52c657629359928d335faf3305132f8e9e927df1f416079953adbc6e2b3f5c66

Analysis

max time kernel
150s
max time network
158s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08577362fde99723e8821dda6871a3ea10d41ff7e7840b89458ca6813db84477.exe
Size

1.3MB
MD5

b946a6b2d9d4e788b463f98a696b52f8
SHA1

233b6bd380abe1e04f7db1a6585f3593a94040db
SHA256

08577362fde99723e8821dda6871a3ea10d41ff7e7840b89458ca6813db84477
SHA512

577b31191976840f339ae76492c502614d23a369ad9b0a5db1ec982dc5b17c6724183e13095b6c5647bbb43723fd8cc52a9868200ff06b62ded1a00db8bba3dd
SSDEEP

12288:rXOiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:T4/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
668	alg.exe
2948	aspnet_state.exe
2956	mscorsvw.exe
2796	mscorsvw.exe
2660	mscorsvw.exe
2448	mscorsvw.exe
1512	ehRecvr.exe
760	ehsched.exe
2512	elevation_service.exe
2536	IEEtwCollector.exe
2400	GROOVE.EXE
1464	maintenanceservice.exe
1980	OSE.EXE
1732	mscorsvw.exe
2716	mscorsvw.exe
2804	mscorsvw.exe
2836	mscorsvw.exe
2144	mscorsvw.exe
2868	mscorsvw.exe
536	mscorsvw.exe
2372	mscorsvw.exe
236	mscorsvw.exe
3040	mscorsvw.exe
2120	mscorsvw.exe
1504	mscorsvw.exe
2728	mscorsvw.exe
1188	mscorsvw.exe
2736	mscorsvw.exe
2928	mscorsvw.exe
3044	mscorsvw.exe
3016	mscorsvw.exe
2016	mscorsvw.exe
1712	mscorsvw.exe
2300	mscorsvw.exe
2432	mscorsvw.exe
2992	mscorsvw.exe
776	mscorsvw.exe
1052	mscorsvw.exe
1544	mscorsvw.exe
2156	mscorsvw.exe
2860	mscorsvw.exe
1988	mscorsvw.exe
1788	mscorsvw.exe
1652	mscorsvw.exe
2656	mscorsvw.exe
692	mscorsvw.exe
2288	mscorsvw.exe
2608	mscorsvw.exe
1388	mscorsvw.exe
1884	mscorsvw.exe
2868	mscorsvw.exe
1608	mscorsvw.exe
776	mscorsvw.exe
2652	mscorsvw.exe
3056	mscorsvw.exe
1184	mscorsvw.exe
2316	mscorsvw.exe
1976	mscorsvw.exe
2564	mscorsvw.exe
2016	mscorsvw.exe
2592	mscorsvw.exe
1268	mscorsvw.exe
2424	mscorsvw.exe

Loads dropped DLL 58 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1788	mscorsvw.exe
1788	mscorsvw.exe
2656	mscorsvw.exe
2656	mscorsvw.exe
2288	mscorsvw.exe
2288	mscorsvw.exe
1388	mscorsvw.exe
1388	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
776	mscorsvw.exe
776	mscorsvw.exe
3056	mscorsvw.exe
3056	mscorsvw.exe
2316	mscorsvw.exe
2316	mscorsvw.exe
2564	mscorsvw.exe
2564	mscorsvw.exe
2592	mscorsvw.exe
2592	mscorsvw.exe
2424	mscorsvw.exe
2424	mscorsvw.exe
3044	mscorsvw.exe
3044	mscorsvw.exe
2372	mscorsvw.exe
2372	mscorsvw.exe
956	mscorsvw.exe
956	mscorsvw.exe
2328	mscorsvw.exe
2328	mscorsvw.exe
2920	mscorsvw.exe
2920	mscorsvw.exe
2872	mscorsvw.exe
2872	mscorsvw.exe
3028	mscorsvw.exe
3028	mscorsvw.exe
2972	mscorsvw.exe
2972	mscorsvw.exe
1604	mscorsvw.exe
1604	mscorsvw.exe
2128	mscorsvw.exe
2128	mscorsvw.exe
2648	mscorsvw.exe
2648	mscorsvw.exe
464	Process not Found
464	Process not Found
2008	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
752	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	08577362fde99723e8821dda6871a3ea10d41ff7e7840b89458ca6813db84477.exe
File opened for modification	C:\Windows\system32\dllhost.exe	08577362fde99723e8821dda6871a3ea10d41ff7e7840b89458ca6813db84477.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	08577362fde99723e8821dda6871a3ea10d41ff7e7840b89458ca6813db84477.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b5fe6e425f6c6349.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	08577362fde99723e8821dda6871a3ea10d41ff7e7840b89458ca6813db84477.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C3A4D3BC-D67A-4D2A-B0ED-B4E62D27E02C}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP362D.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	08577362fde99723e8821dda6871a3ea10d41ff7e7840b89458ca6813db84477.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	08577362fde99723e8821dda6871a3ea10d41ff7e7840b89458ca6813db84477.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP20D9.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	08577362fde99723e8821dda6871a3ea10d41ff7e7840b89458ca6813db84477.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP23D6.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	08577362fde99723e8821dda6871a3ea10d41ff7e7840b89458ca6813db84477.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	08577362fde99723e8821dda6871a3ea10d41ff7e7840b89458ca6813db84477.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2829.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA489.tmp\Microsoft.Office.Tools.Outlook.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	elevation_service.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP451B.tmp\ehiVidCtl.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP96D3.tmp\Microsoft.Office.Tools.Excel.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2564	ehRec.exe
2512	elevation_service.exe
2512	elevation_service.exe
2512	elevation_service.exe
2512	elevation_service.exe
2512	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2580	08577362fde99723e8821dda6871a3ea10d41ff7e7840b89458ca6813db84477.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: 33	2192	EhTray.exe
Token: SeIncBasePriorityPrivilege	2192	EhTray.exe
Token: SeDebugPrivilege	2564	ehRec.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: 33	2192	EhTray.exe
Token: SeIncBasePriorityPrivilege	2192	EhTray.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeDebugPrivilege	668	alg.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeDebugPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2660	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2192	EhTray.exe
2192	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2192	EhTray.exe
2192	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 1732	2660	mscorsvw.exe	44
PID 2660 wrote to memory of 1732	2660	mscorsvw.exe	44
PID 2660 wrote to memory of 1732	2660	mscorsvw.exe	44
PID 2660 wrote to memory of 1732	2660	mscorsvw.exe	44
PID 2660 wrote to memory of 2716	2660	mscorsvw.exe	45
PID 2660 wrote to memory of 2716	2660	mscorsvw.exe	45
PID 2660 wrote to memory of 2716	2660	mscorsvw.exe	45
PID 2660 wrote to memory of 2716	2660	mscorsvw.exe	45
PID 2660 wrote to memory of 2804	2660	mscorsvw.exe	46
PID 2660 wrote to memory of 2804	2660	mscorsvw.exe	46
PID 2660 wrote to memory of 2804	2660	mscorsvw.exe	46
PID 2660 wrote to memory of 2804	2660	mscorsvw.exe	46
PID 2660 wrote to memory of 2836	2660	mscorsvw.exe	47
PID 2660 wrote to memory of 2836	2660	mscorsvw.exe	47
PID 2660 wrote to memory of 2836	2660	mscorsvw.exe	47
PID 2660 wrote to memory of 2836	2660	mscorsvw.exe	47
PID 2660 wrote to memory of 2144	2660	mscorsvw.exe	48
PID 2660 wrote to memory of 2144	2660	mscorsvw.exe	48
PID 2660 wrote to memory of 2144	2660	mscorsvw.exe	48
PID 2660 wrote to memory of 2144	2660	mscorsvw.exe	48
PID 2660 wrote to memory of 2868	2660	mscorsvw.exe	49
PID 2660 wrote to memory of 2868	2660	mscorsvw.exe	49
PID 2660 wrote to memory of 2868	2660	mscorsvw.exe	49
PID 2660 wrote to memory of 2868	2660	mscorsvw.exe	49
PID 2660 wrote to memory of 536	2660	mscorsvw.exe	50
PID 2660 wrote to memory of 536	2660	mscorsvw.exe	50
PID 2660 wrote to memory of 536	2660	mscorsvw.exe	50
PID 2660 wrote to memory of 536	2660	mscorsvw.exe	50
PID 2660 wrote to memory of 2372	2660	mscorsvw.exe	51
PID 2660 wrote to memory of 2372	2660	mscorsvw.exe	51
PID 2660 wrote to memory of 2372	2660	mscorsvw.exe	51
PID 2660 wrote to memory of 2372	2660	mscorsvw.exe	51
PID 2660 wrote to memory of 236	2660	mscorsvw.exe	52
PID 2660 wrote to memory of 236	2660	mscorsvw.exe	52
PID 2660 wrote to memory of 236	2660	mscorsvw.exe	52
PID 2660 wrote to memory of 236	2660	mscorsvw.exe	52
PID 2660 wrote to memory of 3040	2660	mscorsvw.exe	53
PID 2660 wrote to memory of 3040	2660	mscorsvw.exe	53
PID 2660 wrote to memory of 3040	2660	mscorsvw.exe	53
PID 2660 wrote to memory of 3040	2660	mscorsvw.exe	53
PID 2660 wrote to memory of 2120	2660	mscorsvw.exe	54
PID 2660 wrote to memory of 2120	2660	mscorsvw.exe	54
PID 2660 wrote to memory of 2120	2660	mscorsvw.exe	54
PID 2660 wrote to memory of 2120	2660	mscorsvw.exe	54
PID 2660 wrote to memory of 1504	2660	mscorsvw.exe	55
PID 2660 wrote to memory of 1504	2660	mscorsvw.exe	55
PID 2660 wrote to memory of 1504	2660	mscorsvw.exe	55
PID 2660 wrote to memory of 1504	2660	mscorsvw.exe	55
PID 2660 wrote to memory of 2728	2660	mscorsvw.exe	56
PID 2660 wrote to memory of 2728	2660	mscorsvw.exe	56
PID 2660 wrote to memory of 2728	2660	mscorsvw.exe	56
PID 2660 wrote to memory of 2728	2660	mscorsvw.exe	56
PID 2660 wrote to memory of 1188	2660	mscorsvw.exe	57
PID 2660 wrote to memory of 1188	2660	mscorsvw.exe	57
PID 2660 wrote to memory of 1188	2660	mscorsvw.exe	57
PID 2660 wrote to memory of 1188	2660	mscorsvw.exe	57
PID 2660 wrote to memory of 2736	2660	mscorsvw.exe	58
PID 2660 wrote to memory of 2736	2660	mscorsvw.exe	58
PID 2660 wrote to memory of 2736	2660	mscorsvw.exe	58
PID 2660 wrote to memory of 2736	2660	mscorsvw.exe	58
PID 2660 wrote to memory of 2928	2660	mscorsvw.exe	59
PID 2660 wrote to memory of 2928	2660	mscorsvw.exe	59
PID 2660 wrote to memory of 2928	2660	mscorsvw.exe	59
PID 2660 wrote to memory of 2928	2660	mscorsvw.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\08577362fde99723e8821dda6871a3ea10d41ff7e7840b89458ca6813db84477.exe
"C:\Users\Admin\AppData\Local\Temp\08577362fde99723e8821dda6871a3ea10d41ff7e7840b89458ca6813db84477.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2948

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2956

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 248 -NGENProcess 1d4 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 240 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 1d4 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 24c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 1d4 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 24c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 258 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 264 -NGENProcess 1d8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 26c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 258 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 1d8 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 28c -NGENProcess 288 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 278 -NGENProcess 1d8 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 298 -NGENProcess 284 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 288 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 1d8 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 264 -NGENProcess 258 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2a8 -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 258 -NGENProcess 1d8 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2d4 -NGENProcess 288 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2d8 -NGENProcess 2c4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 120 -NGENProcess 258 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 258 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2e4 -NGENProcess 2a8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2a8 -NGENProcess 2c8 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2ec -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d8 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f4 -NGENProcess 2c8 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2c8 -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2e4 -NGENProcess 2f4 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 304 -NGENProcess 2ec -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2ec -NGENProcess 2fc -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 30c -NGENProcess 2f4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2f4 -NGENProcess 304 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 314 -NGENProcess 2fc -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2fc -NGENProcess 30c -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 31c -NGENProcess 304 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 304 -NGENProcess 314 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 324 -NGENProcess 30c -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 30c -NGENProcess 31c -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 32c -NGENProcess 314 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 314 -NGENProcess 324 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 334 -NGENProcess 31c -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 31c -NGENProcess 32c -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 33c -NGENProcess 324 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 324 -NGENProcess 334 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 344 -NGENProcess 32c -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 32c -NGENProcess 33c -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 34c -NGENProcess 334 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 334 -NGENProcess 344 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 354 -NGENProcess 33c -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 33c -NGENProcess 34c -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 35c -NGENProcess 344 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 358 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 34c -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 344 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 344 -NGENProcess 360 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 360 -NGENProcess 354 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 374 -NGENProcess 36c -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 370 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 354 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:1324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 36c -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 370 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 354 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 36c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 370 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 354 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 36c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 370 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 354 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 36c -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 370 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 354 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 36c -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 370 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 354 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 36c -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 370 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 3ac -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 36c -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 370 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 3ac -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 36c -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 370 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 370 -NGENProcess 3d8 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 3e0 -NGENProcess 36c -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 3c4 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3d8 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 36c -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3c4 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 3d8 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 36c -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3c4 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 3c4 -NGENProcess 3f4 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 408 -NGENProcess 36c -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 36c -NGENProcess 3fc -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 410 -NGENProcess 3f4 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 3f4 -NGENProcess 408 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:1644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 418 -NGENProcess 3fc -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 240 -NGENProcess 414 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 414 -NGENProcess 3f4 -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 248 -NGENProcess 3fc -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 408 -NGENProcess 25c -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 3f8 -NGENProcess 3f4 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 36c -NGENProcess 3fc -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 25c -NGENProcess 3f8 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 41c -NGENProcess dc -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  PID:2852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 420 -NGENProcess 248 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 3f8 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess dc -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  PID:2996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 42c -NGENProcess 248 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:2392

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 15c -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 168 -InterruptEvent 1dc -NGENProcess 1e4 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1052

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1512

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:760

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2192

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2512

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2536

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2400

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1464

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1980

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:2776

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
PID:2008

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- System Location Discovery: System Language Discovery
PID:1636

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:2792

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:1692

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2520

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2960

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1644

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Modifies data under HKEY_USERS
PID:2820

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:2288
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  PID:868
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  PID:1732
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.3MB

MD5
246487e2b2bf063f0942126e84fb2ded

SHA1
e7370be235d736abfacd6edafe768e57c7128b5c

SHA256
1944bd784050751661bb1f85856f2191916843401695886044019751a2aee1ef

SHA512
88f5e60cde637d01ff5736de6cfee7d149674112e674448c4454832f68d5c01c77683104f8e9d7a0b1d232538b6a0fe1f7a59b123e16de6e1b02aa134721fb87

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
46f536ac5562a44112d3019c6989accc

SHA1
ab8e3d1712438c127dcdce5adc9fe23c44ff8425

SHA256
775f79f2c715fba41e3afc7a43cb625cb166c02a50426aab104525fc56f38187

SHA512
a3a10f9b4a5f8b74fcde16f88e503f0202971e0d1296fea6c534f511588e222dedf5bc8ee68ba6f78d25606eaf362f1f1d880baf2d04661e4c73e2c0a3907509

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
6f6c91e2f92eac1783abaa6c0b5aee54

SHA1
6215b84533da08fcd55ca5e90aab8ed648bff710

SHA256
3c46d625925a813319327277a63f0d0232e03b9e77ee968a4d800a429edb1c75

SHA512
696c937f6fff0bd31e36ae90ef17a7129c5ca3c12c0be33a23295df015123331601af72deae1388c70740e66c0fb4090b24d083db0704d97106ad9a273e970b2

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.7MB

MD5
1c5ea7994e3d6c4675013859854c085b

SHA1
f423eec9d4d8ecb72f4fd740336118da88cc42cc

SHA256
7119cc024117ff08c70f5baa77c95baf461582dfbc4538061ed2aa6cec6835f1

SHA512
de3614038018e577feac266d74c9aefe06ce20c2a91cc464dff984fca4801398146d4a6e06501f49c2291e4aaa6ba72e5844ad25e7397db6a6acb98fa827f276

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
460a659b88b510cfe4c3b53e2e44adc0

SHA1
2837092205b37e88b2e893e8497bee6e240da710

SHA256
e2b2260a2809af9e24d19f0cf4e9ca845e17fac1987ef7cbec4e1accf7efe84a

SHA512
18c0f875811c9798e0cc78b45eaa34345a4d7d36a2609f4435c2043b1e602b8f4e94fe83d7a62b2668eb9f22505d1670b1853eae1a612412614c02d3a7952f8e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
c60ef9ec4f0041245bfbb6d3d9b23d47

SHA1
32a0944afc75d0930c841b53e6df8215bfe6dc90

SHA256
db90124b7542c6d10a9706dd86cc40ba94ea9f64bde1f34a4dcfaeedbbee8b40

SHA512
34e794e356215aeafff91a23d879a77c5d4cb6e751fa293f4afb2729c5ddb570c75655c9446ddb4491ffb3edba0932c9bc5d0ce3abc499ef6da8f5b63d3e7171

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c6e198823bfe175c42c079c3acf23eaa

SHA1
9fd58fe6df22f6c3014c338c800a58db1a88a54f

SHA256
415bc0414db2569c318a9ee66be878538055d17c32d1f5d8e1be04d38743090d

SHA512
9c038d60abfe4c577a4d8440857221b48483a3193588a82464641bec5fc1c672f5da38c28ac05e225edeeece5b654cacda50057ddf28957a0ffbf1fc784c8a27

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
c6c3455d72f61bf1426425463b55a0a6

SHA1
7feb1ecb6804edab045bfd8926040e02c265b5d7

SHA256
a30f2100fcde6c37f2a8adf9d8cd6f05c28ace6a41c18a4ccf96d026a4ee9059

SHA512
77e9da90f1bb6b55025cf67ded4c0b18e6e542776192f445cd702ba924aaafb01500ad4260e6bf7114486e259be6b7349e007c8b3a4f986d48c9908f844533e8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
18cae51f3cd0f9db1e99a8baf4938ff2

SHA1
e460177d6bfbf7ba7105224c59d2b1301fb6c5cd

SHA256
b47ba9f09d5f20600e65aedfdb6cc6b73679ea95e7c31788a2f46e94b0fc8434

SHA512
f8d52985fbbc007990a0d4f983476941e2b126e67d856dc52722f0eb23157c2192e3f8fd41d3fc1962d10e445e1af990cb1173b41e19cdbf05a5d4c3ad2bc434

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
fafe0739c4fa7e2daa1d6779f4509ab1

SHA1
3db1cd129e18992bd6b424fd7a8e408bb28d570f

SHA256
27d8d2849ebcae47ebe9cd681db3d5982ce02e947029bfbdd30ba76e680cee2f

SHA512
d4cae786784038668c3e7d6e4c290af790d97281e9ae8a8f171f74f0406a6c15f6a18aeef994c6dd9b47e41c282e03958078eca38444bb21c8f79caa9d8a2303

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
2289a76c83cb2d1b6f8b78a82202203b

SHA1
85e62b3b93055fc38edf71c594fa890fcf28ae32

SHA256
d6d726b0cdf3cac96793132d66009a32ee5cadfd6597509a397356c63c60aa33

SHA512
c4a85a8ca62ae3a471b0d9d5be7ed0a79136498d16b47df046601fe21e3d3a9e8b19af46ebf37bdff8743f1a31f0b375628ad1ddeb4f95e295d4f9b38c71841a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
ec1419e6d13100a73f49f330f243c840

SHA1
f16f0f5226318a7b6ebc7a15d7b97d442aab4c7d

SHA256
3cc84a30e0ea020e2cc574906a850905c4ab921a0337aa1a9a8abf44c7502279

SHA512
e459f88a468559354a75f4e8c11baf9588a6585f13f3db4bdb71d12cd64642c49fcb24753357f3be451e3d709ba041cf31b12187a4d6f807546e9fb6d02803ea

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
b7cc928f146d52367d66c53691c5a046

SHA1
2fdb25fac6dd62de498f5a7f3beddf73e0719e3d

SHA256
a6345027cbe876b4710eb9fc121357662676caebf44baefb175b5aef62204cc6

SHA512
a69edf8948f28ea0438bac93f052b2bbde507db43d9a5a5a2a93b2bf42c424b3ed9bb0027e10bedacee1e62898d1b7c82f7e52a6d75de8b784ec3d447714e9b7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
622ed4023ce2e129d4a28fb04187e727

SHA1
e7b4f7fc2bf68afb45c7db13fc12b3e81cfd2869

SHA256
3daa5e2631f91cdf970ad120ee314283097c81bf40d7d76445fabe6b3dd8a740

SHA512
ab08cdc7ddbce43e8d27190aad999a5bc7bf26fc60f29b585cde2d8144da5f236613da4da2f39f35bb9923f92014bb902d607c57dbfb896c990ca08962e05f7f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
782d183c8b34a151368704bc070bf9eb

SHA1
21f6b96965f9ae2cee0ef998acdd29f14e58bcef

SHA256
dec547c495572b785c5ed3072ad14d531dd619958909d34f042f25033e1e7117

SHA512
286e919cf556d80f4046eefbafe859a027f0833f876e678605c56f40fc59e4cc4a7e7332b59af5f04b8ad7a3882b8908aaf07f89cb575edb213ea45466c1518b

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
51da34a4f22540e7676f7e66bbb3d544

SHA1
963a8594079797affc9f8761097d2923fbdaaa79

SHA256
9f28ece875b6bbe68f45aa53fc6d82f4891ba8112988e67c9d09c564ff6fced6

SHA512
33cc454adcbf59703a93e68a0523ff49a6e5dea120cfb16f4e5b74417b0bff426e8cf6c6adca7cc92c2a7f65ce626e7eece84b8f3f5c4199afce2a7a6c6f524f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
20e4eeb7490963431bef1299c2b64de5

SHA1
9541b3ddb8cb8b2d48aa9be46c106bd395198dab

SHA256
b819f55acabf94abe710b106fac322f1d9c057f39e096c2631d01b3c90f3e50a

SHA512
ebcf4127d4ef57527741071d5fa615364f95fbb712c776a97fac0260a9a7069d4686a53e0ed4f2b1d8f521508949de53efdab62116e5716c4de0d0f2254604e8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
c5f80edfd1807aeb554d24a3e661804e

SHA1
5d3a444ffcd32bb952c13d1134d8f4e186c10e57

SHA256
32a3440f6f45e9d65de23c26167803c2f81ed1a942de96f6a2ea1ccff05284c9

SHA512
85206e45e9dd83234181a2cb221ab149c9caa61d1bd85f0a734b1b0bc848feda6a4dc143ba864fe59b931c5e118954d3463160b9c7fba3066a93a408b1dbbe9e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
746e4975bc3ea9cbf33f38398e086dd0

SHA1
5efc12034542b215842bc25bae83292a40ae4d0b

SHA256
6f53085349f2d8e337bdd65890ffeaa6e611f5d637b9f0b02516b47441df706b

SHA512
d14a5708a2ecee2532155aecdf28b7bf357b7f7877f4e5ada0fdd24353858924eb745ea10adb86736e1b0ccde92561858d8e3977517984b231ea3b7dd510b36d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
7904b6687b5439d1ad5e30c139f9f538

SHA1
3fe7d94ea8b66845074da5aa5c3582f462338a7d

SHA256
715694d9982df7e66e3e104274f22ab9b87d074e5a7f0719e39c99c02de7b177

SHA512
91ec0e4eb79fdfc083091394b5a1948d65237c0d43e5893b6cb02b071587bb786212b48f8fa9327c43155ca719f4dc2ce4bcbb399223d03bea46a63145dbac9b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
07d95947a82b9f5ffa547b8d90c921a4

SHA1
706d9411d57b6d8f7ea0afaf5ab2210db3feacc6

SHA256
703605caa7c724e65e39ce610bf6967e8c10545751162a40cb445eb1c96caeba

SHA512
cd16f5fd154eb6655b76eb55b43b072b4f7071c84c0320e4528cf5a438f2eb7838edfe6294f69126bf24b1956f301597381bd54a506730ed0edc94d1ed3e7817

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a44f74415da1789f710be95eba46ecf8

SHA1
efe2550a1c6ea65b71b2ec71c3f427254f93465e

SHA256
403faf49802b8ad7184981f8249939f60cba2613c974ade2a970102936b267c2

SHA512
6e430c05776214225fa81e1da06d23db0717cc430a495efc593ef1b233440f0828143e3f6281d3e282bed08032efa130bb69b2cadd9a066b9375872811514b10

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
3edc1aad0455b91baca22d9264522afa

SHA1
7ae61a913faa8ded68e3b7b589edab93c8b74137

SHA256
c30697dfadc70f5a71afe50bdae82a191fa6ae47abf43c6884460d1b40d008a4

SHA512
c2f499764e853e1f1a800d93bda0389e75da6a9b02d2d6664bf4ae953060a9050661ca99b2b109e0becaadc793bc8d69fd187f285abb7d49e0ebd7afd07f781a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
f620cb0d38779a9a1bf336d1ecf08bd0

SHA1
6b4afc1d359bb05a0762b23c457078ba57059bd3

SHA256
1b0af35a023fd2c3c35ee4179fa606f5177ed307b750669e2017dc7602945c6f

SHA512
9e4213ed540a5500132f9819e72ced83165bf766667997d01737add11c5de90b8282996f458adba445224c1e56942e023d11035396f4bb72af193b3af655de5c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\866ab9756fda95782c282332a2dede82\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
f3fdc7ea0dceadf875ffc8fecffcff2a

SHA1
fbc4f1acb6cd37fd4201fe08162a945b4e387426

SHA256
9c294639bf122b105044019447715ae4374d9622485b672f92a312afca0327c2

SHA512
ef0888c4b1935bc2b4572dee02b060d99e3de2d415e3693c4d5f7f41ccbbea6659aa3e4349eb2f509449a418e0000adbfc48d131ab320609ff27f738773f59ab

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\996df3d5c887a7c8b3431c1b6aa7fba3\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
b67ea71ba1314a928e7888eaa46af70a

SHA1
542d45a34fb9946c7a67887696925bc6f4cb073e

SHA256
da032203a4f453dc85a066cef3766862bea830c19952a7e2d99120837497fc7e

SHA512
75d961078c063f12599d319d712b57cf36426f5dae4cb60c29a2cb143df82f826d0efe96e2fd413f1582e77c86b003b4a62b7d5b00e958028296958b3d9c7347

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9ff56478adc810b73a24c2be7f649858\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
82fbc08f56377dcc7708e15b8843e9a7

SHA1
cdd2d83f767f91fc758159ae1174a3e69808131d

SHA256
875b1c64a6aa4f8f9e22599284fa58266df4356a9bdb37831d175af3f12f6d77

SHA512
80d5812a05263352f63d5b61738170140e9c2a9b215e61b58fc35ab2474e396aa9607b59f03cf0dd15d1302c5c8b6e3c68cedf81cab50bb4f787970350832d7b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ac2e1ab5cae0ba75d0a7173ad624c222\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
1eff63517430e183b5389ba579ed93e2

SHA1
5891927b05adc6db5464fb02469c113a975ebbf0

SHA256
b56eb87a81a8777ae81fe8099d7f18dd11757dff104a9609a0568ca0b4ce0856

SHA512
2861ba07bfea6dbe1e349df886a401df47e9ca2a3846d1f8a269c6a558bdc5f5e4bf30cbaa8c115af801f2e5bf722084b88290e1dd10c4cedbc49a26e8eda844

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
4f3050cad6d6f29098761f4fc7621826

SHA1
9d43852d70b5baba0452ee655aed329efbc23671

SHA256
ba9f8705f871a2f4f56063f6b653da07f26a5b1bcf2e8882a43cd7a72167ac86

SHA512
5f8a4b9007d33c83336cb4398f40a7f07f8163bb6680d50f154314ae8ac59b3a556e60771f88a6765dcbe5d028940a4001c05a76fdf5edcd6dd143cb712febbc

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
d20da167b06bef5aa7fdf5b68c2354e2

SHA1
4b3890e0d13a30b60658b87903dc8f56a8f3898e

SHA256
e919becca94fbd51b6d70c5f64398f84046c2a2d7e26a7e708baa6162636839c

SHA512
6edf6074354ea7207c1df6bafc135b8a39df4c11ebe6d3e73acc3f619cd60d146655c92ae683ee84a95105320baab348e0eb141e223e93f5abc47ce1c6923b05

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
e3d9bcb990e4202c89a4f3e265652ccc

SHA1
c1598ee35268116f37d642e76a69b6dd77de9e45

SHA256
315227116e36dbf1b8df50225d4514c5c1ac9e72481ae3d7bba90bfce61b8306

SHA512
3eae772f50940f6a0d581219c3e68d04ae1caf99a61d58f0f856f79e5f8c6a51f73f8517d4821767428c709d3f0a46cfced9f24cf05c75841d4d1df3a8e89483

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
be151bc9e3067bf4e2cecf03e5064298

SHA1
0fc23263f0c82651df405454f9bb4ce094f73397

SHA256
40dda8b4734b53932303aad69e14b6c76facd03345071569e4f2dad53953ac91

SHA512
679650b79309cb250255c091beb309bc4100230e9e515ab9002ee61d8c0b65843cc3c6ac819cd73feeaefdd1b4db8e3b0372bdf7c9c7499de735a75f9c1d5f4c

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
b976105faa089e82ca5fe36e957478d4

SHA1
f136fd7ec5ff16b3db47b47471c0528616795f69

SHA256
57595f7f5aaca578480a17f12a0cff27d44faeca6d18e376f730cfb258336e38

SHA512
9294ee6700c00de91ced480f52d0f8965bc2d435a8c7ab249a7dd523c62dda7c14058ccb5cc06bd1e6f5942e8e7fab916113dc78aa9ecec1c4bc8ecfe5882a81

Download Submit
memory/236-429-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/236-449-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/536-414-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/668-13-0x0000000100000000-0x0000000100148000-memory.dmp

Filesize
1.3MB

Download
memory/668-109-0x0000000100000000-0x0000000100148000-memory.dmp

Filesize
1.3MB

Download
memory/668-23-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/668-14-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/760-643-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/760-302-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/760-99-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/760-105-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/760-104-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/776-635-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/776-622-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/1052-638-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/1052-624-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/1188-508-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/1188-492-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/1464-155-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1464-162-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1504-483-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/1512-651-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1512-95-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1512-96-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1512-90-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1512-283-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1512-92-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1544-693-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/1712-567-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/1712-574-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/1732-285-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/1732-301-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/1980-164-0x000000002E000000-0x000000002E159000-memory.dmp

Filesize
1.3MB

Download
memory/1980-422-0x000000002E000000-0x000000002E159000-memory.dmp

Filesize
1.3MB

Download
memory/1988-728-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2016-571-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2016-550-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2120-471-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2144-382-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2144-359-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2156-703-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2300-585-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2372-430-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2372-423-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2400-388-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2400-147-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2432-598-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2432-594-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2448-257-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/2448-75-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/2512-111-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2512-119-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2512-345-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2512-117-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2536-646-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/2536-129-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2536-132-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/2580-6-0x00000000004F0000-0x0000000000556000-memory.dmp

Filesize
408KB

Download
memory/2580-8-0x00000000004F0000-0x0000000000556000-memory.dmp

Filesize
408KB

Download
memory/2580-1-0x00000000004F0000-0x0000000000556000-memory.dmp

Filesize
408KB

Download
memory/2580-144-0x0000000010000000-0x0000000010143000-memory.dmp

Filesize
1.3MB

Download
memory/2580-89-0x0000000010000000-0x0000000010143000-memory.dmp

Filesize
1.3MB

Download
memory/2580-0-0x0000000010000000-0x0000000010143000-memory.dmp

Filesize
1.3MB

Download
memory/2660-682-0x0000000000A10000-0x0000000000A3A000-memory.dmp

Filesize
168KB

Download
memory/2660-674-0x0000000001FC0000-0x000000000204C000-memory.dmp

Filesize
560KB

Download
memory/2660-211-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2660-683-0x0000000001FC0000-0x0000000002026000-memory.dmp

Filesize
408KB

Download
memory/2660-65-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2660-59-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2660-671-0x0000000000980000-0x000000000098A000-memory.dmp

Filesize
40KB

Download
memory/2660-672-0x0000000000A10000-0x0000000000A2E000-memory.dmp

Filesize
120KB

Download
memory/2660-673-0x0000000000A10000-0x0000000000A2A000-memory.dmp

Filesize
104KB

Download
memory/2660-681-0x0000000000980000-0x0000000000988000-memory.dmp

Filesize
32KB

Download
memory/2660-675-0x0000000001FC0000-0x0000000002064000-memory.dmp

Filesize
656KB

Download
memory/2660-676-0x0000000001FC0000-0x000000000215E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-677-0x0000000001FC0000-0x00000000020AC000-memory.dmp

Filesize
944KB

Download
memory/2660-678-0x0000000000980000-0x0000000000990000-memory.dmp

Filesize
64KB

Download
memory/2660-679-0x0000000001FC0000-0x0000000002048000-memory.dmp

Filesize
544KB

Download
memory/2660-680-0x0000000000A10000-0x0000000000A34000-memory.dmp

Filesize
144KB

Download
memory/2716-319-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2716-303-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2728-495-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2728-480-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2736-521-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2736-509-0x0000000003CD0000-0x0000000003D8A000-memory.dmp

Filesize
744KB

Download
memory/2796-47-0x0000000010000000-0x000000001014B000-memory.dmp

Filesize
1.3MB

Download
memory/2796-73-0x0000000010000000-0x000000001014B000-memory.dmp

Filesize
1.3MB

Download
memory/2804-316-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2804-344-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2836-361-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2836-347-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2860-720-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2868-390-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2868-397-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2928-525-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2928-520-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2948-131-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2948-27-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2956-57-0x0000000010000000-0x0000000010143000-memory.dmp

Filesize
1.3MB

Download
memory/2956-32-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2956-38-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2956-36-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2956-30-0x0000000010000000-0x0000000010143000-memory.dmp

Filesize
1.3MB

Download
memory/2992-608-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/3016-545-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/3016-557-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/3040-448-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/3040-460-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/3044-537-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/3044-531-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download