9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770ca

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
Size

1.5MB
MD5

daaa34aa7621215daff4bfd9469393f0
SHA1

95ce11718cc2ae82917b3175ed601804e56d52cd
SHA256

9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770ca
SHA512

8451ddc90d70619db134b46c1d95814be3d0f2573018c3faa4691c4f20b419bad9f8387d3ef173e8f81b085e4c0eb742f672056ae13e1cdb8c39d2b60ee50b3e
SSDEEP

24576:wDpO8P02DQpC/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:H8P0BYLNiXicJFFRGNzj3

Score

7^/10

discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

pid	Process
460	Process not Found
2916	alg.exe
2020	aspnet_state.exe
2480	mscorsvw.exe
2800	mscorsvw.exe
2444	mscorsvw.exe
1040	mscorsvw.exe
1832	ehRecvr.exe
840	ehsched.exe
520	elevation_service.exe
972	IEEtwCollector.exe
856	GROOVE.EXE
1420	maintenanceservice.exe
1656	msdtc.exe
1768	msiexec.exe
1748	mscorsvw.exe
1616	mscorsvw.exe
3060	OSE.EXE
940	perfhost.exe
1692	mscorsvw.exe
1660	locator.exe
2600	snmptrap.exe
1644	vds.exe
2468	vssvc.exe
112	wbengine.exe
2624	WmiApSrv.exe
1128	wmpnetwk.exe
2420	SearchIndexer.exe
1736	mscorsvw.exe
1600	mscorsvw.exe
944	mscorsvw.exe
2324	mscorsvw.exe
2820	mscorsvw.exe
2116	mscorsvw.exe
2252	mscorsvw.exe
2516	mscorsvw.exe
1788	mscorsvw.exe
1564	mscorsvw.exe
2320	mscorsvw.exe
2872	mscorsvw.exe
1508	mscorsvw.exe
2264	mscorsvw.exe
2132	mscorsvw.exe
1564	mscorsvw.exe
1600	mscorsvw.exe
2872	mscorsvw.exe
1508	mscorsvw.exe
2204	mscorsvw.exe
1924	mscorsvw.exe
1468	mscorsvw.exe
1348	mscorsvw.exe
2872	mscorsvw.exe
2608	mscorsvw.exe
2184	mscorsvw.exe
1304	mscorsvw.exe
2912	mscorsvw.exe
2480	mscorsvw.exe
1088	mscorsvw.exe
2612	mscorsvw.exe
2052	mscorsvw.exe
2044	mscorsvw.exe
1348	mscorsvw.exe
912	mscorsvw.exe
2100	mscorsvw.exe

Loads dropped DLL 32 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
1768	msiexec.exe
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
748	Process not Found
1304	mscorsvw.exe
1304	mscorsvw.exe
2480	mscorsvw.exe
2480	mscorsvw.exe
2612	mscorsvw.exe
2612	mscorsvw.exe
2044	mscorsvw.exe
2044	mscorsvw.exe
912	mscorsvw.exe
912	mscorsvw.exe
2416	mscorsvw.exe
2416	mscorsvw.exe
2384	mscorsvw.exe
2384	mscorsvw.exe
1924	mscorsvw.exe
1924	mscorsvw.exe
2508	mscorsvw.exe
2508	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\edc912025f6c6349.bin	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\msiexec.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\locator.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\vssvc.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\System32\alg.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\dllhost.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\wbengine.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\vds.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP60D5.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6642.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP63E1.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Tasks\McAfee Cleanup.job	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP68C1.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5C91.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5A21.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP56A8.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mstsc.exe,-4000 = "Remote Desktop Connection"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wucltux.dll,-1 = "Windows Update"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-202 = "Schedule computer tasks to run automatically."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\syncCenter.dll,-3001 = "Sync files between your computer and network folders"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10310 = "The aim of the game in Spider Solitaire is to remove cards from play in the fewest moves possible. Line up runs of cards from king through ace, in the same suit, to remove them."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mycomput.dll,-300 = "Computer Management"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msinfo32.exe,-100 = "System Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32822 = "Everywhere"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0187cb3873adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msconfig.exe,-126 = "System Configuration"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505 = "Sticky Notes"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mblctr.exe,-1004 = "Opens the Windows Mobility Center so you can adjust display brightness, volume, power options, and other mobile PC settings."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\Explorer.exe,-312 = "Play and manage games on your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\ehome\ehres.dll,-116 = "Opens your home entertainment option for digital and on-demand media, including TV, movies, music and pictures."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591 = "Windows Easy Transfer Reports"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\DVD Maker\DVDMaker.exe,-63385 = "Burn pictures and video to DVD."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\syswow64\unregmp2.exe,-155 = "Play digital media including music, videos, CDs, and DVDs."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000e0d95bb4873adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32820 = "Indexed Locations"	SearchProtocolHost.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript.dll"	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "jscript.dll"	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32\ = "C:\\Windows\\SysWow64\\vbscript.dll"	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32\ = "vbscript.dll"	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16d51579-a30b-4c8b-a276-0ff4dc41e755}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript9.dll"	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{16d51579-a30b-4c8b-a276-0ff4dc41e755}\InprocServer32\ = "jscript9.dll"	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1004	ehRec.exe
2020	aspnet_state.exe
2020	aspnet_state.exe
2020	aspnet_state.exe
2020	aspnet_state.exe
2020	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2116	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: 33	3008	EhTray.exe
Token: SeIncBasePriorityPrivilege	3008	EhTray.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeDebugPrivilege	1004	ehRec.exe
Token: SeRestorePrivilege	1768	msiexec.exe
Token: SeTakeOwnershipPrivilege	1768	msiexec.exe
Token: SeSecurityPrivilege	1768	msiexec.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeBackupPrivilege	2468	vssvc.exe
Token: SeRestorePrivilege	2468	vssvc.exe
Token: SeAuditPrivilege	2468	vssvc.exe
Token: SeBackupPrivilege	112	wbengine.exe
Token: SeRestorePrivilege	112	wbengine.exe
Token: SeSecurityPrivilege	112	wbengine.exe
Token: SeTakeOwnershipPrivilege	1788	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
Token: SeRestorePrivilege	1788	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
Token: 33	3008	EhTray.exe
Token: SeIncBasePriorityPrivilege	3008	EhTray.exe
Token: SeManageVolumePrivilege	2420	SearchIndexer.exe
Token: 33	2420	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2420	SearchIndexer.exe
Token: 33	1128	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1128	wmpnetwk.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeDebugPrivilege	2020	aspnet_state.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeDebugPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	1040	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3008	EhTray.exe
3008	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3008	EhTray.exe
3008	EhTray.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
2176	SearchProtocolHost.exe
2176	SearchProtocolHost.exe
2176	SearchProtocolHost.exe
2176	SearchProtocolHost.exe
2176	SearchProtocolHost.exe
2532	SearchProtocolHost.exe
2532	SearchProtocolHost.exe
2532	SearchProtocolHost.exe
2532	SearchProtocolHost.exe
2532	SearchProtocolHost.exe
2532	SearchProtocolHost.exe
2532	SearchProtocolHost.exe
2532	SearchProtocolHost.exe
2532	SearchProtocolHost.exe
2532	SearchProtocolHost.exe
2532	SearchProtocolHost.exe
2532	SearchProtocolHost.exe
2532	SearchProtocolHost.exe
2532	SearchProtocolHost.exe
2532	SearchProtocolHost.exe
2176	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 1748	1040	mscorsvw.exe	47
PID 1040 wrote to memory of 1748	1040	mscorsvw.exe	47
PID 1040 wrote to memory of 1748	1040	mscorsvw.exe	47
PID 1040 wrote to memory of 1616	1040	mscorsvw.exe	48
PID 1040 wrote to memory of 1616	1040	mscorsvw.exe	48
PID 1040 wrote to memory of 1616	1040	mscorsvw.exe	48
PID 2444 wrote to memory of 1692	2444	mscorsvw.exe	51
PID 2444 wrote to memory of 1692	2444	mscorsvw.exe	51
PID 2444 wrote to memory of 1692	2444	mscorsvw.exe	51
PID 2444 wrote to memory of 1692	2444	mscorsvw.exe	51
PID 2404 wrote to memory of 1788	2404	taskeng.exe	73
PID 2404 wrote to memory of 1788	2404	taskeng.exe	73
PID 2404 wrote to memory of 1788	2404	taskeng.exe	73
PID 2404 wrote to memory of 1788	2404	taskeng.exe	73
PID 2444 wrote to memory of 1736	2444	mscorsvw.exe	63
PID 2444 wrote to memory of 1736	2444	mscorsvw.exe	63
PID 2444 wrote to memory of 1736	2444	mscorsvw.exe	63
PID 2444 wrote to memory of 1736	2444	mscorsvw.exe	63
PID 2444 wrote to memory of 1600	2444	mscorsvw.exe	82
PID 2444 wrote to memory of 1600	2444	mscorsvw.exe	82
PID 2444 wrote to memory of 1600	2444	mscorsvw.exe	82
PID 2444 wrote to memory of 1600	2444	mscorsvw.exe	82
PID 2420 wrote to memory of 2176	2420	SearchIndexer.exe	64
PID 2420 wrote to memory of 2176	2420	SearchIndexer.exe	64
PID 2420 wrote to memory of 2176	2420	SearchIndexer.exe	64
PID 2420 wrote to memory of 1236	2420	SearchIndexer.exe	66
PID 2420 wrote to memory of 1236	2420	SearchIndexer.exe	66
PID 2420 wrote to memory of 1236	2420	SearchIndexer.exe	66
PID 2444 wrote to memory of 944	2444	mscorsvw.exe	67
PID 2444 wrote to memory of 944	2444	mscorsvw.exe	67
PID 2444 wrote to memory of 944	2444	mscorsvw.exe	67
PID 2444 wrote to memory of 944	2444	mscorsvw.exe	67
PID 2444 wrote to memory of 2324	2444	mscorsvw.exe	68
PID 2444 wrote to memory of 2324	2444	mscorsvw.exe	68
PID 2444 wrote to memory of 2324	2444	mscorsvw.exe	68
PID 2444 wrote to memory of 2324	2444	mscorsvw.exe	68
PID 2444 wrote to memory of 2820	2444	mscorsvw.exe	69
PID 2444 wrote to memory of 2820	2444	mscorsvw.exe	69
PID 2444 wrote to memory of 2820	2444	mscorsvw.exe	69
PID 2444 wrote to memory of 2820	2444	mscorsvw.exe	69
PID 2444 wrote to memory of 2116	2444	mscorsvw.exe	70
PID 2444 wrote to memory of 2116	2444	mscorsvw.exe	70
PID 2444 wrote to memory of 2116	2444	mscorsvw.exe	70
PID 2444 wrote to memory of 2116	2444	mscorsvw.exe	70
PID 2444 wrote to memory of 2252	2444	mscorsvw.exe	71
PID 2444 wrote to memory of 2252	2444	mscorsvw.exe	71
PID 2444 wrote to memory of 2252	2444	mscorsvw.exe	71
PID 2444 wrote to memory of 2252	2444	mscorsvw.exe	71
PID 2444 wrote to memory of 2516	2444	mscorsvw.exe	72
PID 2444 wrote to memory of 2516	2444	mscorsvw.exe	72
PID 2444 wrote to memory of 2516	2444	mscorsvw.exe	72
PID 2444 wrote to memory of 2516	2444	mscorsvw.exe	72
PID 2444 wrote to memory of 1788	2444	mscorsvw.exe	73
PID 2444 wrote to memory of 1788	2444	mscorsvw.exe	73
PID 2444 wrote to memory of 1788	2444	mscorsvw.exe	73
PID 2444 wrote to memory of 1788	2444	mscorsvw.exe	73
PID 2420 wrote to memory of 2532	2420	SearchIndexer.exe	74
PID 2420 wrote to memory of 2532	2420	SearchIndexer.exe	74
PID 2420 wrote to memory of 2532	2420	SearchIndexer.exe	74
PID 2444 wrote to memory of 1564	2444	mscorsvw.exe	81
PID 2444 wrote to memory of 1564	2444	mscorsvw.exe	81
PID 2444 wrote to memory of 1564	2444	mscorsvw.exe	81
PID 2444 wrote to memory of 1564	2444	mscorsvw.exe	81
PID 2444 wrote to memory of 2320	2444	mscorsvw.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
"C:\Users\Admin\AppData\Local\Temp\9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2916

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2480

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 250 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 24c -NGENProcess 1f0 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 1e0 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 240 -NGENProcess 24c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 258 -NGENProcess 1d8 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 268 -NGENProcess 1d4 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 270 -NGENProcess 24c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 1e0 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1d4 -NGENProcess 250 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1d4 -NGENProcess 278 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 24c -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 280 -NGENProcess 270 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 278 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 250 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 270 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 278 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 278 -NGENProcess 284 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 24c -NGENProcess 294 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 29c -NGENProcess 28c -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 284 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 294 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2ac -NGENProcess 28c -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1468

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 20c -NGENProcess 1e4 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 25c -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 24c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 1e4 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 244 -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1304
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 264 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 274 -NGENProcess 244 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2480
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 244 -NGENProcess 268 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 27c -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 264 -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 268 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 28c -NGENProcess 274 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 274 -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 294 -NGENProcess 27c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 27c -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:3020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 29c -NGENProcess 284 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2384
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 284 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a4 -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 284 -NGENProcess 2a0 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:1620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 24c -NGENProcess 2a8 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 2a8 -NGENProcess 2a4 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:928

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1832

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:840

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3008

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:520

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:972

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:856

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1420

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1656

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3060

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:940

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1660

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2600

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1644

C:\Windows\system32\taskeng.exe
taskeng.exe {106036DC-2C28-4D63-92FF-55866189B456} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
  C:\Users\Admin\AppData\Local\Temp\9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe -s -uipipe McAfeeCleanupUIMessagePipe7283
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:1788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2624

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2176
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:1236
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
75a338c243c2f41e74ff2781d8e0a908

SHA1
a558c1d3faab29953b60b80734f0efa3d02ef3f7

SHA256
65610f939aa44b70ee85bd667c91c601cf028a6368ae7cf7bef79cd55247470c

SHA512
ce7dfb0ccb969f56e55f31b17245c77074bbb379b84df72b91101165d5b9b3ce85017792e893df4dbdb0361bec0d104892db0927ea3b66699df2c5f5022ca473

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
79c6c99939dc9aea2be6da75b1c0f5ed

SHA1
f982fdefb12373ebdc09ab20a38ef39b919b71a0

SHA256
c7a5332ead247993d2c00b94740a50bf69cb2f067d3734f51e1b2cd0f057ff1a

SHA512
f76f7f9b758cf854322d549854eede42eb064ca29a539c7c4bd022d954decce690204d37ee1466e5fbe7e239c8145b40201ca8f0e0509b84d1c318c184fe66c7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c4c7e09bb3ed93adca5e414edf2f67f0

SHA1
c735bef3c01b6b4af1bff8f795d58ad4b14da9cd

SHA256
4612bb2f05a50ddcadd3bd0c5941bf0f173efede131b0f45d4a38ca1deec0170

SHA512
1df157956be74dbdfe2b89ec9c66391a537d7ee897ea81e52cc7cd65f2794e18609c59fb4ec8a4feca286df7924c9c1d0c4a74ad3a84b89013a1eaacfb35413a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
847037a7f034b785a6668bc14e641aa8

SHA1
0fd0c0a73a67f4a901ad7f20fb64a27416d943f4

SHA256
4ef6376fbc05565f5a9e247c5f53edca348abb5a7d75b9f10e296bf0babb6978

SHA512
8eda51a601a671db82cb413a507f1d17caabb57ab43a466a21f4e9a5a6042e6306d1cfaee51706583dc92ace7ff3cee4b619a62d0016f39c328cc992ceadf381

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
51da34a4f22540e7676f7e66bbb3d544

SHA1
963a8594079797affc9f8761097d2923fbdaaa79

SHA256
9f28ece875b6bbe68f45aa53fc6d82f4891ba8112988e67c9d09c564ff6fced6

SHA512
33cc454adcbf59703a93e68a0523ff49a6e5dea120cfb16f4e5b74417b0bff426e8cf6c6adca7cc92c2a7f65ce626e7eece84b8f3f5c4199afce2a7a6c6f524f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mccleanup.log

Filesize
544B

MD5
c6d5591e4ad1cb01f33551b7dd6b1c5d

SHA1
df2ebbc6c3e9e8d9f4deaaf5e285222aaea6a174

SHA256
dec5da8c3089ae0b93630fc7e914ea205e82d1e4999f618cb7271109b224638c

SHA512
b315e39f5f60fc66a4cd4e3ffcb55e4ab92d2d886873f234fc7ed7a58cd63059782ff7e079f0165d82263defc2b72da74096c1a55ab1e0f19714139aa72f7e5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
928330ee7dcc99ea815e9b653d863c1a

SHA1
89b706995ab4c8dad7b1c1ba89e9eb4af146740a

SHA256
6da97296cca19b2d90e9eed4dc47c2bac1eab9fd1a1e6033c939c999e7859ed1

SHA512
3e85d73bbb5f09c62643cae2d4c33e0996d3ac875ba942e5c0d632f7f2947939e36c8e27b7539d40796bd7dde185501124dacaab1cf19d04f132702dbd058873

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
b29cb5f6d6d8e30812979a08c8ba2076

SHA1
79a9177ce93cc95a742d369849baffa3cf47968a

SHA256
8876624474972f802f3a8f81294e14aaca8f8a5115d79f726c20b280c4804800

SHA512
2998407e722299e19088fa604f1705287877e4558b6e85cb01cacd57ec38b67af35f366d7e739bf3aeffc19244fd4852d895f6a27f774c82a305289f3093b2d1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5aed3c248ddaacb743f301979176575d

SHA1
4593a47820cadfac0f95fb534a3d4395c8ffc54a

SHA256
e34a4db1ab4a02ce327ab7ab48bdca2b599dccb8add8f56d7a8851dd890e78db

SHA512
7318d03caca745fb0edb82f85c6e154d08a8a93e4f7ff3862a0227cc6d8cc5234f9fca3528c6b4b22c20c26b414acd050137018aa7b98f19f3125e490bfaa743

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
a4261da96d333faf604901847336563a

SHA1
c6c1689b648247265fd3f4d81e4c11e28662b465

SHA256
62333a70982e5175f5666433697fa0393365e1c611bf9f7d68814d116cd60a79

SHA512
f6c609c4c9794f753e9f1f71f9d725b2d0fbd521d07e5a4d2a1117d121ebc3bda56ab6341111faf59f4a97a3e525c48620470bb7554368408399fac0292d571e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
47ad63b03542dc43bf979db55fe11fdc

SHA1
0d360d2112220c30132dc423af01ae1f672aa9d4

SHA256
ef896148af1967477b57ee8e74fd085b5b52fdcbbc73febcaccb9527efbda5a4

SHA512
82664f2e6c9f55c590842799a1abbffb0c434d22761bbe48d9bce5bd65c19a8207f2e6200fdf2449e2dd63a552d568103e698985680c5f7af93ff65409754bc1

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
a2e2d4a110edb762ba27a3ce9d9694b4

SHA1
79040ee8948156e14ec6a8c8f83788637fc66939

SHA256
9e23965c939371c7312d7fa7f66d98dbfa1796a43bd3c5bf3e2f743013998f1f

SHA512
33f8fc620e99fe947c2930a1d5f8657d697eced5e38a120f56cc5bd014764b7bc38268ed7533d1036dd89609350dc9020ce99b11ed3e6503a6eb6f86a0fe38f2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
70720eebd453e8321182b71dbb3919b8

SHA1
d79cf66a4885e90c6fbd29595c680b3428c55b71

SHA256
ce1f4a66dedfc110d60d5774e9f690a62fcb39f67f7773d5af14725b7d8216ce

SHA512
c665291a17985e633067ae41f6756862002c1c2dc390fe3d59dabe28526a6a91a46a6972d286dac20aba3a5880fa2672d4ea23a61616a94b881fc482fb5e8a61

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
6ca2071ca75d2a45b942915701621df9

SHA1
293d2ab043c40c62577343370da0b1871c0457a5

SHA256
60bc791e9105d8f81b56a7e7bea5a3671ebd29cb229db61ecaed22ef6cb0742e

SHA512
e23cd1cc72121d712df2bd1e4d74b81887b79ecdd5fe945023149577e91fce99280ffbfbe8690de9b3d7eb4bdc17d2ad9b70316b56660ca6a1975b3f20683e76

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
fc8a4d2f932084ae3daa48f015cf4c0e

SHA1
147a216a0a872f01a9df6c25044a7a9050ffb951

SHA256
ac98b70a6b277e564ad82eaef1a19ed84fbb20c968faf28d01ce9d0aace99169

SHA512
dd0ee547125b3e908be7ce9da7db85fb8f473b2e37446644bb351495b67536e64a7deb1aeb56f063fd0b1b7be1c8d41adda780bffe2b08ef4cb32b796a936f06

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
2a2ba0cb4116ca230964357b4deb6d02

SHA1
cb888236782c43a059560804b39210a0cd4d9b40

SHA256
737bf5d3f3b97c5cd52edf240352c96d21af48e0757509fa57e698de26531a29

SHA512
a2e607cd4535fdc1527d1bf71275d519d65b9474c5762b6a752d298dd8c01d32af8e14f66b1a53644e62c6b5871055708f7913ad221e978debe165e01c2b9cf7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
7a76d029dcd9adb3e3cb77788b97a858

SHA1
38c8e0a8fe1df3909de6377cc5b2d7973c54d60b

SHA256
da8e71a44386c13a9f62eba7dd2847938073fbb9a149f546102ef87f5896fbd4

SHA512
2417aa82eb82271129eadbe438de4a00285c9682c6f2c29611ea3d87abd2d5b29d278a79e8cc9a95d08faabb06a8451a46cafa44f9d12c69e04ce9df3307978c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
ba8c906d75abd9dcb0cd4c2a6c66349b

SHA1
63829ad77186d187e3ca0ff489d58fd9b872e984

SHA256
ff00bccf60b7404f4e1075839305bf40783f199bc8de494199eb1164b9a89430

SHA512
1d77ad310a860d44d821bbc6e1cba98f282abc360cc3d1a8ddb34d545976fab25cc803ab92a012d7488bf23b47ea0897b07464393459bbb8fcd6462e5048b5b7

Download Submit
C:\Windows\Tasks\McAfee Cleanup.job

Filesize
400B

MD5
8df883d9d0e28682775c65d088cf860b

SHA1
36d220e9279fe77a11656de96ee0e4cd951de41d

SHA256
ba6005a111977551ae26d09e630b2e0ef2b0b1e965b9fe0338752885d1ee9e99

SHA512
86efcd2d2d38959fcd2f74de4e8dfbe5ecfb9238fa4731a6ee090d8d48d5eaf77d14d7814562fa5564e95b4fc19df916329ec78c47ff2d7dbb082ed9ca81277f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
2564104fd0eb81421b74859913c9deec

SHA1
5bf432d2fe2d9d5517fa0178867ce8dc75b45562

SHA256
42ab21bbbdc71e942f90cfb6c51d44c5bde38f7d29c494f3a7af43b67b63cca8

SHA512
77627593e1c43f5a7e17b4d7a1ff3c8cebcb6575a9db45c7af9405c41598cfbe6b0cb1777f88fb5036b489e7b2c6841fe2a117b913279d99c1c5e707f189cf83

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
b65db293135e08ac226f22ad66c96597

SHA1
512e5ce315871866a239aaee287770b231ccc168

SHA256
264a4afd38481af62115930b9be0286d8b107faeb94bd377c8fa76e63589a1ab

SHA512
1d242530ff1c56ae183aeafe51983bac4df4e87d6bffa6e5389bedf9017481a1aadd62ed8489eaa0a5ccbbd0caaa809c697d52d237c3ad028459304ec12c2ce8

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
3d680653ddc68dadd4c1e8a621be84a0

SHA1
38bee2616f49554ec43f0c1e60d5f84f62a2ab40

SHA256
033fe866f2d4f03a5756cd3d7810a7c14ac24a6055d68e58db20a8877a925e9e

SHA512
c6e1b9ab74bb00dfa7fccddcbdc4853019a716846eb5e03f1b4a913c3495d0e029f622eda9d320fd96eee038668fd53158155f6c7341cda7dae9471c58c1a8f6

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
796e1fa5d574e8461d17ad923d0e7e6f

SHA1
f631badbd3f39bcc13841bf4ab8106de0b849cfc

SHA256
ef708e02b66a47a4d1f68753aa23f6f22106b8d1ca3f3c7eadb4937890944d76

SHA512
bb73b0d6148d42d5ea451d5e31de092c71b227fb714462ae89d3a8de7b79a9b51dc8e834d2c926c9043f0acfedf0c5a5bd9fd54562a1cf04d048b2da27258c35

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
eb7d255d5b9d84ea9ed757387c723dfc

SHA1
6de9f77cc0b81add0810a076a1ddf0dcddf15f4a

SHA256
0df6af7572dd791352ed6f89a56ad3c73dc3dd71dd3963bd540d37021aa7bd2d

SHA512
2a5cec2039c399f03deae1b51d25b26f7c7da488877eeb83b521b526dbb5212d203cc68a8184499f5be304f155e1a72466c80510aab1b7ec4b325e3bde1b9efc

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
82241da8fa1e58ed8f218c18428f6292

SHA1
a8f2359cd22a37048eaea378aa526de5c39b93ec

SHA256
05e84960055562ac514197eb281bf5aacd25bad9b8a2f1d7cd452b505975621c

SHA512
b3b4f4e9fc09ed5ed93e41a3c4e765f3f9bc06f07413321f0d61a9d99fc867949d872c86142e253c3e3afcf1bf36b0a6c0b4ab821a42c7b934cb805e12d01917

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
ae3a7a61fa80747754672831f154d75e

SHA1
834710d912fe3ab7a8fb21777cc7fb026e4cea4e

SHA256
5ea83dd29a9747c5e0135598e5fcfaec0dcb39b1a8357f518081470790da2977

SHA512
2dd2e935a25a997d0d1ff26c53a8e5598593a9c84b22dc3fb9269369640fda6343a379b290a6ce88b85c7a9e114e0b2b6817e5786de99adac51831e82df0c5cd

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
acd4cded4785c3fdc961aeba2ce072d4

SHA1
5a1b8b03142f4a4dc05fe49f4f533f3881dac2e1

SHA256
8fcee5e54ad2a4275d024834f4cd9b0ef4ef3061c3ba7acad63dd00d15509ef2

SHA512
a7b443f2d497483733cc890a8c085392cdc4724107ec6e3b0eade4865f2e40abf090bf45f9dd5e5885c6bc829f6882bbc6efe1d0360c52751c134b89fa5204f9

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
cff029a673049a045e814165ed86962b

SHA1
f44d90fe7fd7d9bc8cc5401246c287ae7d3ae5f2

SHA256
3907a2877f71269a2157926a90025a0690b31082e65a24da6afc6e8ff9b81032

SHA512
5b80982e139ced78d8aff7eb7f4acc19fd0c485e2023c34ddd6b0458e65a24b6443bd4f1d31b6c16e7c91efce59b621749a7bd50b41f975df402d0f6a31ec54b

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
df67cc848be2cd6d7f2410dfbf4314df

SHA1
5805de47b5dd2bf32a4ebc32526521a9a4486af6

SHA256
71cf1f38f915faf58bb8b444825c7447aaa0918be71c33824cb84d7f0666d8ea

SHA512
61386983e884771d057bc4c4df19c235f7ebf4de3575999cf03f0d178dc245377080ac8a85a1654d336a079634cbe14309e5a126c570719ee74d742716bba855

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
ecd0504229c9d9acaa580316a9ded5b8

SHA1
0f816f49c8c927b697c9fbfacd741cbb230f8c49

SHA256
c502b08390afebe0707b2ba55cddadc328d7aa509606f52dfb63b22b44d8ab9e

SHA512
017319b81b03db8a43382bedbe6fdb23d967d9972e834f7a1af4cc93f3d5fa51e109cfe3873854a227efeffeb84c01faf9bf0d576a562f9d30b5fbf720e29405

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
c02e194f30cd4c244cd08a2077720bc8

SHA1
dca40bd4af6ca5cf5831171469cbf0733b90fdc0

SHA256
392b7a4a2a66204b1fb97f45ffe0dcfa3b08dfe7dfa449fa49482f5da2a7c857

SHA512
d1c62dc6f7df80995335cd14e4d3759430ff2e099ff31e0c8c06462ab2c5d1b74849aa84e11aa1cf5a73f2bd924f7ef254ee257c5672b32c12f8fae65854a855

Download Submit
memory/112-253-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/112-412-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/520-114-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/520-117-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/520-183-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/520-108-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/840-175-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/840-104-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/840-778-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/840-100-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/856-125-0x0000000000500000-0x0000000000566000-memory.dmp

Filesize
408KB

Download
memory/856-130-0x0000000000500000-0x0000000000566000-memory.dmp

Filesize
408KB

Download
memory/856-143-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/856-198-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/940-261-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/940-221-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/944-484-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/944-495-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/972-540-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/972-192-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/972-122-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1040-62-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/1040-70-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1040-68-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/1040-159-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1128-275-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1128-483-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1304-956-0x000000001ADD0000-0x000000001ADDE000-memory.dmp

Filesize
56KB

Download
memory/1304-952-0x000000001ACB0000-0x000000001ACBC000-memory.dmp

Filesize
48KB

Download
memory/1304-954-0x000000001AD10000-0x000000001AD26000-memory.dmp

Filesize
88KB

Download
memory/1304-957-0x000000001ADD0000-0x000000001ADDE000-memory.dmp

Filesize
56KB

Download
memory/1304-953-0x000000001ACC0000-0x000000001AD08000-memory.dmp

Filesize
288KB

Download
memory/1304-951-0x0000000001980000-0x000000000198E000-memory.dmp

Filesize
56KB

Download
memory/1420-147-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1420-140-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1420-151-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1600-442-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1600-488-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1616-187-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1616-206-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1644-305-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/1644-238-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/1656-209-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1656-148-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1660-229-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1660-278-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1692-262-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1692-222-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1692-416-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1736-427-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1736-418-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1748-190-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1748-166-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1768-210-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/1768-160-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/1768-162-0x0000000000670000-0x0000000000879000-memory.dmp

Filesize
2.0MB

Download
memory/1768-223-0x0000000000670000-0x0000000000879000-memory.dmp

Filesize
2.0MB

Download
memory/1788-298-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/1832-82-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1832-102-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1832-812-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1832-103-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1832-89-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1832-165-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1832-83-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2020-17-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2020-26-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2020-121-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2020-18-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2116-81-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/2116-562-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2116-0-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/2116-1-0x0000000000630000-0x0000000000696000-memory.dmp

Filesize
408KB

Download
memory/2116-8-0x0000000000630000-0x0000000000696000-memory.dmp

Filesize
408KB

Download
memory/2116-307-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/2184-936-0x0000000001860000-0x000000000186E000-memory.dmp

Filesize
56KB

Download
memory/2184-939-0x000000001AD10000-0x000000001AD26000-memory.dmp

Filesize
88KB

Download
memory/2184-938-0x000000001ACC0000-0x000000001AD08000-memory.dmp

Filesize
288KB

Download
memory/2184-937-0x000000001ACA0000-0x000000001ACAC000-memory.dmp

Filesize
48KB

Download
memory/2264-664-0x0000000003D30000-0x0000000003DEA000-memory.dmp

Filesize
744KB

Download
memory/2324-538-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2324-497-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2420-283-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2420-525-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2444-52-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/2444-46-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2444-153-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2444-47-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/2468-320-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2468-241-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2480-57-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/2480-30-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/2480-990-0x000000001AA70000-0x000000001AA88000-memory.dmp

Filesize
96KB

Download
memory/2480-991-0x000000001ADE0000-0x000000001ADEE000-memory.dmp

Filesize
56KB

Download
memory/2480-992-0x000000001ADF0000-0x000000001AE06000-memory.dmp

Filesize
88KB

Download
memory/2480-993-0x000000001AE10000-0x000000001AE58000-memory.dmp

Filesize
288KB

Download
memory/2600-232-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2600-282-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2624-260-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2624-443-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2800-77-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/2800-39-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/2820-535-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2820-551-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2912-976-0x0000000001960000-0x000000000196E000-memory.dmp

Filesize
56KB

Download
memory/2912-975-0x0000000001910000-0x0000000001928000-memory.dmp

Filesize
96KB

Download
memory/2912-977-0x00000000019B0000-0x00000000019CA000-memory.dmp

Filesize
104KB

Download
memory/2912-978-0x00000000019D0000-0x00000000019EE000-memory.dmp

Filesize
120KB

Download
memory/2916-13-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2916-116-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/3060-237-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/3060-199-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download