76082ff45cc7055692bd65c79ebe843ad9a150b0366cb03b4011356bba0ffd9e

Analysis

max time kernel
131s
max time network
151s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
Size

1.3MB
MD5

ad0a9b000501c5fefbf4339122a8c819
SHA1

0ee681e181cba463d7d0567885312df82cd906e5
SHA256

57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20
SHA512

eaa348696ed72eede5b91b61a9120f31887901c6806a530f4157a2370065f1ec4fc87c0f57552806b0042fbc21d36dab31642e1dcfb876a1c05909941cb54d1b
SSDEEP

12288:+cFUPnBfJ4yb+QdIKYKNCJKHZDgdVw8XkLavV2Q9yW+GGYT7S/:+cFUPBfJ4yL/tNCJPXUQrPc

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2868	alg.exe
2960	aspnet_state.exe
2764	mscorsvw.exe
2812	mscorsvw.exe
1640	mscorsvw.exe
2096	mscorsvw.exe
2076	ehRecvr.exe
2308	ehsched.exe
1816	elevation_service.exe
2368	IEEtwCollector.exe
932	GROOVE.EXE
952	maintenanceservice.exe
2408	msdtc.exe
884	msiexec.exe
2240	OSE.EXE
2756	perfhost.exe
2736	locator.exe
2740	snmptrap.exe
2860	vds.exe
752	vssvc.exe
1892	wbengine.exe
2288	WmiApSrv.exe
2064	wmpnetwk.exe
2824	SearchIndexer.exe
1680	mscorsvw.exe
1112	mscorsvw.exe
2848	mscorsvw.exe
2644	mscorsvw.exe
2652	mscorsvw.exe
1680	mscorsvw.exe
1676	mscorsvw.exe
956	mscorsvw.exe
1704	mscorsvw.exe
1312	mscorsvw.exe
2172	mscorsvw.exe
1148	mscorsvw.exe
1680	mscorsvw.exe
1288	mscorsvw.exe
1696	mscorsvw.exe
1356	mscorsvw.exe
2396	mscorsvw.exe
2668	mscorsvw.exe
2964	mscorsvw.exe
2452	mscorsvw.exe
1364	mscorsvw.exe
1704	mscorsvw.exe
2516	mscorsvw.exe
2836	mscorsvw.exe
2220	mscorsvw.exe
2228	mscorsvw.exe
2492	mscorsvw.exe
1656	mscorsvw.exe
788	mscorsvw.exe
1916	mscorsvw.exe
2828	mscorsvw.exe
2100	mscorsvw.exe
2652	mscorsvw.exe
1136	mscorsvw.exe
676	mscorsvw.exe
936	mscorsvw.exe
2564	mscorsvw.exe
2260	mscorsvw.exe
3048	mscorsvw.exe

Loads dropped DLL 50 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
884	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
768	Process not Found
1916	mscorsvw.exe
1916	mscorsvw.exe
2100	mscorsvw.exe
2100	mscorsvw.exe
1136	mscorsvw.exe
1136	mscorsvw.exe
936	mscorsvw.exe
936	mscorsvw.exe
2260	mscorsvw.exe
2260	mscorsvw.exe
2052	mscorsvw.exe
2052	mscorsvw.exe
876	mscorsvw.exe
876	mscorsvw.exe
2324	mscorsvw.exe
2324	mscorsvw.exe
1004	mscorsvw.exe
1004	mscorsvw.exe
1712	mscorsvw.exe
1712	mscorsvw.exe
236	mscorsvw.exe
236	mscorsvw.exe
2100	mscorsvw.exe
2100	mscorsvw.exe
108	mscorsvw.exe
108	mscorsvw.exe
2504	mscorsvw.exe
2504	mscorsvw.exe
2368	mscorsvw.exe
2368	mscorsvw.exe
2904	mscorsvw.exe
2904	mscorsvw.exe
1904	mscorsvw.exe
1904	mscorsvw.exe
2940	mscorsvw.exe
2940	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\alg.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\msiexec.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\dllhost.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\vssvc.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8b9f5cb75f6c6349.bin	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\snmptrap.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\System32\vds.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\wbengine.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C3A4D3BC-D67A-4D2A-B0ED-B4E62D27E02C}\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7FE9.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7465.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9F0D.tmp\ehiVidCtl.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA0C2.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7DF6.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7253.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP82C7.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP85B3.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10300 = "Play the classic strategy game of Checkers against online opponents. Be the first to capture all your opponent’s pieces, or leave them with no more moves, to win the game."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10303 = "Enjoy the classic strategy game of Chess. Play against the computer, or compete against a friend. The winner is the first to capture the opponent’s king."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\OobeFldr.dll,-33056 = "Getting Started"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\DVD Maker\DVDMaker.exe,-61403 = "Windows DVD Maker"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehdrop.dll,-152 = "Microsoft Recorded TV Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\dfrgui.exe,-172 = "Defragments your disks so that your computer runs faster and more efficiently."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32822 = "Everywhere"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10055 = "FreeCell"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SoundRecorder.exe,-32790 = "Record sound and save it on your computer."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505 = "Sticky Notes"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mstsc.exe,-4000 = "Remote Desktop Connection"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1824	ehRec.exe
2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
2960	aspnet_state.exe
2960	aspnet_state.exe
2960	aspnet_state.exe
2960	aspnet_state.exe
2960	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	2096	mscorsvw.exe
Token: 33	2496	EhTray.exe
Token: SeIncBasePriorityPrivilege	2496	EhTray.exe
Token: SeDebugPrivilege	1824	ehRec.exe
Token: 33	2496	EhTray.exe
Token: SeIncBasePriorityPrivilege	2496	EhTray.exe
Token: SeRestorePrivilege	884	msiexec.exe
Token: SeTakeOwnershipPrivilege	884	msiexec.exe
Token: SeSecurityPrivilege	884	msiexec.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	2096	mscorsvw.exe
Token: SeBackupPrivilege	752	vssvc.exe
Token: SeRestorePrivilege	752	vssvc.exe
Token: SeAuditPrivilege	752	vssvc.exe
Token: SeBackupPrivilege	1892	wbengine.exe
Token: SeRestorePrivilege	1892	wbengine.exe
Token: SeSecurityPrivilege	1892	wbengine.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	2096	mscorsvw.exe
Token: SeShutdownPrivilege	2096	mscorsvw.exe
Token: SeManageVolumePrivilege	2824	SearchIndexer.exe
Token: 33	2824	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2824	SearchIndexer.exe
Token: 33	2064	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2064	wmpnetwk.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	2096	mscorsvw.exe
Token: SeDebugPrivilege	2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
Token: SeDebugPrivilege	2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
Token: SeDebugPrivilege	2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
Token: SeDebugPrivilege	2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
Token: SeDebugPrivilege	2124	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	2096	mscorsvw.exe
Token: SeDebugPrivilege	2960	aspnet_state.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	2096	mscorsvw.exe
Token: SeShutdownPrivilege	2096	mscorsvw.exe
Token: SeShutdownPrivilege	2096	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	2096	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	2096	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	2096	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	2096	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	2096	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	2096	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	2096	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	2096	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	2096	mscorsvw.exe
Token: SeShutdownPrivilege	1640	mscorsvw.exe
Token: SeShutdownPrivilege	2096	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2496	EhTray.exe
2496	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2496	EhTray.exe
2496	EhTray.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
1468	SearchProtocolHost.exe
1468	SearchProtocolHost.exe
1468	SearchProtocolHost.exe
1468	SearchProtocolHost.exe
1468	SearchProtocolHost.exe
1468	SearchProtocolHost.exe
1468	SearchProtocolHost.exe
1468	SearchProtocolHost.exe
1468	SearchProtocolHost.exe
1468	SearchProtocolHost.exe
1468	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 1680	1640	mscorsvw.exe	61
PID 1640 wrote to memory of 1680	1640	mscorsvw.exe	61
PID 1640 wrote to memory of 1680	1640	mscorsvw.exe	61
PID 1640 wrote to memory of 1680	1640	mscorsvw.exe	61
PID 1640 wrote to memory of 1112	1640	mscorsvw.exe	57
PID 1640 wrote to memory of 1112	1640	mscorsvw.exe	57
PID 1640 wrote to memory of 1112	1640	mscorsvw.exe	57
PID 1640 wrote to memory of 1112	1640	mscorsvw.exe	57
PID 1640 wrote to memory of 2848	1640	mscorsvw.exe	58
PID 1640 wrote to memory of 2848	1640	mscorsvw.exe	58
PID 1640 wrote to memory of 2848	1640	mscorsvw.exe	58
PID 1640 wrote to memory of 2848	1640	mscorsvw.exe	58
PID 1640 wrote to memory of 2644	1640	mscorsvw.exe	59
PID 1640 wrote to memory of 2644	1640	mscorsvw.exe	59
PID 1640 wrote to memory of 2644	1640	mscorsvw.exe	59
PID 1640 wrote to memory of 2644	1640	mscorsvw.exe	59
PID 1640 wrote to memory of 2652	1640	mscorsvw.exe	81
PID 1640 wrote to memory of 2652	1640	mscorsvw.exe	81
PID 1640 wrote to memory of 2652	1640	mscorsvw.exe	81
PID 1640 wrote to memory of 2652	1640	mscorsvw.exe	81
PID 1640 wrote to memory of 1680	1640	mscorsvw.exe	61
PID 1640 wrote to memory of 1680	1640	mscorsvw.exe	61
PID 1640 wrote to memory of 1680	1640	mscorsvw.exe	61
PID 1640 wrote to memory of 1680	1640	mscorsvw.exe	61
PID 1640 wrote to memory of 1676	1640	mscorsvw.exe	62
PID 1640 wrote to memory of 1676	1640	mscorsvw.exe	62
PID 1640 wrote to memory of 1676	1640	mscorsvw.exe	62
PID 1640 wrote to memory of 1676	1640	mscorsvw.exe	62
PID 1640 wrote to memory of 956	1640	mscorsvw.exe	63
PID 1640 wrote to memory of 956	1640	mscorsvw.exe	63
PID 1640 wrote to memory of 956	1640	mscorsvw.exe	63
PID 1640 wrote to memory of 956	1640	mscorsvw.exe	63
PID 1640 wrote to memory of 1704	1640	mscorsvw.exe	64
PID 1640 wrote to memory of 1704	1640	mscorsvw.exe	64
PID 1640 wrote to memory of 1704	1640	mscorsvw.exe	64
PID 1640 wrote to memory of 1704	1640	mscorsvw.exe	64
PID 1640 wrote to memory of 1312	1640	mscorsvw.exe	65
PID 1640 wrote to memory of 1312	1640	mscorsvw.exe	65
PID 1640 wrote to memory of 1312	1640	mscorsvw.exe	65
PID 1640 wrote to memory of 1312	1640	mscorsvw.exe	65
PID 1640 wrote to memory of 2172	1640	mscorsvw.exe	66
PID 1640 wrote to memory of 2172	1640	mscorsvw.exe	66
PID 1640 wrote to memory of 2172	1640	mscorsvw.exe	66
PID 1640 wrote to memory of 2172	1640	mscorsvw.exe	66
PID 1640 wrote to memory of 1148	1640	mscorsvw.exe	67
PID 1640 wrote to memory of 1148	1640	mscorsvw.exe	67
PID 1640 wrote to memory of 1148	1640	mscorsvw.exe	67
PID 1640 wrote to memory of 1148	1640	mscorsvw.exe	67
PID 1640 wrote to memory of 1680	1640	mscorsvw.exe	61
PID 1640 wrote to memory of 1680	1640	mscorsvw.exe	61
PID 1640 wrote to memory of 1680	1640	mscorsvw.exe	61
PID 1640 wrote to memory of 1680	1640	mscorsvw.exe	61
PID 1640 wrote to memory of 1288	1640	mscorsvw.exe	69
PID 1640 wrote to memory of 1288	1640	mscorsvw.exe	69
PID 1640 wrote to memory of 1288	1640	mscorsvw.exe	69
PID 1640 wrote to memory of 1288	1640	mscorsvw.exe	69
PID 1640 wrote to memory of 1696	1640	mscorsvw.exe	70
PID 1640 wrote to memory of 1696	1640	mscorsvw.exe	70
PID 1640 wrote to memory of 1696	1640	mscorsvw.exe	70
PID 1640 wrote to memory of 1696	1640	mscorsvw.exe	70
PID 1640 wrote to memory of 1356	1640	mscorsvw.exe	71
PID 1640 wrote to memory of 1356	1640	mscorsvw.exe	71
PID 1640 wrote to memory of 1356	1640	mscorsvw.exe	71
PID 1640 wrote to memory of 1356	1640	mscorsvw.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
"C:\Users\Admin\AppData\Local\Temp\57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2868

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2764

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 254 -NGENProcess 250 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 250 -NGENProcess 258 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 268 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 254 -NGENProcess 26c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 254 -NGENProcess 240 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 254 -NGENProcess 1d8 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 240 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 27c -NGENProcess 25c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 268 -NGENProcess 1dc -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 284 -NGENProcess 270 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 254 -NGENProcess 240 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 268 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 290 -NGENProcess 27c -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 240 -NGENProcess 294 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 28c -NGENProcess 298 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 28c -NGENProcess 258 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2a0 -NGENProcess 298 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 25c -NGENProcess 240 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2a4 -NGENProcess 29c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 298 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2a8 -NGENProcess 2a4 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 274 -NGENProcess 1fc -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 244 -NGENProcess 268 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 268 -NGENProcess 27c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 1ec -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 278 -NGENProcess 27c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 27c -NGENProcess 248 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1c8 -NGENProcess 278 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 220 -NGENProcess 1d4 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 268 -NGENProcess 278 -Pipe 118 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 1fc -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 298 -NGENProcess 1d4 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 11c -NGENProcess 270 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 2a4 -NGENProcess 248 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 248 -NGENProcess 1fc -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1fc -NGENProcess 11c -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 11c -NGENProcess 220 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:1496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 258 -NGENProcess 2a4 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2a4 -NGENProcess 1fc -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:1896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2b8 -NGENProcess 220 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 258 -NGENProcess 2c0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 298 -NGENProcess 220 -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2bc -NGENProcess 2c8 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 25c -NGENProcess 220 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2bc -NGENProcess 2c4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 1fc -NGENProcess 2cc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 2cc -NGENProcess 2bc -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  PID:924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d8 -NGENProcess 2c4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c4 -NGENProcess 1fc -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 1fc -NGENProcess 2cc -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 2cc -NGENProcess 2d0 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2e8 -NGENProcess 2d8 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d8 -NGENProcess 1fc -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2d8 -NGENProcess 1fc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 1fc -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 2f8 -NGENProcess 2f0 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2d8 -NGENProcess 300 -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2bc -NGENProcess 2f0 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 304 -NGENProcess 2f8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 300 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2f0 -NGENProcess 304 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 304 -NGENProcess 2fc -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 318 -NGENProcess 310 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:1096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 314 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2fc -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 310 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 314 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:1180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 320 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 304 -NGENProcess 314 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 334 -NGENProcess 324 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 320 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 320 -NGENProcess 32c -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 2fc -NGENProcess 33c -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 2fc -NGENProcess 320 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 310 -NGENProcess 33c -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 34c -NGENProcess 338 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 354 -NGENProcess 320 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 310 -NGENProcess 358 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 33c -NGENProcess 320 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 320 -NGENProcess 32c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 338 -NGENProcess 35c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 338 -NGENProcess 320 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 2fc -NGENProcess 35c -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 364 -NGENProcess 370 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 358 -NGENProcess 35c -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 374 -NGENProcess 2fc -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 370 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 378 -NGENProcess 374 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 374 -NGENProcess 378 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 384 -NGENProcess 358 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 36c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 378 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 358 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 36c -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 388 -NGENProcess 378 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:1660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 374 -NGENProcess 390 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:1808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 384 -NGENProcess 378 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 378 -NGENProcess 38c -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:1588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 3a8 -NGENProcess 390 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 378 -NGENProcess 3b0 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 398 -NGENProcess 390 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 390 -NGENProcess 3a8 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3b8 -NGENProcess 3b0 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3b8 -NGENProcess 390 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 390 -NGENProcess 36c -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3c4 -NGENProcess 398 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 378 -NGENProcess 358 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 3c0 -NGENProcess 3c8 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3d0 -NGENProcess 398 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:1884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 358 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 358 -NGENProcess 378 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 390 -NGENProcess 3d8 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3e0 -NGENProcess 3d0 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 358 -NGENProcess 3e8 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 3c8 -NGENProcess 3d0 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3ec -NGENProcess 3e0 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:1072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3e8 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3e8 -NGENProcess 358 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3e4 -NGENProcess 390 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3f0 -NGENProcess 3fc -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3e0 -NGENProcess 390 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:1180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3e0 -NGENProcess 3f0 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3f0 -NGENProcess 408 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3c8 -NGENProcess 1c4 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 1c4 -NGENProcess 3e0 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 3e0 -NGENProcess 3f0 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3f0 -NGENProcess 3fc -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 3ec -NGENProcess 420 -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:1404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f8 -NGENProcess 3c8 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  PID:2596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 428 -NGENProcess 420 -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:1168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 3ec -NGENProcess 3f0 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:1396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 410 -Pipe 430 -Comment "NGen Worker Process"
  2⤵
  PID:1096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 410 -NGENProcess 3f8 -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 434 -NGENProcess 428 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:1496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 428 -NGENProcess 3f0 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 43c -NGENProcess 3f8 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 438 -Pipe 424 -Comment "NGen Worker Process"
  2⤵
  PID:640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 3f0 -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 3f0 -NGENProcess 43c -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 44c -NGENProcess 438 -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:1744

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2220

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:2076

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2308

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2496

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1816

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2368

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:932

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:952

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2408

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2240

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2756

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2736

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2288

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2824
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2652
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:1448
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
c43b506f569cc55e662c66c17b4e80c2

SHA1
55883d2debdf21ef91582c7e2063d77d0ab51734

SHA256
caf50291972f20f86843a0444b25a818838365949ccfa6295a28535860165ff9

SHA512
a46730c214d58043e54f702c9aa0dbd0c0ff61351089b8e7ce717bda1641d1522b0abcb3346f8d1a2638da18d5754ff3b8b5214beb8ca88076a02ff23da7e2b1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
4b0d36a2af6a697620f204e59f8b248d

SHA1
d03e63eb1c209680c4653c6cfb6ba68dd74f6427

SHA256
5b62ef50b5ec197e0280529a05857da8cdbe0bd1d23180c09b2a09d27734fd1d

SHA512
5ed79b81fa5eaa9e16d55e073327d7e126ab18576c443aed107d142e69886def2c485e54fafa6a5727d47e96911bfca0b4c84a734ec7b824953395f57dbfae6d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
0235b0004c0dcca5c00035d7107c8abb

SHA1
d5f4c411e4f6ab6153ab7d8b517a947d47b59728

SHA256
f36c41141dca7e5510cb9a451a67f9a9a983a78f9b1c1b6f19d0caefae0f8e01

SHA512
cb8bff57ba55c7689957341c8252def9cd5dc04b09cdbdaeeb641ad98b845c96d9f7beaf724c206b7bc78c06c97385560fc74053ad4fb35f97c8ffe58b1f4424

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
6ddde79cec6f029f110abc62e3ca3ba7

SHA1
4b667a45d80cb835acf15892fe3ff743df2bc8e2

SHA256
6cd83f73a736ea86ba8cac7c39d929c32774a03ee32427eb411905d6862f6ea7

SHA512
4c867c11ef961200b9b45d5216e6ed3a3e81fa5c2e3ac7e1278d69ab2a2ef7c6409b4896983b937d871a9d5e6c7dc112d93c077d13e334f987a53463714429cd

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
bc2330c1a97a02ce73f8ed54bd233cb4

SHA1
66744083bffba63cf62e7876f891bcbee9d61d26

SHA256
5e5ba0fdc3c2a7c9c9935f0299c3d99a084b1e037045773545a3a624754d36a1

SHA512
e72f369bee6ccc7f4036d7dc63d69801577773682c7f6495be8ba46a89adead7355aa4be03cf6c72fdfd3b05b4200f6791fbf4209ba3dce7638156fdd02c7210

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
7019ab50576f9fe0700b817b1e024ed1

SHA1
8a4e4a53b137eac614cde661469bde2ac44e45de

SHA256
442454ce2fb61caf8669ae7ce438bc533a258425b2738d7beeab7dd48c1eff0a

SHA512
7a3d9f331d30c78a5911c0d618d5e7dddce6cce1ada70082bcd1fc60ed6ec90f0a31092d611c8eab0bf973e28085cb69e85ad3959e4425feb61839eaccfe4cee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
7ef1167a65e48315cf17821451f358e1

SHA1
5453e981d12406723f54c626a84bc1651ff9e91c

SHA256
369682dd2f78304fb3e6e5c915c204aa585f59b7ede463dbdcffdf8eb58d22a8

SHA512
ea2af9c0e14c8ec4a0421a94caaff934aa1f912fb2621f24bf2cc921ec92fa760529bfb97bf6c75f2a1b3f6456a72861f7a61a6ab7d1b3bc9a22202ff582b0f9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
c10100f24a53ce485418f49181108aad

SHA1
620fd8986f984d4f47f16d8ccdc46b64177a2f1e

SHA256
2bfd1d1b9bc9096e6ae4780b2094ae4a7d2f6db53796ad32bcbddde0c346a45b

SHA512
6082a228e07849ffa02b09990a035ba2d5eeb7d24b2f5ddcb53669809b8702f16f47f8500637aa1e5c3913d1d1acccd1d7d61452dcf38cec4547b16244d9f179

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
bfa8b525d65adf33f116c24ff4cf071c

SHA1
dd77f77bee14dd36480bc8c07998e60c83b3557f

SHA256
4befbb5bf2672ce3638394c2e9439132e2edd351b38448ba56dc5871c781472c

SHA512
0e83830d6a87fa1472bce6e4688a70f75de694cff7c8abac63485de98f0643db773e1c0913689a281486b8eb13dceae40361821124b7fc5ec493ed1fc2b879e1

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
4add2e8a63bddd6402182f41b994f0e0

SHA1
4e61f31593c1ad99d6c6bb403b5cbd9b5467c812

SHA256
8dc7842a08c045c697aacfabc62e932a65d9c7a71c178ae0012b2dbcdfdac7bb

SHA512
be0211a42deb688468bdf97d142677bf2f271ea40cbed8d81c9b9c0673fb0ddc6f3d6575cd3d22394930781f68f70f31c6720a7d8d24bc0627cf58fc652e4b6c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
d4cc27c0b6cc8c92c892193b1245886c

SHA1
ce7bc26928b442df3c97f75a9ff909b09f8254a7

SHA256
aa7d7e0e5ca1778320623853a2977c823545d95a1a7663abfef29b47f6e10fb8

SHA512
38281e7963d58340dd6f6957dff0fff0987c79077937e106ba1c9ce024ec341c5470f227b6618a8818a91bb328865859b26ec8455e5a3498e1257de5d7e0caad

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0436108d7766f5f9e3700fc72ef14a2c

SHA1
ae70f38441e8ade8497414f2a05ea0ee6727098d

SHA256
9fc8b1b225cbf07b5e2ede80893370585138dbd0727b3a73462f8c0d0fad27f0

SHA512
07c2d5a4a9bebe5e57518eb53b33e6f78e374606206b1404a2f966379316b96d004893a16ccb3a37dc15a50c70c3d39b1342267251531230d029c0a30fbc4d39

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
162259b0583e6b1b2e3ab617978e66e0

SHA1
6fd44d1bc99227f5e0e6440e94583c60981da064

SHA256
f08d6add4e8a2c1fa6a717e254aa00aaa83888d58b8695d81181a50cce1cf224

SHA512
9d839e01e7a9114fe88c948bc2877a94c7e9419390c3e9c46e4629d342ee8df99e3e125b363a768667f5dee71dbb71a0a017ed4fd53e072956553c6fe4f0c6a2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ecdbb82b6e5d1edb148b80d687e2c77b

SHA1
633f223e07cf75b644fa8e08e8a7825503f29fd6

SHA256
91815b23f1683bd8dde8588e38e56cc11679d7d410e4f18951005ca9bbe4a18f

SHA512
f6dea1f6a51e5b12759e5cfe484a6101231af0c4db7dd0b61564c2fb57754f53ec6e635ad5b0074877978ef21150dd496373c3f88750dc581949cc8a0bf6bb91

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
5142c4590cd87bd97068799af7ce2e07

SHA1
f4b15e8bfd1297036aad407edd2b6a74ce8cb1ce

SHA256
d52cb6a3e9b68a14a083a0705027aa5d646dc3072829549b23610e95916d61ec

SHA512
1f2129a34e52f5aedfc824db66aaf3a04ab7566774d2c545a912ef85b7102faced9b8bdbcc0d3e69e5024929dde5d245d9e582086b6bc8bb5c3c878f5fed6d15

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
e917de9a294eacf3ad9408e0f4cd26af

SHA1
16cc6d5367d337504286dfa9b37350b02b372dae

SHA256
70bb2a1a872aedacd67d160050f85c0528581c4ddfbdda69197fbad4d22cb162

SHA512
bfb4c617c5e4bb2883f276194792825d7a52f8dd3789b1c595d7c5526b34c7c74c1ca6a190e5236e4a883fb2be213f17f959c91da81afbc373eb54c6901b34e0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
81dc09575ee1fb2c3179dfb912730aa7

SHA1
3aa79607b05021d1fe9a733d05277be341ee20ba

SHA256
5771f9b28032f11840703cf144e25bf806f89656fb75582e8149bab792690e66

SHA512
799c97df8b2445c6e85b330d2b39a8ab50322b31851b5ce98df7e5155d09eb413ba35562c2752275041b7d2d9ea63ef4a50cec5f0ba5bec6cf6a75b12cd84325

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
77c2bcf0c28d098b2e01279b55eeca0a

SHA1
d471cb4d7e1662455b441bbb659aa88d3248316c

SHA256
cfdaf1b739b4e2e14da058aee1b62d2040fc44e00a1d4feef5ce025faa6b2e07

SHA512
5c9a153ad6e406370b5e96020cbf63acf6129316761fb4a94285fc5d21a25633bc58e73637b8535a0051cb22ab0ebc186192865371daa151b9ecdd259b9d08d4

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
326fc7929cf93704d4a3bbd57dc224e3

SHA1
35c010303cfcae1c43ac827d3c60e394cda42cbf

SHA256
2e4499804884672de7d9ebf6e808a475047c178cc88922cdde24b67cc535e41d

SHA512
294145e78d39c5d445db45b1ddc2f84fd801dcd14d55b77365cb873bb96a9dd3a60312328b6f75172d4d7ec5ebf3aade0c91fc616b96c111b33bf35079020ee6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
866c99157e86eca902dc76681b0f3387

SHA1
2350a2ccb4e3114d6c83b523f959358b13ea9eff

SHA256
f74eee3b67f977761edac9c38eece696c552a25b2fbf22b35f12606f3b6cdea0

SHA512
7702d3e9fc4766ab8623b864f990efeb606a1eac079b126163ad76dbbefca0dd7622dc0ec1a434789118497e026603b5b417741fa468a14521db59f08a392b45

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
9f469716b4d1c217aaf0142925a9c10b

SHA1
8f59fc8450cef69541f525a4f2d70feb200f3302

SHA256
9ec09f2d94786acff60e018c18bee882e61ffceac7b2c52d849f5ed0b850c4af

SHA512
cfe95f903dbbea2a48a7853ca7cde25c614add0a11d8b52c19bc339e78c580818974b8a47c0bad22e7a135541a4f93efd4df8511e0ec63b25697b2cd0de0e5fa

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\48a294a6ff9cea6b26c38fc8b4f5e3e8\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll

Filesize
356KB

MD5
87111e9d98dc79165dfc98a1fb93100b

SHA1
4f5182e5ce810f6ba3bdb3418ad33c916b6013c8

SHA256
971188681028501d5ac8143b9127feb95d6982417590af42cf1a43483e38bd42

SHA512
abbb246d620e8a2ab1973dde19ff56ea1c02afa39e889925fe2a1ba43af1ad4ff6eb017e68578ae520109b3e290b3d9054d7537eb2df0ede6e0fbca8519cc104

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5f2320d38621eb541713e6cd421c2b8a\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.ni.dll

Filesize
648KB

MD5
7ebbba07bc6d54efd912bcd78b560b7b

SHA1
a6aee1a80ddcdf201301ac29293c62d58bcc941d

SHA256
637dc357ff9011902186f2fd128ca74ac84fdb6d984f15036803b6a8fe28868a

SHA512
2139a0d520ed70b72dc76fdd0555185386c9c22de1e1fb7eaac0607b313500c44f856c76ac6e2cd72148ea0b86b10bdd2b0ab7daacfc945cb66a637b8d99cfe8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\6dec6380f65b3e5bfed7a28ad840f55f\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
499f686d5b6f99e62e7b4749307f6010

SHA1
42dfefbc442b1f8d42e9f8a59f53f199704993a4

SHA256
ba40f9d480948baf4c22583691106e4ad20eec5d670b2c31be1f5c8b5447924c

SHA512
331a8e3fee43d94e671e713db3ff7d505793bcb0bfd58ab64a651dc7a9fbb517ae6d06a3e0e1c1d1b44cbba2151aa844f6d0cd4bb7e43bdffaf3b2ea78d3f9a8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

Filesize
1.2MB

MD5
0637ad2bf6fc5ac1d29e547155bc818c

SHA1
a502879466b6dd37eae5881bbb18353f97623852

SHA256
868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f

SHA512
1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a02ea5fbff6405eb645696ac59403eb7\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
3f8e24ebccb8944666c26195c08a3cc2

SHA1
658fc7ea57fd49b455bae5069c0c9e8ab2243ec2

SHA256
b144480aac2a4221712f8952ca6a1b1dfa8081538c96c1f770f5ee6e68f368b4

SHA512
790d6089ca0b71de4b6d74ca8e91c5506dcb8827b1aac68d9849a7aa6fc34e9f3fbb62b101b2ab0a7d898960a04c6bc106db3a0c17f8fe0ce0b143bb9ed4b04d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a05ee2388c8a28fb3ac98ec65148e455\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

Filesize
65KB

MD5
da9f9a01a99bd98104b19a95eeef256c

SHA1
272071d5bbc0c234bc2f63dfcd5a90f83079bbab

SHA256
b06632dff444204f6e76b16198c31ab706ea52270d5e3ae81626dc1fc1fb1a4d

SHA512
dcb3273e33b7df02461e81a4f65ae99c0a9ae98188a612ce6d605a058bd2dcb6ddb5b7c78abe1f0a955b7f0c07c323dbfd77a2b6a629a9c87e4ecc1c57e4d81d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a3e62a29807944a418928c2c96ffa660\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
ad6db1b5253efb254455b9b19be30671

SHA1
59a080db27cd4dc1cecc35e4e4ac393bbdab3e36

SHA256
25493e5f12360ab1981ad0bebeb8089b082caf6853b207dc2d2cd161213b01df

SHA512
71dc8302b2a888e2252685e83c42ec41be53021f8b81cada112b3a6740ad6bfef04af22a2863f472d0ce66a1c883d8b00c069ff6cfc107ce3d568308d148119c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ac2e1ab5cae0ba75d0a7173ad624c222\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
1eff63517430e183b5389ba579ed93e2

SHA1
5891927b05adc6db5464fb02469c113a975ebbf0

SHA256
b56eb87a81a8777ae81fe8099d7f18dd11757dff104a9609a0568ca0b4ce0856

SHA512
2861ba07bfea6dbe1e349df886a401df47e9ca2a3846d1f8a269c6a558bdc5f5e4bf30cbaa8c115af801f2e5bf722084b88290e1dd10c4cedbc49a26e8eda844

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b8e029b1434d965380b363483e376df0\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.ni.dll

Filesize
329KB

MD5
eb09a7062a66a50fe2cb16c4a80561a7

SHA1
33b4c71ced7644be9802374a4f04c866394daaca

SHA256
e94a4ad1ef9de2886a231e857c8691328c2e6e344cc9e82440e5c45b8a788256

SHA512
c57a4c626c87032ca422df04ce7c3322662a9b0c6c06a46e93f08ca8f431295c9ae802cd79f53cae5de2b39a30bbeb756c966880e874ed44115cf511cc1ff920

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bf3e8ba642eaf9a5371982f211550c52\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.ni.dll

Filesize
278KB

MD5
d74d434aa70ce827715b5e0ac7eda5be

SHA1
b53f3374be4c96af51c78fd873de1360f17c200f

SHA256
54701cbe719b08b2393b9f4a604c372f9a280b5d3dd520b563d2aea7d69a1496

SHA512
631d09a0ff39ece829f5c23278c2c030e5ff758b285128edb7805682de75b5be1aedd914d2325f79ec98d0103660a39ae1f1a5782f5dad038b143f3774c098df

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
260a4ca74000d57e9a5820c540994297

SHA1
88a716fb4b05aff6e4d9ca6fc268b2269a7f6501

SHA256
4cc1eb7d54ab7d67a6ab2be25f277e04cf251668b415ac19a5f3a652aac21a57

SHA512
51be6ccaa274e20543f3a4eab743e1d691ce0d8fd778a75f07010af817dd935933759cc7933d743d33acf09b0140a5ebdf73e1ba9473778fe2ff16e2a7ee75c8

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
a8a840bb68a437ca80cad741e13cf446

SHA1
b2758f085416bff52a26bee3e51d89167622a059

SHA256
da57526a93670092007d95009c4007950172a9b75f067579339ea3c13c3c717f

SHA512
5f4ef2a5d2040c0c1a87beba3bde9cf463099536c92a92d7516f5bbe1a73ef9c626da8fe7f80627c3e69601e0578aa70ff83ae5e5c062feda075774784e134d3

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
abc13cfc29108cd9fea0967e75eeeb87

SHA1
7e0d4f9952819d261be9abfcff20d2469fd6c5c8

SHA256
b5767c87e9a81c9adc3ae8e4acc04e0bcd60197686502918a408066bbe0586d3

SHA512
f5b03852b718a0dac5657ee763dcad765a7e8374f238573ee038b0caec0daed50e889a4f882d79a6ebd2b639fe71ab0ba99277b44b55cb4b7d01d6ec1d03efad

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
3370abbb8afabd3fd529ed795d27ce06

SHA1
c70c01ed99d31ec23d27381175db473db70dd4d1

SHA256
ad2eab6993a64e2d47a932f539f765f9c9212af0d0f62795e3807d8555a4e59a

SHA512
d0da01ea59dd4a01af70033679dbb17f978c1a9d87c7957cabd8feb4689540f0608192bbce4938de82b625a0dd7270d774a52372aebd5b031601797b8e191ca0

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
736be61096232773b08c76333f8338c0

SHA1
3cedb67ea2c4e82d7a13a339e0d30e642e9cdd1c

SHA256
e5094b4da30442d94c7df20d2dbcfeb2a58e5500f45be50155ada2e3eb1edae2

SHA512
4fe3cc0fc15c09501211ddc6e81e3da496f613f66355bff1ee315ceef6b6c6933c80762f4ecd55529dbb84b9d81910e33826aa4d1f0999cf211415a133130415

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
fa33359dd553c496d35859ea59704e89

SHA1
8c9e497d9dc24750925d148aaf68899a627aecef

SHA256
27dc0e6bfb9f9a3ed1663a2b514ba3dd056b39d5a0bf648fba1ccacb20ea2739

SHA512
1cd90a533659c7c75e5ffc26a5f66569bce3c8d2979b84ac7dd915c97b6b7b85b22f5f5d75ce14d0d8952048c58157b5f1a6f519351cc31bc785a3bedb40475f

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
3bc021d3d0098d0b6d8eb13293f95727

SHA1
e56f0a83497f454f3855a1f1a805d63baa31f0ea

SHA256
17c76dd078de22907ac547c1221b0359e6b9b930785f6a3ec1966461b6d58171

SHA512
4ab407055dc8b3b88b0e3de2b83d6f55c24552f051c4144b621dd5b7870d5d1627e642a0d00fc28cdcf0edef2bb1844e3613fb25115fb9520b0eeb26b68deb13

Download Submit
memory/752-236-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/752-446-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/884-260-0x0000000000640000-0x0000000000831000-memory.dmp

Filesize
1.9MB

Download
memory/884-186-0x0000000000640000-0x0000000000831000-memory.dmp

Filesize
1.9MB

Download
memory/884-245-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/884-182-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/932-228-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/932-153-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/952-164-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/952-168-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/956-487-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/956-507-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1112-389-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1112-371-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1312-518-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1312-537-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1640-886-0x0000000001FD0000-0x0000000001FEE000-memory.dmp

Filesize
120KB

Download
memory/1640-68-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1640-890-0x0000000001FD0000-0x000000000216E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-889-0x0000000001FD0000-0x0000000002074000-memory.dmp

Filesize
656KB

Download
memory/1640-888-0x0000000001FD0000-0x000000000205C000-memory.dmp

Filesize
560KB

Download
memory/1640-897-0x0000000001FD0000-0x0000000002036000-memory.dmp

Filesize
408KB

Download
memory/1640-887-0x0000000001FD0000-0x0000000001FEA000-memory.dmp

Filesize
104KB

Download
memory/1640-885-0x0000000001FD0000-0x0000000001FDA000-memory.dmp

Filesize
40KB

Download
memory/1640-892-0x0000000001FD0000-0x0000000001FE0000-memory.dmp

Filesize
64KB

Download
memory/1640-184-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1640-896-0x0000000001FD0000-0x0000000001FFA000-memory.dmp

Filesize
168KB

Download
memory/1640-74-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/1640-69-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/1640-895-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/1640-894-0x0000000001FD0000-0x0000000001FF4000-memory.dmp

Filesize
144KB

Download
memory/1640-893-0x0000000001FD0000-0x0000000002058000-memory.dmp

Filesize
544KB

Download
memory/1640-891-0x0000000001FD0000-0x00000000020BC000-memory.dmp

Filesize
944KB

Download
memory/1676-485-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1676-467-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1680-376-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1680-471-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1680-347-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1680-447-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1696-595-0x0000000003DB0000-0x0000000003E6A000-memory.dmp

Filesize
744KB

Download
memory/1704-503-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1704-521-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1816-130-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1816-217-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1892-237-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2064-500-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2064-254-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2076-112-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

Filesize
64KB

Download
memory/2076-113-0x0000000000CC0000-0x0000000000CD0000-memory.dmp

Filesize
64KB

Download
memory/2076-865-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2076-102-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2076-103-0x00000000002C0000-0x0000000000320000-memory.dmp

Filesize
384KB

Download
memory/2076-109-0x00000000002C0000-0x0000000000320000-memory.dmp

Filesize
384KB

Download
memory/2076-199-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2096-93-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2096-91-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/2096-194-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2096-85-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/2124-8-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/2124-0-0x0000000000400000-0x00000000005E3000-memory.dmp

Filesize
1.9MB

Download
memory/2124-6-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/2124-84-0x0000000000400000-0x00000000005E3000-memory.dmp

Filesize
1.9MB

Download
memory/2124-1-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/2172-549-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2172-533-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2240-340-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2240-197-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2288-486-0x0000000100000000-0x0000000100203000-memory.dmp

Filesize
2.0MB

Download
memory/2288-241-0x0000000100000000-0x0000000100203000-memory.dmp

Filesize
2.0MB

Download
memory/2308-753-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/2308-116-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2308-211-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/2308-125-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/2368-142-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2368-789-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2408-240-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/2408-172-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/2644-429-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2644-411-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2652-426-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2652-449-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2736-213-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/2740-218-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/2756-207-0x0000000001000000-0x00000000011D5000-memory.dmp

Filesize
1.8MB

Download
memory/2756-370-0x0000000001000000-0x00000000011D5000-memory.dmp

Filesize
1.8MB

Download
memory/2764-62-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2764-30-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2764-41-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2764-31-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2812-54-0x0000000000480000-0x00000000004E0000-memory.dmp

Filesize
384KB

Download
memory/2812-78-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2812-53-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2812-47-0x0000000000480000-0x00000000004E0000-memory.dmp

Filesize
384KB

Download
memory/2824-517-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2824-269-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2848-391-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2848-415-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2860-425-0x0000000100000000-0x0000000100253000-memory.dmp

Filesize
2.3MB

Download
memory/2860-220-0x0000000100000000-0x0000000100253000-memory.dmp

Filesize
2.3MB

Download
memory/2868-13-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2868-124-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2960-26-0x0000000000E40000-0x0000000000EA0000-memory.dmp

Filesize
384KB

Download
memory/2960-18-0x0000000000E40000-0x0000000000EA0000-memory.dmp

Filesize
384KB

Download
memory/2960-17-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2960-129-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download