52c657629359928d335faf3305132f8e9e927df1f416079953adbc6e2b3f5c66

Analysis

max time kernel
138s
max time network
151s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23/12/2024, 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
Size

1.2MB
MD5

71b625de639825efa82e6e30d5e23bcc
SHA1

5f9605a7535173a804faf070f7a4de15dab9f50a
SHA256

7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90
SHA512

13f3089f3c9e490711d87d792769cdd862ec0cdc8888248df33628482ad381f61a150d4338ebd928fa204221cff242e985689b945fc3c41ddd90d4556ccab835
SSDEEP

12288:2iJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:A/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2752	alg.exe
2884	aspnet_state.exe
2404	mscorsvw.exe
2608	mscorsvw.exe
1648	mscorsvw.exe
2964	mscorsvw.exe
1160	ehRecvr.exe
940	ehsched.exe
2292	elevation_service.exe
2004	IEEtwCollector.exe
316	GROOVE.EXE
2112	maintenanceservice.exe
2056	msdtc.exe
1716	msiexec.exe
1308	OSE.EXE
1608	perfhost.exe
2988	locator.exe
2888	snmptrap.exe
2664	vds.exe
1652	mscorsvw.exe
2608	vssvc.exe
1912	wbengine.exe
1936	WmiApSrv.exe
1508	mscorsvw.exe
948	wmpnetwk.exe
2068	mscorsvw.exe
1720	SearchIndexer.exe
2236	mscorsvw.exe
2284	mscorsvw.exe
2676	mscorsvw.exe
2304	mscorsvw.exe
1508	mscorsvw.exe
2528	mscorsvw.exe
3144	mscorsvw.exe
3264	mscorsvw.exe
3380	mscorsvw.exe
3508	mscorsvw.exe
3608	mscorsvw.exe
3704	mscorsvw.exe
3800	mscorsvw.exe
3908	mscorsvw.exe
4032	mscorsvw.exe
2656	mscorsvw.exe
3208	mscorsvw.exe
3324	mscorsvw.exe
3392	mscorsvw.exe
3436	mscorsvw.exe
3632	mscorsvw.exe
3772	mscorsvw.exe
3884	mscorsvw.exe
2068	mscorsvw.exe
4052	mscorsvw.exe
4072	mscorsvw.exe
3908	mscorsvw.exe
1576	mscorsvw.exe
2416	mscorsvw.exe
3108	mscorsvw.exe
3288	mscorsvw.exe
3356	mscorsvw.exe
3144	mscorsvw.exe
1512	mscorsvw.exe
3456	mscorsvw.exe
3448	mscorsvw.exe

Loads dropped DLL 58 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1716	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
752	Process not Found
3908	mscorsvw.exe
3908	mscorsvw.exe
2416	mscorsvw.exe
2416	mscorsvw.exe
3288	mscorsvw.exe
3288	mscorsvw.exe
3144	mscorsvw.exe
3144	mscorsvw.exe
3456	mscorsvw.exe
3456	mscorsvw.exe
3660	mscorsvw.exe
3660	mscorsvw.exe
1124	mscorsvw.exe
1124	mscorsvw.exe
2556	mscorsvw.exe
2556	mscorsvw.exe
2704	mscorsvw.exe
2704	mscorsvw.exe
1504	mscorsvw.exe
1504	mscorsvw.exe
3132	mscorsvw.exe
3132	mscorsvw.exe
3288	mscorsvw.exe
3288	mscorsvw.exe
1544	mscorsvw.exe
1544	mscorsvw.exe
2040	mscorsvw.exe
2040	mscorsvw.exe
3944	mscorsvw.exe
3944	mscorsvw.exe
2236	mscorsvw.exe
2236	mscorsvw.exe
2528	mscorsvw.exe
2528	mscorsvw.exe
3412	mscorsvw.exe
3412	mscorsvw.exe
3300	mscorsvw.exe
3300	mscorsvw.exe
3452	mscorsvw.exe
3452	mscorsvw.exe
2512	mscorsvw.exe
2512	mscorsvw.exe
3728	mscorsvw.exe
3728	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\dllhost.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\locator.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\vssvc.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bc9106de5f6c6349.bin	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\System32\vds.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\wbengine.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\System32\alg.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\System32\msdtc.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\msiexec.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3DAC.tmp\Microsoft.Office.Tools.Word.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC1E8.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF805.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCB7A.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA48.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBDA4.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\mycomput.dll,-112 = "Manages disks and provides access to other tools to manage local and remote computers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\SnippingTool.exe,-15052 = "Capture a portion of your screen so you can save, annotate, or share the image."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000a036351c7d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-308 = "Landscapes"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\pmcsnap.dll,-710 = "Manages local printers and remote print servers."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mstsc.exe,-4001 = "Use your computer to connect to a computer that is located elsewhere and run programs or access files."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008 = "Windows Mobility Center"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
956	ehRec.exe
3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2884	aspnet_state.exe
2884	aspnet_state.exe
2884	aspnet_state.exe
2884	aspnet_state.exe
2884	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	2964	mscorsvw.exe
Token: 33	1132	EhTray.exe
Token: SeIncBasePriorityPrivilege	1132	EhTray.exe
Token: SeDebugPrivilege	956	ehRec.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	2964	mscorsvw.exe
Token: SeRestorePrivilege	1716	msiexec.exe
Token: SeTakeOwnershipPrivilege	1716	msiexec.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	2964	mscorsvw.exe
Token: SeShutdownPrivilege	2964	mscorsvw.exe
Token: SeSecurityPrivilege	1716	msiexec.exe
Token: 33	1132	EhTray.exe
Token: SeIncBasePriorityPrivilege	1132	EhTray.exe
Token: SeBackupPrivilege	2608	vssvc.exe
Token: SeRestorePrivilege	2608	vssvc.exe
Token: SeAuditPrivilege	2608	vssvc.exe
Token: SeBackupPrivilege	1912	wbengine.exe
Token: SeRestorePrivilege	1912	wbengine.exe
Token: SeSecurityPrivilege	1912	wbengine.exe
Token: 33	948	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	948	wmpnetwk.exe
Token: SeManageVolumePrivilege	1720	SearchIndexer.exe
Token: 33	1720	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1720	SearchIndexer.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	2964	mscorsvw.exe
Token: SeDebugPrivilege	3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
Token: SeDebugPrivilege	3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
Token: SeDebugPrivilege	3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
Token: SeDebugPrivilege	3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
Token: SeDebugPrivilege	3056	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	2964	mscorsvw.exe
Token: SeDebugPrivilege	2884	aspnet_state.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	2964	mscorsvw.exe
Token: SeShutdownPrivilege	2964	mscorsvw.exe
Token: SeShutdownPrivilege	2964	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	2964	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	2964	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	2964	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	2964	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	2964	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	2964	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	2964	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	2964	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	2964	mscorsvw.exe
Token: SeShutdownPrivilege	1648	mscorsvw.exe
Token: SeShutdownPrivilege	2964	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1132	EhTray.exe
1132	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1132	EhTray.exe
1132	EhTray.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2956	SearchProtocolHost.exe
2956	SearchProtocolHost.exe
2956	SearchProtocolHost.exe
2956	SearchProtocolHost.exe
2956	SearchProtocolHost.exe
2460	SearchProtocolHost.exe
2460	SearchProtocolHost.exe
2460	SearchProtocolHost.exe
2460	SearchProtocolHost.exe
2460	SearchProtocolHost.exe
2460	SearchProtocolHost.exe
2460	SearchProtocolHost.exe
2460	SearchProtocolHost.exe
2460	SearchProtocolHost.exe
2460	SearchProtocolHost.exe
2460	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 1652	1648	mscorsvw.exe	51
PID 1648 wrote to memory of 1652	1648	mscorsvw.exe	51
PID 1648 wrote to memory of 1652	1648	mscorsvw.exe	51
PID 1648 wrote to memory of 1652	1648	mscorsvw.exe	51
PID 1648 wrote to memory of 1508	1648	mscorsvw.exe	65
PID 1648 wrote to memory of 1508	1648	mscorsvw.exe	65
PID 1648 wrote to memory of 1508	1648	mscorsvw.exe	65
PID 1648 wrote to memory of 1508	1648	mscorsvw.exe	65
PID 1648 wrote to memory of 2068	1648	mscorsvw.exe	57
PID 1648 wrote to memory of 2068	1648	mscorsvw.exe	57
PID 1648 wrote to memory of 2068	1648	mscorsvw.exe	57
PID 1648 wrote to memory of 2068	1648	mscorsvw.exe	57
PID 1648 wrote to memory of 2236	1648	mscorsvw.exe	59
PID 1648 wrote to memory of 2236	1648	mscorsvw.exe	59
PID 1648 wrote to memory of 2236	1648	mscorsvw.exe	59
PID 1648 wrote to memory of 2236	1648	mscorsvw.exe	59
PID 1648 wrote to memory of 2284	1648	mscorsvw.exe	60
PID 1648 wrote to memory of 2284	1648	mscorsvw.exe	60
PID 1648 wrote to memory of 2284	1648	mscorsvw.exe	60
PID 1648 wrote to memory of 2284	1648	mscorsvw.exe	60
PID 1720 wrote to memory of 2956	1720	SearchIndexer.exe	61
PID 1720 wrote to memory of 2956	1720	SearchIndexer.exe	61
PID 1720 wrote to memory of 2956	1720	SearchIndexer.exe	61
PID 1720 wrote to memory of 296	1720	SearchIndexer.exe	62
PID 1720 wrote to memory of 296	1720	SearchIndexer.exe	62
PID 1720 wrote to memory of 296	1720	SearchIndexer.exe	62
PID 1648 wrote to memory of 2676	1648	mscorsvw.exe	63
PID 1648 wrote to memory of 2676	1648	mscorsvw.exe	63
PID 1648 wrote to memory of 2676	1648	mscorsvw.exe	63
PID 1648 wrote to memory of 2676	1648	mscorsvw.exe	63
PID 1648 wrote to memory of 2304	1648	mscorsvw.exe	64
PID 1648 wrote to memory of 2304	1648	mscorsvw.exe	64
PID 1648 wrote to memory of 2304	1648	mscorsvw.exe	64
PID 1648 wrote to memory of 2304	1648	mscorsvw.exe	64
PID 1648 wrote to memory of 1508	1648	mscorsvw.exe	65
PID 1648 wrote to memory of 1508	1648	mscorsvw.exe	65
PID 1648 wrote to memory of 1508	1648	mscorsvw.exe	65
PID 1648 wrote to memory of 1508	1648	mscorsvw.exe	65
PID 1648 wrote to memory of 2528	1648	mscorsvw.exe	66
PID 1648 wrote to memory of 2528	1648	mscorsvw.exe	66
PID 1648 wrote to memory of 2528	1648	mscorsvw.exe	66
PID 1648 wrote to memory of 2528	1648	mscorsvw.exe	66
PID 1648 wrote to memory of 3144	1648	mscorsvw.exe	67
PID 1648 wrote to memory of 3144	1648	mscorsvw.exe	67
PID 1648 wrote to memory of 3144	1648	mscorsvw.exe	67
PID 1648 wrote to memory of 3144	1648	mscorsvw.exe	67
PID 1648 wrote to memory of 3264	1648	mscorsvw.exe	68
PID 1648 wrote to memory of 3264	1648	mscorsvw.exe	68
PID 1648 wrote to memory of 3264	1648	mscorsvw.exe	68
PID 1648 wrote to memory of 3264	1648	mscorsvw.exe	68
PID 1648 wrote to memory of 3380	1648	mscorsvw.exe	69
PID 1648 wrote to memory of 3380	1648	mscorsvw.exe	69
PID 1648 wrote to memory of 3380	1648	mscorsvw.exe	69
PID 1648 wrote to memory of 3380	1648	mscorsvw.exe	69
PID 1648 wrote to memory of 3508	1648	mscorsvw.exe	70
PID 1648 wrote to memory of 3508	1648	mscorsvw.exe	70
PID 1648 wrote to memory of 3508	1648	mscorsvw.exe	70
PID 1648 wrote to memory of 3508	1648	mscorsvw.exe	70
PID 1648 wrote to memory of 3608	1648	mscorsvw.exe	71
PID 1648 wrote to memory of 3608	1648	mscorsvw.exe	71
PID 1648 wrote to memory of 3608	1648	mscorsvw.exe	71
PID 1648 wrote to memory of 3608	1648	mscorsvw.exe	71
PID 1648 wrote to memory of 3704	1648	mscorsvw.exe	72
PID 1648 wrote to memory of 3704	1648	mscorsvw.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
"C:\Users\Admin\AppData\Local\Temp\7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2752

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2404

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 240 -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 23c -NGENProcess 1d8 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 25c -NGENProcess 250 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 244 -NGENProcess 240 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 264 -NGENProcess 234 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1d8 -NGENProcess 240 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 26c -NGENProcess 244 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 244 -NGENProcess 24c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 264 -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 260 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 254 -NGENProcess 27c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 25c -NGENProcess 260 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 280 -NGENProcess 274 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 27c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 274 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 284 -NGENProcess 294 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 254 -NGENProcess 274 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 298 -NGENProcess 28c -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 294 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 274 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 234 -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 238 -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 248 -NGENProcess 250 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1e8 -NGENProcess 288 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 240 -NGENProcess 244 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 244 -NGENProcess 248 -Pipe 120 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c4 -NGENProcess 240 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 244 -NGENProcess 11c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 214 -NGENProcess 1d0 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 1d0 -NGENProcess 1c4 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 254 -NGENProcess 11c -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 11c -NGENProcess 214 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 2a4 -NGENProcess 1c4 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 1c4 -NGENProcess 254 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 274 -NGENProcess 214 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 214 -NGENProcess 2a4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 294 -NGENProcess 254 -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 254 -NGENProcess 274 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 290 -NGENProcess 294 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 234 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:3968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b0 -NGENProcess 274 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 290 -NGENProcess 2b8 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2a4 -NGENProcess 274 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 274 -NGENProcess 2b4 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2c0 -NGENProcess 2b8 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2b8 -NGENProcess 2a4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2c8 -NGENProcess 2b4 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b4 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d0 -NGENProcess 2a4 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2a4 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2e8 -NGENProcess 2c0 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2fc -NGENProcess 234 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:1168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2c8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2c0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2c0 -NGENProcess 2fc -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2fc -NGENProcess 2d0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:3288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 310 -NGENProcess 308 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2c0 -NGENProcess 318 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 320 -NGENProcess 308 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 314 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 300 -NGENProcess 308 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 32c -NGENProcess 320 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 304 -NGENProcess 308 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 334 -NGENProcess 324 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 320 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 304 -NGENProcess 340 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2c0 -NGENProcess 320 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 344 -NGENProcess 338 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 340 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 320 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 338 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 340 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 320 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:3132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 338 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 340 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:3192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 340 -NGENProcess 354 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 34c -NGENProcess 364 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 36c -NGENProcess 35c -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 354 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 34c -NGENProcess 378 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 358 -NGENProcess 354 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 37c -NGENProcess 370 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 370 -NGENProcess 37c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 384 -NGENProcess 354 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:4020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 340 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 340 -NGENProcess 358 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 34c -NGENProcess 38c -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:4032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 394 -NGENProcess 384 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:3084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 358 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:3136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 38c -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 384 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:3300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 384 -NGENProcess 398 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 3a8 -NGENProcess 38c -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:3452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3a0 -NGENProcess 3b0 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 394 -NGENProcess 38c -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3ac -NGENProcess 3b8 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 354 -NGENProcess 38c -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:3684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 38c -NGENProcess 3a8 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:3728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 3a8 -NGENProcess 3b4 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3c4 -NGENProcess 3ac -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 398 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:4068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 3b4 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 3ac -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:4080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 398 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3b4 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 3ac -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 398 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3d8 -NGENProcess 3e8 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:3200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3cc -NGENProcess 398 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:3148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3ec -NGENProcess 3e0 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:1268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3e8 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:3400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 398 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:3580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3e0 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  PID:3340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3e8 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:3008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3f4 -NGENProcess 404 -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f0 -NGENProcess 3e8 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 408 -NGENProcess 3fc -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:3696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 40c -NGENProcess 404 -Pipe 1b4 -Comment "NGen Worker Process"
  2⤵
  PID:3836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 404 -NGENProcess 3f0 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 414 -NGENProcess 3fc -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:3796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 3fc -NGENProcess 40c -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 41c -NGENProcess 3f0 -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 420 -NGENProcess 418 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 418 -NGENProcess 414 -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  PID:1240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 404 -NGENProcess 424 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 42c -NGENProcess 41c -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 41c -NGENProcess 418 -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 434 -NGENProcess 424 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 424 -NGENProcess 42c -Pipe 430 -Comment "NGen Worker Process"
  2⤵
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 420 -NGENProcess 440 -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:1268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 404 -NGENProcess 42c -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:3400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 444 -NGENProcess 424 -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  PID:436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 424 -NGENProcess 420 -Pipe 440 -Comment "NGen Worker Process"
  2⤵
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 44c -NGENProcess 42c -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:3448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 424 -NGENProcess 448 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:2120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 43c -NGENProcess 450 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 458 -NGENProcess 42c -Pipe 438 -Comment "NGen Worker Process"
  2⤵
  PID:4028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 42c -NGENProcess 424 -Pipe 448 -Comment "NGen Worker Process"
  2⤵
  PID:772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 424 -NGENProcess 42c -Pipe 460 -Comment "NGen Worker Process"
  2⤵
  PID:4036

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3772

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:1160

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:940

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1132

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2292

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2004

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:316

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2112

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2056

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1308

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1608

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2988

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2888

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1936

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2956
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  - Modifies data under HKEY_USERS
  PID:296
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
d987dcf1e1b4f5a7ccfddd557d225335

SHA1
528e32baca57b7440103dee8538948e2d30267b7

SHA256
382c6255af51fe02eb72dc5bc87838a92f1146791d396b9d62a48837b4f34bc3

SHA512
08e6b480f1489a1ed0a9aa5d011fbd0ecd74e06d8efdc9a28dc9c02daba5c944f2f3121a6ba858493afead804261a7a9082832642bcc400a2bac9412b139116c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
6eed5624fc278f9fada0c150471818c8

SHA1
ed09ee0712b5b787a883e4b220e6ba2f1420a666

SHA256
591844e99189696e4506040550915358980b6b50c2d9d38e898a7d33b292c7e7

SHA512
efe40355e980508b62a1a0d4a7394d5e6e176e19a1ad10fa9f05a0af9120272cb606a82972dea11cbc478229953104981749f2721a922f317683cb81d5e02272

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
954f9e8ce1289780e8b2a04ce2583ad0

SHA1
d75a174aea8ce2cdd82db642ea82c8507c8c49f9

SHA256
bd93491ae551a8794cc3425219739309267e8a2c0935e08bfd2cc46e3f2200ed

SHA512
1dc2ba9d17b2d3b849353b73b31e8a7bbe6db678d894dd90a68b6e98d5768ec52a47d2cf80d1d41e182590e67dfe602c648bac233c12ac643306972c6c54128c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
f0bb9083772db3f3772952ef0e8fd57f

SHA1
4ffc441de43afff0e1b46a8a30aeb984122638d4

SHA256
7dd23dcf52edc4af34d6463e2b113c7c94d718d48a945e27faf9ef81c1c71256

SHA512
283a505b6de0f2aced867d8e49d2d741fef0c4337a0733e6220cacd1536f6e7324bc4c849a4fb6caa97797b465c5d72e19e4c278a5efe418d4147d510479474b

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
b72a2836af49ed17855186c8006b56e4

SHA1
a32325f5230991acf880b4872f34e8aaaeabb95d

SHA256
b3acb9523eaac95ad473d4a19f1ec4472dececa6c53056b95134d48a24508333

SHA512
1742ca2f7c80f31953f4164d64e0e93e0ee1aa8bf7742f491cc28b8209b9158464d6780f1140964b9705343ea9018a572ce360b9b108edde3ae1b0bfa14e6e71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
ccf989783075512e27a615e49924a787

SHA1
0bc3157b3e523c134ad972c97d0088c6c74e439a

SHA256
f30d1908b89d9c7ec793bca6ae099bab641a88ac1595d3eab2bcf704b1c64737

SHA512
39b14e3409b8467e4e154c8b280e96fc0a2ba49289828deee4eb0421953bc98574168e8afc157b9dc26c6fccf107730c00e5d0d3874b3b60a789baac2c091526

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
a83db51a89f39d77df8ba94be5c11c25

SHA1
938392453412c9bbddf6383b51044914310d37c0

SHA256
bc68f01675f55782b45c89a28e9b82262c8d3b6e8374fcba541cc1bed24ed133

SHA512
dbea2cb86b94d239ec82d8bfb14eee7dd0e425473d1b02ea0c07c5d851c7a0b5759f647bd093c6c16dca04c5ae34a520655d27d83d60abe9ef460ad654bc9a50

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
32545ae1ce42370d5d629516927b045b

SHA1
0a82428b71741e9466a19f8a1cdf7019840ddcd6

SHA256
9e4ecfdd95314411fdc289166a32e7a83c4dd118bb07c5c469886aaa1361f4b5

SHA512
5c9936e7b5bf78ca2f164b93fbb01bb3951d3e08778e67c2c02676d9284578e1dc55028989d3c7f93cd28e28f5d08e2e4c4a5b00d65fbdecf6fe3eda0681e96b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
dbc08d1bf2dbe59e877d60461b979fdb

SHA1
5de68c8b8849904db509572af9e0eb9797a923c4

SHA256
58782eb0f93f6e1e65e9e3a83090c38abada5eed39dde298be6bb438ec27a909

SHA512
69aac4f314aa2cc32ce8bee12417f10fe0fc12a5cf7e135537bbe492e172d6191c7f066a14550442186a9a043427f2d30f184a882f2127b37a8410fbdd1dde31

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
c15d7e8b5b306b7ae0b24126313555dd

SHA1
2578beaec091df5a19ef1ff9fe9465220e2ba871

SHA256
ac42ba2d05b933035eb7dda2849330c1b5a70a06c32a49108e65a60cd85c1142

SHA512
3680159b6c2fb0b47ec18aab9611c89bfecfb381871b03fbee60c7d78a4f24b7d8f7caaa7b1baf619d7a3f30992fe31666866f22168ae4d508a8c000bbeb9c76

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
b782586a5e082533ab13fcb23a584261

SHA1
22347715f93791a75220da3b71cb78565e8e700f

SHA256
3dddd691b83e1625e73178298f436e05c112a8d7c6a6e2c13f59228c317105d1

SHA512
881953a555c361d9c54be7abe2c74acf7f1ad370fd03669c2660bae6cba7efd3252b771ba5ba8b9990918b825d8a35d6d5b3ad22871a9804a615a60b1d0dffe2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ca09ecd6273fd1027c15da82ffc0a0e5

SHA1
77b31a2b94e2993bbfdbacdbc3158bda451e597b

SHA256
cdba2613ca567261f15f69253d24cc22aaa4582957f25bd5fca691af61353f68

SHA512
d4e6c27cdef0825ef1e42fbefa75daea025ee63ab31da93dd1a5e9d995ad29f2b8ee9d8c143fd834cd965b6c5eba1ba75f0cc5b43431f891454f2e3d26457f17

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
f132fba4ac40f625caa7eb21e534f6c1

SHA1
703b67917fc02e3d9173dea5cd46964adeb9cf90

SHA256
a5376d0abf6782ed8ad0d092a59938303ad30229bf0a19de47943b5aa4fa47ca

SHA512
6cfe9f3953f330d97fa6636a45877d908ac9be0e1613ac2da6d060fb318755f1ae11a7d07dc5e37fe27649495293f482c20d459f7a52f3090d3f5ccb5230c5ef

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
4f90c42877fab347733bd923046d79ae

SHA1
39cc87a3493b97574ed42fb197406dfea11939eb

SHA256
9cb0042cc43b7c7a698408fc51366acc93a918a946183488970f1f5ae99d9ec3

SHA512
2561f91a63d81c9f270f6beb8132ee02e2986aeac30687aaa2ba415489e33a47f736755c61e7664c0094282e529fb8499b9bfd1f38204f6f1454e0e825b94147

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
1f6cf359100e1a7291cce3de4a512bcd

SHA1
d7fd99f800526b5f0c3eef49a208eeb949d35706

SHA256
ab5c5733785b4c66ebe1384074ebd7b8cb154f105e464be81711886c1ce2876f

SHA512
9fb4e6f1fd5b76ce1cdcacd9d641808937931c6d2a5c043622f40d1c9c68c278ec39d417b019f4a56a9df00f802735e637646525feb4785581357e085dad2c85

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
f5374a8d61a8543e93ed11747c09126a

SHA1
981ee762424df593eff7448cd22e22c78d18ad13

SHA256
94be943aa1e3f4494c96cd971a6cdf83d46fdaa4cc31096b1d0c821f6501f6e1

SHA512
5332c37b044b8ebced3a59a8b2bf3eeb2394371cf86dab66e75bccf7407edbb481aa4e46d1f7f86ec9c9f20fe0fdc095141c693ed4e52c731632c3e6f3f49cb2

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
bff1e09ac464124dc4d2f6d1b5e4671b

SHA1
6a883ba29e623805f3e2952b3989d9673e94085a

SHA256
114d3bf1bed57805fb3e3745f3d71a6897da9cfb9ce67d144d7bb15fda1242da

SHA512
f7bc017bd140ab6937da625a91c1da66e1907fcfed3ad41da7b11018f959de6f33a83f9e27b0872f8a8ae3e257a941e19e12a22dcf8c2d5d6214f453bb71f78d

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
6630abf5f8fd82705b34bab4df67f45d

SHA1
83a63bafe319edc4cde54d2174fc32fff7f57767

SHA256
eebf757ba763efcfbd259f6de8f5a585b20c7131e91e86a6fa996cb76ef22a3e

SHA512
7005dc975c92807f3689299a274dd21f40110dd89a03329c0957290273a9841187eb782437fe44068c99fb884bca3e3256f5796789dee06f082a106f55836ce7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
5f8e535a697bf707fa51e3e2a3aa1f19

SHA1
a2663b6acd4dcf2f8a80570a516eab3b2fc315de

SHA256
2628e1873cbd1e4b25325fd4f69148f9e82d5299262b08e86f655be1b6a835e8

SHA512
331ccf98ce0f2741b46182f808aa1783b6c8705d5db4acc1c24aaea6d648f515f274b4a9b6006a8dd47a19c57cb58da356ca631da839908239c4c35ee0e704fe

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
6f5a955af68d7a8aca21a9f05de87032

SHA1
2a49ea5c7f0fbbe5514f124e125c407b5255586b

SHA256
1b8aa81646af959d6449056c3cdab5c229abe69a5d4df7badbe48ac693e7f7a4

SHA512
cc958615b02b94cdbf15e557f5a328b7fa0512c03241198ad49d8284249ad3468dcb3f5caf81a8b5a4e33b7705c257eb6ae4b0629596a017228f720b53b46609

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
34edbee7b9c7bf2667487c2ab3a33363

SHA1
fa78ac87aa11eac921194d4309d8ce654024b526

SHA256
7aede9c09c5197f5f873b01be131a9c12169212cd7fc4fda70f86fde8b7f5fd9

SHA512
4c55a921d46db5c08ffce495849cb57cdcb6b38b35df1887225cddb1b6eb94afcc7241d6ebfe6b7b49d2b26d76a2ec3e6fc12d6635ca72082a9800c4dd8328f0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
313dcdb497dd8b914c347046000ab6ff

SHA1
0e429deb6b6950bd197f9eee8623c0edc06f4a82

SHA256
d4972139ff43cde5747812f66e7a96e863ca85b56ce1cd911dc94c079fed494c

SHA512
b5b59411bf275ef6fd37ed7c0d2249ed33e209b09ea89c160158920c71b352906c0d1e3931eeefa27557b98c6c2250779108a12465484d313e427127f81d709b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
69c19da3d815339032f391fcd71f8bb2

SHA1
387708751c585daaa220f4982c690fc069454a64

SHA256
6b7df9ed8ceb7ce350a75d21cc132f6732ba693fae04f460b2df66c931df8cbc

SHA512
9db794ea794ea148ddbe4e20e3729a529b7240922cf3c288094590a79872cf3a68ffae8a6ec950425a45055ecb2a155d975630c462a9d051697a0c6f4fe09b4b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\116143eae72eeb276e7b95b8fcc31364\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
82c01b6155279d77c58585d15d02e42d

SHA1
f0a1a1fdd734cd5c2562f331d86373d879f9600b

SHA256
0677054feefe590846e49c847e55df60f55d382028d98dca09e04f41a48eec64

SHA512
2984dccb493131dd63bbbaff71d1492eb9b5a2009fe43f0933b40e2b75f12140f7843b1d5bb467892093accd1cca98ea5eda4af50643dda9ddf15e0b070671d6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\2ece0b6ebc4e9f20079a408a47ba3a68\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
6807592d2509cabe7aace6ae904e73d7

SHA1
5a8e806c54c8a2f7e14da0aeda57c97329ff885c

SHA256
e2138a947eb89a2446754026a4f078683bd963316cc79c7bf45a6597bad1e341

SHA512
16738a60421ec9250e6f59803985ea3f35a60e9d4a0d39c1113784b34ba6664e6cdc4638f2decde0578b7a9b14ae682a5e46fb87397f1e73b0dc3d90759fa52a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\43ac81bed18b52d77a8011ada80939b5\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.ni.dll

Filesize
296KB

MD5
7687295a6e19cc656b077e6a61629d4e

SHA1
fa1025de5cffb56a3d1f8cae9d09b7171b33326e

SHA256
ad8d210d001d3298ad4e1cbf08449b2cbd2b358d28cfad99db78639627a7cb86

SHA512
19de95fd90bc6f091e785074ee71dc15d450d65fbdea933e26650fb9c747d81ae2fca7f5f83192f17451a49a314d264cabea2202c805b6ffab729d381675734c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\48a294a6ff9cea6b26c38fc8b4f5e3e8\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll

Filesize
356KB

MD5
87111e9d98dc79165dfc98a1fb93100b

SHA1
4f5182e5ce810f6ba3bdb3418ad33c916b6013c8

SHA256
971188681028501d5ac8143b9127feb95d6982417590af42cf1a43483e38bd42

SHA512
abbb246d620e8a2ab1973dde19ff56ea1c02afa39e889925fe2a1ba43af1ad4ff6eb017e68578ae520109b3e290b3d9054d7537eb2df0ede6e0fbca8519cc104

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5f2320d38621eb541713e6cd421c2b8a\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.ni.dll

Filesize
648KB

MD5
7ebbba07bc6d54efd912bcd78b560b7b

SHA1
a6aee1a80ddcdf201301ac29293c62d58bcc941d

SHA256
637dc357ff9011902186f2fd128ca74ac84fdb6d984f15036803b6a8fe28868a

SHA512
2139a0d520ed70b72dc76fdd0555185386c9c22de1e1fb7eaac0607b313500c44f856c76ac6e2cd72148ea0b86b10bdd2b0ab7daacfc945cb66a637b8d99cfe8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\6cb0cb4a4857526e7a22e02cb4d7805a\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
658cb9b7ea885f708a6bf401f674d97f

SHA1
84dda888441b78534bd9ea613d6c6202c620b050

SHA256
5badcc5b19f6c7da78fd34f2e3faa09857a3bc8f1c29d1ef7b034c6c72ebda8a

SHA512
7d0873853b9698b9ae3bd15d871e884a6b38099750bc045ecaf6df11645ea55d62beb3853b3eef0e3fffc83a756567c0673daafba4b497e462732db3a0f8c0b4

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

Filesize
1.2MB

MD5
0637ad2bf6fc5ac1d29e547155bc818c

SHA1
a502879466b6dd37eae5881bbb18353f97623852

SHA256
868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f

SHA512
1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a05ee2388c8a28fb3ac98ec65148e455\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

Filesize
65KB

MD5
da9f9a01a99bd98104b19a95eeef256c

SHA1
272071d5bbc0c234bc2f63dfcd5a90f83079bbab

SHA256
b06632dff444204f6e76b16198c31ab706ea52270d5e3ae81626dc1fc1fb1a4d

SHA512
dcb3273e33b7df02461e81a4f65ae99c0a9ae98188a612ce6d605a058bd2dcb6ddb5b7c78abe1f0a955b7f0c07c323dbfd77a2b6a629a9c87e4ecc1c57e4d81d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ac2e1ab5cae0ba75d0a7173ad624c222\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
1eff63517430e183b5389ba579ed93e2

SHA1
5891927b05adc6db5464fb02469c113a975ebbf0

SHA256
b56eb87a81a8777ae81fe8099d7f18dd11757dff104a9609a0568ca0b4ce0856

SHA512
2861ba07bfea6dbe1e349df886a401df47e9ca2a3846d1f8a269c6a558bdc5f5e4bf30cbaa8c115af801f2e5bf722084b88290e1dd10c4cedbc49a26e8eda844

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b8e029b1434d965380b363483e376df0\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.ni.dll

Filesize
329KB

MD5
eb09a7062a66a50fe2cb16c4a80561a7

SHA1
33b4c71ced7644be9802374a4f04c866394daaca

SHA256
e94a4ad1ef9de2886a231e857c8691328c2e6e344cc9e82440e5c45b8a788256

SHA512
c57a4c626c87032ca422df04ce7c3322662a9b0c6c06a46e93f08ca8f431295c9ae802cd79f53cae5de2b39a30bbeb756c966880e874ed44115cf511cc1ff920

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bf3e8ba642eaf9a5371982f211550c52\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.ni.dll

Filesize
278KB

MD5
d74d434aa70ce827715b5e0ac7eda5be

SHA1
b53f3374be4c96af51c78fd873de1360f17c200f

SHA256
54701cbe719b08b2393b9f4a604c372f9a280b5d3dd520b563d2aea7d69a1496

SHA512
631d09a0ff39ece829f5c23278c2c030e5ff758b285128edb7805682de75b5be1aedd914d2325f79ec98d0103660a39ae1f1a5782f5dad038b143f3774c098df

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD21E.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
d16fa0c3fc33bb59edd7f7ec8feea485

SHA1
0333602aa6c52c2e7186ff17da12845adf4b6f79

SHA256
edc7f884af035e4d43cfbf889e8bb18997a5bfe466c650b3fb80d81895e4b071

SHA512
f7bed26e1442385a8d5f58d37098328b424063d04799c8ed68ac89061dc7d3be72c2afb065d19142b98666bd3973a6cf6d74e48c05eaa029290659836b087d92

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
360e2c5ae70bb917e218fc1a9c5a953f

SHA1
4cae7c1fb63db9e0b6bd4856ffcebd2c2bee7732

SHA256
c0a6f8ba96f94447149ce889368a584339fb374777f146e27be6e8b15b7ab34e

SHA512
cdafa996d79a544911dbf9d63e0e575eaeb58c23583ff2e9c2af9dc4231638cc2298d05d7a25de03482624e0a07c95d2be8775d06849619834f4f87af2ad59db

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
dabf641ff18df1d7a85946e18e66b50e

SHA1
b941d60c4acb26f9936f8513bc5afd3c8d3a7884

SHA256
297100dfef7aa08853c868ebe71739852646be8406c29547bcc5b46d0c333e7a

SHA512
8b633308856aa1ff22bf1daa20a355f073a5869dcaa83d915a826c33dbbb1332c7884ed77f9d3c895fe2aebfafc55a719dd3de3af0979ec39f870b501cbb1f00

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
5e3cec2777ed2c0dd3bea4b088f6199c

SHA1
499cd8f887afaf79a47d559069c3b8ac05fe10d6

SHA256
004ebccc5e1df0ec36e03f9a2a2c33d723d9c2466b4d700ad0cc5c05179edb8a

SHA512
b7d36d8904725af55935a783a2888f669b3dbf38af376c0026630caf611e08db0fb8552d733970e62524994bd65d3fd3eddf403c8633815463363fd5c5da0d34

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
7b07876e366b30b3dcee9702ac697010

SHA1
74fad15ffed70d8495edaa1685b8adf9bcfefbef

SHA256
00c93504029945e766d29f81b30ecaacf2595a238fdcc3849c8c86f0536971e7

SHA512
789f3e1b690468020897063a6b471cf4a5a5dba869c51a39ae17a00668845c131bd769182c5a6e277b843a983186bbbdc3081990b1d0822e0efe1c15db119ecc

Download Submit
memory/316-133-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/316-125-0x0000000000A40000-0x0000000000AA6000-memory.dmp

Filesize
408KB

Download
memory/316-208-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/316-130-0x0000000000A40000-0x0000000000AA6000-memory.dmp

Filesize
408KB

Download
memory/940-94-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/940-180-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/940-102-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/940-100-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/940-751-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/948-496-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/948-243-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1160-105-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1160-177-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1160-82-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/1160-88-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/1160-90-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1160-853-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1160-104-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1308-257-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/1308-178-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/1508-231-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1508-256-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1508-463-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1508-470-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1608-181-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/1608-258-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/1648-871-0x0000000000D50000-0x0000000000D6E000-memory.dmp

Filesize
120KB

Download
memory/1648-879-0x0000000000EB0000-0x0000000000ED4000-memory.dmp

Filesize
144KB

Download
memory/1648-870-0x0000000000D50000-0x0000000000D5A000-memory.dmp

Filesize
40KB

Download
memory/1648-872-0x0000000000D50000-0x0000000000D6A000-memory.dmp

Filesize
104KB

Download
memory/1648-873-0x0000000002030000-0x00000000020BC000-memory.dmp

Filesize
560KB

Download
memory/1648-874-0x0000000002030000-0x00000000020D4000-memory.dmp

Filesize
656KB

Download
memory/1648-875-0x0000000002030000-0x00000000021CE000-memory.dmp

Filesize
1.6MB

Download
memory/1648-876-0x0000000002030000-0x000000000211C000-memory.dmp

Filesize
944KB

Download
memory/1648-49-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1648-55-0x00000000002E0000-0x0000000000346000-memory.dmp

Filesize
408KB

Download
memory/1648-50-0x00000000002E0000-0x0000000000346000-memory.dmp

Filesize
408KB

Download
memory/1648-152-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1648-882-0x0000000002030000-0x0000000002096000-memory.dmp

Filesize
408KB

Download
memory/1648-881-0x0000000000EB0000-0x0000000000EDA000-memory.dmp

Filesize
168KB

Download
memory/1648-880-0x0000000000D50000-0x0000000000D58000-memory.dmp

Filesize
32KB

Download
memory/1648-877-0x0000000000D50000-0x0000000000D60000-memory.dmp

Filesize
64KB

Download
memory/1648-878-0x0000000002030000-0x00000000020B8000-memory.dmp

Filesize
544KB

Download
memory/1652-211-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1652-230-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1716-229-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/1716-234-0x00000000005A0000-0x00000000007A9000-memory.dmp

Filesize
2.0MB

Download
memory/1716-159-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/1716-161-0x00000000005A0000-0x00000000007A9000-memory.dmp

Filesize
2.0MB

Download
memory/1720-637-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1720-261-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1912-214-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1912-441-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1936-457-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/1936-217-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2004-195-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2004-122-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2004-759-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2056-153-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2068-259-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2068-348-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2112-144-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2112-135-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/2112-149-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2236-378-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2236-342-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2284-417-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2284-373-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2292-110-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/2292-191-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2292-119-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2292-117-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/2304-442-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2304-465-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2404-30-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/2404-47-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/2528-478-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2528-502-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2608-213-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2608-39-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/2608-440-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2608-63-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/2664-360-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2664-197-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2676-413-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2676-428-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2752-107-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2752-14-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2884-18-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/2884-17-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2884-26-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/2884-115-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2888-334-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2888-193-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2964-158-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2964-65-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/2964-71-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2964-73-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/2988-188-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/3056-81-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/3056-0-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/3056-6-0x00000000005F0000-0x0000000000656000-memory.dmp

Filesize
408KB

Download
memory/3056-8-0x00000000005F0000-0x0000000000656000-memory.dmp

Filesize
408KB

Download
memory/3056-1-0x00000000005F0000-0x0000000000656000-memory.dmp

Filesize
408KB

Download
memory/3144-518-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3144-499-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3704-576-0x0000000003D30000-0x0000000003DEA000-memory.dmp

Filesize
744KB

Download