsvw.exe
976	mscorsvw.exe
1788	mscorsvw.exe
2488	mscorsvw.exe
2392	mscorsvw.exe
2756	mscorsvw.exe
1080	mscorsvw.exe
2168	mscorsvw.exe
2952	mscorsvw.exe
2628	mscorsvw.exe
2624	mscorsvw.exe
2268	mscorsvw.exe
2104	mscorsvw.exe
444	mscorsvw.exe
1988	mscorsvw.exe
1612	mscorsvw.exe
2484	mscorsvw.exe
1620	mscorsvw.exe
2348	mscorsvw.exe
1580	mscorsvw.exe
1588	mscorsvw.exe
2392	mscorsvw.exe
2512	mscorsvw.exe
556	mscorsvw.exe
1796	mscorsvw.exe
2632	mscorsvw.exe
2332	mscorsvw.exe
1904	mscorsvw.exe
2660	mscorsvw.exe
2204	mscorsvw.exe
2884	mscorsvw.exe
2652	mscorsvw.exe
1484	mscorsvw.exe

Loads dropped DLL 54 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
3044	mscorsvw.exe
3044	mscorsvw.exe
2784	mscorsvw.exe
2784	mscorsvw.exe
2156	mscorsvw.exe
2156	mscorsvw.exe
2060	mscorsvw.exe
2060	mscorsvw.exe
2588	mscorsvw.exe
2588	mscorsvw.exe
848	mscorsvw.exe
848	mscorsvw.exe
1780	mscorsvw.exe
1780	mscorsvw.exe
1076	mscorsvw.exe
1076	mscorsvw.exe
996	mscorsvw.exe
996	mscorsvw.exe
684	mscorsvw.exe
684	mscorsvw.exe
1788	mscorsvw.exe
1788	mscorsvw.exe
2392	mscorsvw.exe
2392	mscorsvw.exe
1080	mscorsvw.exe
1080	mscorsvw.exe
2952	mscorsvw.exe
2952	mscorsvw.exe
2624	mscorsvw.exe
2624	mscorsvw.exe
2104	mscorsvw.exe
2104	mscorsvw.exe
2348	mscorsvw.exe
2348	mscorsvw.exe
1580	mscorsvw.exe
1580	mscorsvw.exe
2392	mscorsvw.exe
2392	mscorsvw.exe
1148	mscorsvw.exe
1148	mscorsvw.exe
592	mscorsvw.exe
592	mscorsvw.exe
2408	mscorsvw.exe
2408	mscorsvw.exe
2240	mscorsvw.exe
2240	mscorsvw.exe
932	mscorsvw.exe
932	mscorsvw.exe
2988	mscorsvw.exe
2988	mscorsvw.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3290804112-2823094203-3137964600-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3290804112-2823094203-3137964600-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\V:	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\H:	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened (read-only)	\??\L:	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\M:	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened (read-only)	\??\Y:	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\E:	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened (read-only)	\??\W:	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened (read-only)	\??\X:	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened (read-only)	\??\R:	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened (read-only)	\??\T:	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened (read-only)	\??\Z:	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\N:	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\G:	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened (read-only)	\??\K:	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\J:	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened (read-only)	\??\O:	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened (read-only)	\??\U:	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\I:	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened (read-only)	\??\P:	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened (read-only)	\??\Q:	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened (read-only)	\??\S:	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened (read-only)	\??\J:	mscorsvw.exe

Drops file in System32 directory 47 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\dllhost.exe	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	\??\c:\windows\system32\locator.exe	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	\??\c:\windows\system32\vds.exe	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File created	\??\c:\windows\system32\ogjlndag.tmp	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File created	\??\c:\windows\system32\dcaqndah.tmp	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File created	\??\c:\windows\system32\bnhnlpin.tmp	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File created	\??\c:\windows\system32\bcmiakfq.tmp	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File created	\??\c:\windows\system32\bicplacn.tmp	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File created	\??\c:\windows\system32\bddbdbfg.tmp	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File created	\??\c:\windows\system32\nipoqmhc.tmp	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File created	\??\c:\windows\system32\aakklllb.tmp	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File created	\??\c:\windows\system32\gnpjdmok.tmp	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\alg.exe	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File created	\??\c:\windows\system32\himhhokp.tmp	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File created	\??\c:\windows\system32\ilknjhlh.tmp	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File created	\??\c:\windows\system32\wbem\odlpppap.tmp	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\cnddabaf.tmp	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File created	\??\c:\program files\windows media player\ejhaefpj.tmp	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File created	\??\c:\program files (x86)\microsoft office\office14\ebbbekbo.tmp	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File created	C:\Program Files\Internet Explorer\agiiaihb.tmp	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	mscorsvw.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\ldepdebl.tmp	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\fnbbpdpk.tmp	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5DC9.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6DD0.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD00C.tmp\Microsoft.Office.Tools.Word.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP64CB.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index159.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP626B.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "mscorsvw.exe"	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
Token: SeTakeOwnershipPrivilege	2168	039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
Token: SeShutdownPrivilege	2844	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	2844	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	2844	mscorsvw.exe
Token: SeShutdownPrivilege	2844	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe
Token: SeShutdownPrivilege	588	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 588 wrote to memory of 2340	588	mscorsvw.exe	39
PID 588 wrote to memory of 2340	588	mscorsvw.exe	39
PID 588 wrote to memory of 2340	588	mscorsvw.exe	39
PID 588 wrote to memory of 2544	588	mscorsvw.exe	40
PID 588 wrote to memory of 2544	588	mscorsvw.exe	40
PID 588 wrote to memory of 2544	588	mscorsvw.exe	40
PID 588 wrote to memory of 2368	588	mscorsvw.exe	41
PID 588 wrote to memory of 2368	588	mscorsvw.exe	41
PID 588 wrote to memory of 2368	588	mscorsvw.exe	41
PID 588 wrote to memory of 1600	588	mscorsvw.exe	42
PID 588 wrote to memory of 1600	588	mscorsvw.exe	42
PID 588 wrote to memory of 1600	588	mscorsvw.exe	42
PID 588 wrote to memory of 1512	588	mscorsvw.exe	43
PID 588 wrote to memory of 1512	588	mscorsvw.exe	43
PID 588 wrote to memory of 1512	588	mscorsvw.exe	43
PID 588 wrote to memory of 2112	588	mscorsvw.exe	44
PID 588 wrote to memory of 2112	588	mscorsvw.exe	44
PID 588 wrote to memory of 2112	588	mscorsvw.exe	44
PID 588 wrote to memory of 3044	588	mscorsvw.exe	45
PID 588 wrote to memory of 3044	588	mscorsvw.exe	45
PID 588 wrote to memory of 3044	588	mscorsvw.exe	45
PID 588 wrote to memory of 1620	588	mscorsvw.exe	46
PID 588 wrote to memory of 1620	588	mscorsvw.exe	46
PID 588 wrote to memory of 1620	588	mscorsvw.exe	46
PID 588 wrote to memory of 2784	588	mscorsvw.exe	47
PID 588 wrote to memory of 2784	588	mscorsvw.exe	47
PID 588 wrote to memory of 2784	588	mscorsvw.exe	47
PID 588 wrote to memory of 1824	588	mscorsvw.exe	48
PID 588 wrote to memory of 1824	588	mscorsvw.exe	48
PID 588 wrote to memory of 1824	588	mscorsvw.exe	48
PID 588 wrote to memory of 2156	588	mscorsvw.exe	49
PID 588 wrote to memory of 2156	588	mscorsvw.exe	49
PID 588 wrote to memory of 2156	588	mscorsvw.exe	49
PID 588 wrote to memory of 2260	588	mscorsvw.exe	50
PID 588 wrote to memory of 2260	588	mscorsvw.exe	50
PID 588 wrote to memory of 2260	588	mscorsvw.exe	50
PID 588 wrote to memory of 2060	588	mscorsvw.exe	51
PID 588 wrote to memory of 2060	588	mscorsvw.exe	51
PID 588 wrote to memory of 2060	588	mscorsvw.exe	51
PID 588 wrote to memory of 2332	588	mscorsvw.exe	52
PID 588 wrote to memory of 2332	588	mscorsvw.exe	52
PID 588 wrote to memory of 2332	588	mscorsvw.exe	52
PID 588 wrote to memory of 2588	588	mscorsvw.exe	53
PID 588 wrote to memory of 2588	588	mscorsvw.exe	53
PID 588 wrote to memory of 2588	588	mscorsvw.exe	53
PID 588 wrote to memory of 2648	588	mscorsvw.exe	54
PID 588 wrote to memory of 2648	588	mscorsvw.exe	54
PID 588 wrote to memory of 2648	588	mscorsvw.exe	54
PID 588 wrote to memory of 848	588	mscorsvw.exe	55
PID 588 wrote to memory of 848	588	mscorsvw.exe	55
PID 588 wrote to memory of 848	588	mscorsvw.exe	55
PID 588 wrote to memory of 944	588	mscorsvw.exe	56
PID 588 wrote to memory of 944	588	mscorsvw.exe	56
PID 588 wrote to memory of 944	588	mscorsvw.exe	56
PID 588 wrote to memory of 1780	588	mscorsvw.exe	57
PID 588 wrote to memory of 1780	588	mscorsvw.exe	57
PID 588 wrote to memory of 1780	588	mscorsvw.exe	57
PID 588 wrote to memory of 1412	588	mscorsvw.exe	58
PID 588 wrote to memory of 1412	588	mscorsvw.exe	58
PID 588 wrote to memory of 1412	588	mscorsvw.exe	58
PID 588 wrote to memory of 1076	588	mscorsvw.exe	59
PID 588 wrote to memory of 1076	588	mscorsvw.exe	59
PID 588 wrote to memory of 1076	588	mscorsvw.exe	59
PID 588 wrote to memory of 2264	588	mscorsvw.exe	60

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
"C:\Users\Admin\AppData\Local\Temp\039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2636

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 234 -NGENProcess 240 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 150 -InterruptEvent 1e8 -NGENProcess 1d0 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 25c -NGENProcess 250 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 150 -NGENProcess 264 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 150 -NGENProcess 260 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 150 -InterruptEvent 254 -NGENProcess 264 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1b8 -NGENProcess 264 -Pipe 138 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 278 -NGENProcess 244 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 254 -NGENProcess 244 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 280 -NGENProcess 264 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 264 -NGENProcess 278 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 288 -NGENProcess 244 -Pipe 1b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 244 -NGENProcess 280 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 28c -NGENProcess 248 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 248 -NGENProcess 288 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 298 -NGENProcess 278 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 290 -NGENProcess 278 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 254 -NGENProcess 2a0 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2a0 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 248 -NGENProcess 278 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 278 -NGENProcess 254 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2b0 -NGENProcess 294 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 294 -NGENProcess 248 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b8 -NGENProcess 254 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 254 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2c0 -NGENProcess 248 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 248 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2c8 -NGENProcess 2b0 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2392
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2c4 -NGENProcess 2c0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2cc -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 264 -NGENProcess 2c0 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2cc -NGENProcess 2c4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2f0 -NGENProcess 264 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2104
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 264 -NGENProcess 2ec -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2f8 -NGENProcess 2c4 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2c0 -NGENProcess 2f0 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2cc -NGENProcess 2c4 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2e8 -NGENProcess 2ec -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 30c -NGENProcess 2f4 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2f4 -NGENProcess 300 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 30c -NGENProcess 314 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 248 -NGENProcess 2c4 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2392
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2c4 -NGENProcess 2c0 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 31c -NGENProcess 2ec -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 318 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2c0 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2ec -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 320 -NGENProcess 330 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 2c4 -NGENProcess 2ec -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 248 -NGENProcess 2f0 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 338 -NGENProcess 330 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 31c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2f0 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 330 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 31c -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 2f0 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 338 -NGENProcess 330 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 338 -NGENProcess 344 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 354 -NGENProcess 2f0 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 330 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 344 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 2f0 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:3048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 330 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:3000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 338 -NGENProcess 344 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:1704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 34c -NGENProcess 364 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 370 -NGENProcess 35c -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 35c -NGENProcess 344 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 378 -NGENProcess 364 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 374 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:1836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 344 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 364 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 370 -NGENProcess 380 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:1580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 35c -NGENProcess 364 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:1856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 390 -NGENProcess 374 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 360 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 364 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:2428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 374 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 360 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 364 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 374 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:1628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 394 -NGENProcess 360 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:2604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3a4 -NGENProcess 3a8 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:2676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3b4 -NGENProcess 3a0 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3b4 -NGENProcess 3a4 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:1348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 364 -NGENProcess 3a0 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:2276
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 3c0 -NGENProcess 388 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 3a4 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 360 -NGENProcess 3a0 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 394 -NGENProcess 3c4 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:1496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3d0 -NGENProcess 364 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:2704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3a4 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3c8 -NGENProcess 3c4 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:1896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3d8 -NGENProcess 2b8 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:1204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3a0 -NGENProcess 3a4 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 3c8 -NGENProcess 3dc -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3c0 -NGENProcess 3a4 -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 364 -NGENProcess 3c8 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 3c8 -NGENProcess 3a4 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3d0 -NGENProcess 3dc -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 364 -NGENProcess 3ec -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2392
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 3e8 -NGENProcess 3dc -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3dc -NGENProcess 3a0 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:2640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3f4 -NGENProcess 3ec -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 1c4 -NGENProcess 3f0 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3ec -NGENProcess 3f0 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:1140
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3ec -NGENProcess 3f8 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:2004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3a0 -NGENProcess 3f0 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:1780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3fc -NGENProcess 408 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:2088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 3ec -NGENProcess 40c -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:1968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 408 -NGENProcess 23c -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:2704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 414 -NGENProcess 3f4 -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:2208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 40c -NGENProcess 41c -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:1896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 404 -NGENProcess 3f4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:2936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 420 -NGENProcess 414 -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  PID:2636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 41c -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  PID:1364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 404 -NGENProcess 428 -Pipe 420 -Comment "NGen Worker Process"
  2⤵
  PID:1748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 430 -NGENProcess 41c -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  PID:1704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 434 -NGENProcess 414 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 43c -NGENProcess 428 -Pipe 438 -Comment "NGen Worker Process"
  2⤵
  PID:2180
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 23c -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:2196
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 414 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:2484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 448 -NGENProcess 428 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:2228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 44c -NGENProcess 23c -Pipe 430 -Comment "NGen Worker Process"
  2⤵
  PID:1952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 450 -NGENProcess 414 -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:2296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 414 -NGENProcess 448 -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  PID:2116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 458 -NGENProcess 23c -Pipe 440 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2988

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2700

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ncjookla.tmp

Filesize
694KB

MD5
0f937b539be67504857d6cc754f478a3

SHA1
669cbf596ffec2cd75422bde2ac4c333b3f23556

SHA256
60a1ff5224e847ec29ef45401537ae8925ba2c36d5798df69ea718911502975d

SHA512
690fa99eb2a7d2518de1a17f002d5e5dafd10bc953c4e3e094c35a7518d724e3b8a28588d9a4409dca7cb73cb44a85687fa2b1a82a6ad65ca4585bd8187bf69e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
06a91123c0b1090e9eac0d02dfbb21c4

SHA1
1fa2305ace4f054d3e0a8e0315195bddb0f22f59

SHA256
f67a0b9072b63e86f4b0baa0a8ce2a9b4f5641646ac75936840d923b7f34ff3b

SHA512
c8ea7a6f7639b38ffdc6d583affcda495186f224c37393e14942db064adb8d48c8aae1074dbfa06f4414df5b35339328f9c0091896d5df2a8cce581dbb9f8fc5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
161fb760448a5f72eb5b523f3c7461ca

SHA1
bd157fe75a31380ee7e7f643a3c56d77b86c5313

SHA256
9b661bd300d4c4223c59631050e2a8f298f13a1483fb26baca88ea437d743162

SHA512
eef123998987bb3faac5b6eb018699ab34e6e4b9d411c9a01a4841766cb85c561810d0945ab58797e9775be8e2f652b1bf80367e9fb330b5db601d1028e2609d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
4KB

MD5
47c99b7aaea59a90ab329075ab47d6d1

SHA1
745df1462e4af2d8133c6767f6c337e4189b5185

SHA256
13659b110337cdb56665b5b1954e92b9a905dcfcd1c96c2176bf7c0a760e4ac8

SHA512
98907f26eea74d147a52563252c9e8aabeca5271bef57cc5e599a9b04fe18fd67c623292e0981422c3d5245a32b15b2926bd91b61c8cec9c1619ca6cd6cd289c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
613KB

MD5
f6607a4bea464cf578407a535352a225

SHA1
e58f6e55fa885b634719f2467199467a514355ed

SHA256
b160a64334bd214bece4146389c898bda4492aab6bbb0c7e949efe6065284b8e

SHA512
8bf1694ddfd6d866199ec5e17ecab226f72942d77664cab212d0152713b2d3969990b26cd8b6d33f301642d6d33f9919be21a23b441811080acb8dfffb631b51

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
4afe278aba4f6112e21efccdae543bdc

SHA1
99c90f3aacadb0d1d0074ec5a8143a164366c4e9

SHA256
f9154d98c34ea6646e5ec7d84e7962a4126265db6fa62139d034c51f5cfacf31

SHA512
dc00dcbfb1934f2fe5f3ab200abedab914caeaa3b8f7a0724625c53750e9e9f28a82940026103a8b678f59d9d8e7efa4f6267c56e177aba7cc56cea481108ecc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
644KB

MD5
dae5b0ef3fdc8ae9fd7679a4800d604e

SHA1
300214c7f6a01d2ca1d2c5553ae310e3249f673c

SHA256
f02cb06570dd9e6ba6d3016799e386c658cd0c43697dedbdd42b578a07b6a088

SHA512
0c3e5963155b76e33c4cdc88c98611f08dd39ede7b060ae998050be3e732badf3c19c5626be604821a04e105928850a3436c498d11f52b81b5b830055a5a2ff4

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
666KB

MD5
804241cc880259e44d44c37f20d63725

SHA1
b45980f8047a2562922e5a157271ae760ed565a2

SHA256
76c0cd29c9bfc761c4c6a8fcfdfe5775ac231f57e1c7aee708f3cbbfc08aa4de

SHA512
3c5cb7bf19c757b9b17f5a95ed72f94a51ec6127c4f06b3a97ac4f326403de348ddf1e192c00d7170614a12cc6ab73ecc3c60ec65bbce2c12dea4a2476801397

Download Submit
C:\Windows\Temp\CabBEEC.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarBFF7.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
1.1MB

MD5
7835e60e560a49049ae728698da3d301

SHA1
87b357b1b3c9a2ad2f3b89b10a42af021ab76afe

SHA256
df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa

SHA512
b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
238KB

MD5
0a4ed78b7995d94fa42379f84cd5f8e9

SHA1
90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b

SHA256
0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86

SHA512
86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.8MB

MD5
9958f23efa2a86f8195f11054f94189a

SHA1
78ec93b44569ea7ebce452765568da5c73511931

SHA256
3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6

SHA512
3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4b363c5e4c1eae1701bf45d167f8658f\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

Filesize
91KB

MD5
adc5887e89bc56694a193d92898d3518

SHA1
267f14c45a86d50ad627c6cb00626049e9c1ee20

SHA256
edc77665afe4901d4370c6a4fe7427b235a8b4bbcd58ac41ee72440cf414bb5b

SHA512
bdea1e13b655e62b74f908f1012a746992245ffcebe21bad624e6e051429e8cccf531fc03fa1fc7319bc5c9c6367c261174394f9623a1968c6381d674b341a37

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\76b549af81e6f61157e9e4d62310c93d\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
11b1180c2fe37f7a65e5298689a3cd7b

SHA1
10e94b646ba9450583731e6d14cd96db7c14261c

SHA256
7bdecdfd47ae51e58b71f99bb032921a009917c847a8bed917d8ea854167200a

SHA512
1c21338a0bbf21f69cd409b816487d20421c4995f3c16c4eeabf7098481275877eedc022b2cd159359cd63fe20e6eb8c314524f63f8b2dbf025672ccdbb1a876

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9f6aa22f0006f171692dd268020237dc\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
c8f9b0dc33d7dde3bd1832a1f873820d

SHA1
26f922126aee9493fd0a4aa8e930ee65c9b54740

SHA256
52cfc3aaff7bdea9bbb730fbd61ab09a026c9acf38663545a4623b596fbf805e

SHA512
d07f1eb7fe2144c6336478e5d51f6620a19d15a09fd99bb0252b92b5601602c06d516fda6410c7ab078eea1c798fa6c461e4b270f034a1576929538d59d7a6f1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\ddcbce37296c413d8d125b3938f2defa\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
ed5feb1609be3fd75d59c88ea4294151

SHA1
64a067a27b9c818332c0fefe66e0b0492d665877

SHA256
2ed066b06f1d71345fc356276b4146fee7eb655486766fe26dc68ef5bde86200

SHA512
3fadbaa47dfafbbb998e8d05fb1db3960657beba4fdf227ca53cb8db21747de5c149be01d26782f2cef9562e4302bb9c114a39b3f0571d4df732c2ae57e093ac

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\e2fbc61ee4836ca67319e07c50f6b85e\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
1df300968beabe04990dca2b164cd8aa

SHA1
ddb399729ab7d27d8c517fc28fc93741c5622949

SHA256
ad54b87709608df4c0b2bc5a5af209f0517aea9e22a05ac203d8d5c437d13a60

SHA512
78c099a57da74bf9507f9c067d59cd292375bee8084d583d24c353e4008e03157aa5ae3d35406a8c9696e212a8bcf67ed35d8bf6e4feb3e8e17760f67ddaeeaf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
694KB

MD5
aefa682374380ce26f4b1ffc86d54683

SHA1
216d7ca3f665ba2d1fcbe9a944a4a3ba321e034b

SHA256
56ef9b6579b07a0abf50860ffe4dd9bb4cb86caebd296d3578d1fa8ce790bc12

SHA512
d54f8bd9f9b978cdaaaef5d7e70316b298c643d140b00d63275332fdeada8d0dc053fe4f695ce369557354488ae5d15421cba1d2fb1555c82c08620bc1078b72

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.1MB

MD5
42d533a706599e575fbedfe2d19685b2

SHA1
61019cf6d834424035e83606806f2b9ccbd6e8aa

SHA256
e8f69641aba98ea95d20a5db4f8b804a02acc1ffeba9f629a1232bbe5f66c06d

SHA512
d1be246d2835a7a21c77cf8cd596565a6f0750b506ff930d2eb9704a7aaf0b9c0fe3fd92c1b3e5be4cbb171d71b6c8414dbc7eb44619ff028b7553be09321e77

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
769KB

MD5
f48d636d7b10d6d588aa88fd2832b42e

SHA1
efa94ee598a04a7b081bd4b179b70fae1f8a5915

SHA256
460879524185432d761143ce4c0624cbbdfa62069d08ebbd7059fa207cfbd632

SHA512
9defd2f700b294db8bdf64a97cc071b2108bf5eb837fa6f4f0ed1bc3ba794a698ff62a5c60803017dbc12849b488aa13c179fc70b7076cb2561e75d5a6395751

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
2.0MB

MD5
b6b8c76a3e321c0e3ac4b3f933772af2

SHA1
0fb664241b09f573fc19af530c31aeddd4e9e659

SHA256
233e3b12677545c86dca9899fb9cc71c2ff18e431d03897095dd5fbd85726b44

SHA512
149142b4b413dd4b5fb52c16101ca2458fd891da0353b6bfbfa79a44a848a62084ea44286de35ab9398961a0e417cbb428cdac66e3b293f67d5203656de2610e

Download Submit
\??\c:\windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
17e152b6d0d8bdcdedeff40148025130

SHA1
b263ee565daa0128330576934bcc9821ab511721

SHA256
54f8dfb0de8e8c253630abf2f8c88cd6aeb51fb3e6bc980ba459e145ff2e4ba0

SHA512
eb9e05469e133a54c6368bbe350bd62cee3d10f9b84a0d88753889a903a9af8a72ac4ed890e2dc393b4ee810dd24ac10afbbda17200cc46e287682568f3a651f

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
679KB

MD5
13e4d4a31dc6b35b75ee298165658ebe

SHA1
f8e62b70c01062ee39b59da2f2924954a7e75354

SHA256
de60af1ee7a5213e5c0cccb810f8de4b01a3fdc51a6184a4b47f878306a7ab5b

SHA512
591c0834399fc4d5a0d70c081102a24eb4cd75e4a0cea0f2fc6e998c10c25c91a5edc1acf9605b52c47ae651249c072df4b81579303d879b7d6a63ed17d397ae

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
591KB

MD5
e1ea0325ea9ce762e4e35fb84ef5cb24

SHA1
17f4de26de688458ae6b3892254541709637ec19

SHA256
511a633f08fcb3175c898544bed7cf6b676ac67261c16513746d0c11f1ca33b3

SHA512
a0328b03e7863e23ed3e11c3d9b5bcb761d22f9592b1d06120281f7f17cb7b4e636c264f4c10ce053f44a38dd4a7fb694757251b80012230503d117ac7b5854d

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
632KB

MD5
30a2b68b5613f448f9c2c3bfcaca8cde

SHA1
c4e3ee45345d00c5ce4583688e5f4e3250594531

SHA256
e8bb3bdf244a2e79339b33babab5fb49b95c437012b9820543ae04d27e7bf6f1

SHA512
72c3aabb04900b27a9d5b5a715cfeb7b6c30c2370118baecadd6e504327d9aebc9c87d134e2327fdb58c86ba652f4153682275d6d4689b36c6b885f7fbddba1d

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
7c39faf5aaae6ca906323e5e40cc2aa2

SHA1
9652c1c21d55da2c5edf47f9f42364a6bb717da8

SHA256
ce460e0fb5bb58ac1564f841ec8f21ca46a10cb432af8599c2ab36c554a99f7e

SHA512
a85436de1592f634bae71523961af8bfcc335a734ee42a5658b441658d690a6e6e77ab259cf7d944b9991ce58501ae7bcccbd26358d424797cb0314008d251fc

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
693KB

MD5
a1cdd69653897c2c3d5eca0fba7763b3

SHA1
a66d1e57777cb8f9e457d59bdec862eb69bc5d09

SHA256
debe59f337f0b04d3b50ff7117ec0c3584980669941aa1370091a68eeeb9150b

SHA512
b04309bd3fd3169f96b774a308b9df08e7d6fc7b8d7b65004aed5f553150f9e4220803bf663ae122ab6c2e3a446d1284e66db46100b670cc023590dea78919bd

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
679KB

MD5
b2e52c2a7e787d3a5c945008231d83ae

SHA1
704d864dcf0ea048808407d7b6222dd17c2f178b

SHA256
1042ce50ba535ce49f67acc482b44faf04266e4e2cbbe963ea5048cdf01c78ac

SHA512
eb13936fb63dc6b6c4ac605d95fa45f96f7f0624307c894cb29423f43d42ae1ea4281fcaeabfd84670d3aadc2c29ff1b17e4d2738976b200ab0942b90f38cc89

Download Submit
\??\c:\windows\system32\searchindexer.exe

Filesize
1.1MB

MD5
23038b3b398640714ef2b06281ec3f29

SHA1
2a5c2feddec0cf1990f564b4bd127f194a3c81d2

SHA256
5e0d54fe28caa8d1a706582ec02467adb2cf5a2024f8d8f26227f0e4a8b616ae

SHA512
f90db334154fce50252dbba82c302cb5e982673a6ca204661fe1764be4a20675cf85456c3b137a9140a4dd528d2add5fb9cd546334dbcca8b66330a14dfc6734

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
569KB

MD5
06c9dc3592661f80b5ed571369b618d1

SHA1
5940bcb2483e06fb4a43dc0e157a78cb2522ff84

SHA256
5e50aa344c684ba2560c9827dcbd79b1a06163ead30efaa09f3bb22874e684dc

SHA512
52e2784a6459753d28e35ca5b0d55af1dc1dd4068659d38e00453afec41e9721a24cb04a285dbb4054341f706ba1f4bf4dc9b29ed83eabfea2f1318cf5466da7

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
595KB

MD5
e271f020ab49b1ce94d969b8d3a01fd6

SHA1
531eddb7b77ff900a0acff6150bd51a2481f5ee6

SHA256
a5f82488e70985ddb735f3f63314203474eb3777ae82ae3c870f3dd395625a07

SHA512
783b2dc570341bf626d6bb1daae30960c35068ff6ce0e3f7d627fd2f7d85b70fb6b2ad0c27b5a3617c8956c10c49730d51e2aed5653d825a07cfb91242c92e74

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1.1MB

MD5
bdfc9355d70aeb2dcb506d5ac031e9a7

SHA1
ac5c5290367748f0185e9956a0aa9226c593ba5b

SHA256
9a61dcd286432f7f4ea33a836f5f153c74ce30cbae2aa962538fa8947ab820fd

SHA512
e65f5d065d7ee5fbfb2c4a72072fa99be2e1447c47fde778148f5184582b56be7ea87330d3a12d0a3b48154224f8fc9d8ddab8b024abd398a76cdf481e02761d

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.1MB

MD5
b2cb8be72cd7fa1f3690d3abb3de47b2

SHA1
64bad9679af98e57f2ef12d6c6012f6273bb89bd

SHA256
1c8bc4da69b2135e20833ea415b02d51fcfbc00b0c05ec39e89033e5f871e1e9

SHA512
98f3ab10099d2289c795eedc09deae24cbd3dc15f1e79683ea2e4806187aec7017a9c42312a2984c832760e82140e2902eaba20015e4069c4df6b7c6a5349887

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
753KB

MD5
892a173a92dd07c09150c7d158830490

SHA1
ac547ea96a016e697bb2dac9d6ae8d35f9f80deb

SHA256
d2f529b78f0a282a4d95ef9c465048db9ebd878fbb7d21f66472de92f81f623d

SHA512
10a2198ea544ba2e4e392a0ad5e175aba2b20b0a27be33a77202747f3663c739943ae1fa3134f65745816913ed453d55b70343c30f7b7cd0c42456792b679e13

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.0MB

MD5
27eafb9b1121d092a9e73e7d3c89ade4

SHA1
a3388393da62f985e9bbaeb9c72eda3da2f630c9

SHA256
f914dd9327eb35a0e29a5e42a5664f055fd7c88ff35ac51f38fb3d15c9c9922b

SHA512
f2471905a7a3dc09e4d8d6d07216bfbd1a0449065a37a02a53afaebb4e6462c1e85bad5271412ed22573bfc4543b662b56fe181ee6b6cb7981ce5521d7ab9e53

Download Submit
\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
5739ca33b4b783da20ae97c08d0ed80b

SHA1
2cd298a2679b5a1640da911182c55c2ffd9c6f63

SHA256
7beb0f551f822fc55af1c5f96d598447be0471528f099471087da54b9bd00a57

SHA512
653cd08434a8f2a7719b36bdfd23e0c1254ecdf27d36aa7dbc8c174b7a3b97bba1fd9505fc3d4d785bb83e26f42533d989dc510e0e576493b2b9e8499d577f00

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
636KB

MD5
c9fae5dbc0bfa8c0a99e7916e7ee8837

SHA1
a9d8a3e933b8126a9c1bc026c6d9bb38bd5c4750

SHA256
a13e599078a8a578ed93ff5b088c794955b7c88c1a62ebc7ad6136ff3c8ab874

SHA512
e07dd3e84ee9b213cec046f4fa5cb7d2b9bb87fc63745ad7acab98fdb8607af484e1721834c39627651d176fd199ad1c60e4f11e04290bec4e1acec69fbf7775

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
e057dbf2f99771cf6fda534528a39e4d

SHA1
e1589e62cc1c9c6c4cc19e7c17af947963b58e4b

SHA256
c67bcdcf1c73de23981a75684b9189fc019c18b8fcf8ab1a7b396cfe4311f306

SHA512
21a2703b3adbb938c566753e1b00a9b3446a2c471224b4a82c42606a55c8cf3b8f2e9e5c9d1a1f5990fb85504c4187c9c6034ec6e7a412bbb80fe4114ce46d93

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4412.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP471E.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4A88.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4D65.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4FB6.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
memory/588-191-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/588-97-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/1512-240-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/1512-243-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/1600-241-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/1620-271-0x00000000006B0000-0x00000000006C8000-memory.dmp

Filesize
96KB

Download
memory/1620-278-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/1620-275-0x0000000003050000-0x000000000306E000-memory.dmp

Filesize
120KB

Download
memory/1620-269-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/1620-274-0x0000000000870000-0x000000000088A000-memory.dmp

Filesize
104KB

Download
memory/1620-273-0x00000000006E0000-0x00000000006EE000-memory.dmp

Filesize
56KB

Download
memory/1824-304-0x00000000007C0000-0x00000000007D8000-memory.dmp

Filesize
96KB

Download
memory/1824-305-0x0000000000800000-0x000000000081A000-memory.dmp

Filesize
104KB

Download
memory/1824-307-0x0000000002FE0000-0x0000000002FF6000-memory.dmp

Filesize
88KB

Download
memory/1824-308-0x00000000031B0000-0x00000000031C0000-memory.dmp

Filesize
64KB

Download
memory/1824-309-0x00000000031D0000-0x00000000031DE000-memory.dmp

Filesize
56KB

Download
memory/1824-311-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/1824-306-0x0000000002F90000-0x0000000002FD8000-memory.dmp

Filesize
288KB

Download
memory/1824-303-0x0000000000790000-0x000000000079C000-memory.dmp

Filesize
48KB

Download
memory/1968-70-0x0000000010000000-0x0000000010200000-memory.dmp

Filesize
2.0MB

Download
memory/1968-69-0x0000000010000000-0x0000000010200000-memory.dmp

Filesize
2.0MB

Download
memory/1968-115-0x0000000010000000-0x0000000010200000-memory.dmp

Filesize
2.0MB

Download
memory/2000-217-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/2000-232-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/2000-129-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/2112-247-0x0000000000980000-0x0000000000996000-memory.dmp

Filesize
88KB

Download
memory/2112-246-0x00000000030E0000-0x0000000003128000-memory.dmp

Filesize
288KB

Download
memory/2112-250-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2112-245-0x00000000006C0000-0x00000000006CC000-memory.dmp

Filesize
48KB

Download
memory/2112-244-0x00000000006B0000-0x00000000006BE000-memory.dmp

Filesize
56KB

Download
memory/2156-324-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/2156-319-0x0000000000A20000-0x0000000000A30000-memory.dmp

Filesize
64KB

Download
memory/2156-332-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2156-313-0x0000000000720000-0x000000000072C000-memory.dmp

Filesize
48KB

Download
memory/2156-314-0x0000000000770000-0x000000000077C000-memory.dmp

Filesize
48KB

Download
memory/2156-315-0x00000000008C0000-0x00000000008CE000-memory.dmp

Filesize
56KB

Download
memory/2156-316-0x00000000008D0000-0x00000000008E6000-memory.dmp

Filesize
88KB

Download
memory/2156-317-0x00000000031A0000-0x00000000031E8000-memory.dmp

Filesize
288KB

Download
memory/2156-318-0x0000000000A00000-0x0000000000A1A000-memory.dmp

Filesize
104KB

Download
memory/2156-323-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/2168-0-0x0000000140000000-0x000000014032E000-memory.dmp

Filesize
3.2MB

Download
memory/2168-6-0x0000000140000000-0x000000014032E000-memory.dmp

Filesize
3.2MB

Download
memory/2168-14-0x0000000140000000-0x000000014032E000-memory.dmp

Filesize
3.2MB

Download
memory/2168-37-0x0000000140000000-0x000000014032E000-memory.dmp

Filesize
3.2MB

Download
memory/2168-38-0x0000000140000000-0x000000014032E000-memory.dmp

Filesize
3.2MB

Download
memory/2168-39-0x0000000140000000-0x000000014032E000-memory.dmp

Filesize
3.2MB

Download
memory/2168-40-0x0000000140000000-0x000000014032E000-memory.dmp

Filesize
3.2MB

Download
memory/2168-41-0x0000000140000000-0x000000014032E000-memory.dmp

Filesize
3.2MB

Download
memory/2168-57-0x0000000140000000-0x000000014032E000-memory.dmp

Filesize
3.2MB

Download
memory/2168-1-0x0000000140031000-0x0000000140032000-memory.dmp

Filesize
4KB

Download
memory/2168-5-0x0000000140000000-0x000000014032E000-memory.dmp

Filesize
3.2MB

Download
memory/2168-4-0x0000000140000000-0x000000014032E000-memory.dmp

Filesize
3.2MB

Download
memory/2168-229-0x0000000140000000-0x000000014032E000-memory.dmp

Filesize
3.2MB

Download
memory/2168-3-0x00000000029B0000-0x00000000029F8000-memory.dmp

Filesize
288KB

Download
memory/2168-2-0x0000000140000000-0x000000014032E000-memory.dmp

Filesize
3.2MB

Download
memory/2168-13-0x0000000140000000-0x000000014032E000-memory.dmp

Filesize
3.2MB

Download
memory/2168-7-0x0000000140000000-0x000000014032E000-memory.dmp

Filesize
3.2MB

Download
memory/2168-11-0x0000000140000000-0x000000014032E000-memory.dmp

Filesize
3.2MB

Download
memory/2168-12-0x0000000140000000-0x000000014032E000-memory.dmp

Filesize
3.2MB

Download
memory/2260-335-0x000000001C520000-0x000000001C52E000-memory.dmp

Filesize
56KB

Download
memory/2260-334-0x00000000030A0000-0x00000000030B6000-memory.dmp

Filesize
88KB

Download
memory/2260-336-0x000000001C530000-0x000000001C544000-memory.dmp

Filesize
80KB

Download
memory/2260-333-0x0000000003040000-0x000000000304C000-memory.dmp

Filesize
48KB

Download
memory/2340-192-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2340-219-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2368-236-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2368-238-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2544-218-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2544-220-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2636-58-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2636-56-0x0000000010000000-0x00000000101CD000-memory.dmp

Filesize
1.8MB

Download
memory/2636-92-0x0000000010000000-0x00000000101CD000-memory.dmp

Filesize
1.8MB

Download
memory/2700-122-0x0000000140000000-0x0000000140391000-memory.dmp

Filesize
3.6MB

Download
memory/2784-283-0x0000000000840000-0x0000000000856000-memory.dmp

Filesize
88KB

Download
memory/2784-284-0x00000000008A0000-0x00000000008E8000-memory.dmp

Filesize
288KB

Download
memory/2784-277-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2784-285-0x0000000000860000-0x000000000087A000-memory.dmp

Filesize
104KB

Download
memory/2784-302-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2784-282-0x0000000000830000-0x000000000083E000-memory.dmp

Filesize
56KB

Download
memory/2784-281-0x0000000000820000-0x000000000082C000-memory.dmp

Filesize
48KB

Download
memory/2784-280-0x00000000005A0000-0x00000000005B8000-memory.dmp

Filesize
96KB

Download
memory/2784-293-0x0000000003210000-0x0000000003228000-memory.dmp

Filesize
96KB

Download
memory/2784-294-0x0000000003210000-0x0000000003228000-memory.dmp

Filesize
96KB

Download
memory/2784-286-0x00000000008F0000-0x000000000090E000-memory.dmp

Filesize
120KB

Download
memory/2844-196-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2844-187-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2844-82-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2844-90-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/3044-255-0x0000000003160000-0x0000000003176000-memory.dmp

Filesize
88KB

Download
memory/3044-252-0x0000000002F30000-0x0000000002F3E000-memory.dmp

Filesize
56KB

Download
memory/3044-249-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/3044-270-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/3044-254-0x0000000003110000-0x0000000003158000-memory.dmp

Filesize
288KB

Download
memory/3044-253-0x0000000003100000-0x000000000310C000-memory.dmp

Filesize
48KB

Download
memory/3044-259-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/3044-260-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download