expiro | 699bd6894d3fe09c40dac274499a1bc6c1f57b6c92e31dc5f9f6e63c04c8e2b2

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/01/2025, 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_574ae82593de221115bfcabdf4ff4f81.exe
Size

661KB
MD5

574ae82593de221115bfcabdf4ff4f81
SHA1

aec60c1bd67ce9278de10e6db9ff11e2a109a5b8
SHA256

699bd6894d3fe09c40dac274499a1bc6c1f57b6c92e31dc5f9f6e63c04c8e2b2
SHA512

790c4798345cd75b84594a84203c192f8ee29790df146ab0871e5668ee231c70e1d5bc2a3f31ceb9d8a9882340b20b19963c93c937ec20693ecb904712922b98
SSDEEP

12288:vUNIB5h08gJmKC9TovAW7E+Q1uHwQgMEzMK+tplNZyeft0+bdXOV5fk:qInh5g56TJ4vQ1uQQiMK+tplNZvi+b9e

Score

10^/10

expiro backdoor discovery evasion trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 5 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2192-34-0x0000000010074000-0x0000000010108000-memory.dmp	family_expiro1
behavioral1/memory/2192-35-0x0000000010000000-0x0000000010108000-memory.dmp	family_expiro1
behavioral1/memory/2192-53-0x0000000010000000-0x0000000010108000-memory.dmp	family_expiro1
behavioral1/memory/2192-52-0x0000000010074000-0x0000000010108000-memory.dmp	family_expiro1
behavioral1/memory/2432-65-0x000000013FA00000-0x000000013FB62000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 64 IoCs

pid	Process
476	Process not Found
2444	alg.exe
2768	aspnet_state.exe
2192	mscorsvw.exe
2616	mscorsvw.exe
2612	mscorsvw.exe
1296	mscorsvw.exe
2012	mscorsvw.exe
2248	mscorsvw.exe
2752	mscorsvw.exe
1132	mscorsvw.exe
1224	mscorsvw.exe
1976	mscorsvw.exe
1028	mscorsvw.exe
644	mscorsvw.exe
2292	mscorsvw.exe
1048	mscorsvw.exe
1628	mscorsvw.exe
780	mscorsvw.exe
1592	mscorsvw.exe
2180	mscorsvw.exe
1576	mscorsvw.exe
1736	mscorsvw.exe
2156	mscorsvw.exe
2212	mscorsvw.exe
2824	mscorsvw.exe
2740	mscorsvw.exe
2728	mscorsvw.exe
2688	mscorsvw.exe
1624	mscorsvw.exe
836	mscorsvw.exe
1964	mscorsvw.exe
1028	mscorsvw.exe
1368	mscorsvw.exe
3056	mscorsvw.exe
1628	mscorsvw.exe
2184	mscorsvw.exe
2176	mscorsvw.exe
1736	mscorsvw.exe
2780	mscorsvw.exe
2960	mscorsvw.exe
2624	mscorsvw.exe
3012	mscorsvw.exe
2564	mscorsvw.exe
1712	mscorsvw.exe
2188	mscorsvw.exe
1276	mscorsvw.exe
2656	mscorsvw.exe
2396	mscorsvw.exe
2948	mscorsvw.exe
2856	mscorsvw.exe
708	mscorsvw.exe
1480	mscorsvw.exe
2464	mscorsvw.exe
560	mscorsvw.exe
2544	mscorsvw.exe
992	mscorsvw.exe
2896	mscorsvw.exe
1512	mscorsvw.exe
1816	mscorsvw.exe
2732	mscorsvw.exe
2784	mscorsvw.exe
2728	mscorsvw.exe
2488	mscorsvw.exe

Loads dropped DLL 49 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
1368	mscorsvw.exe
1368	mscorsvw.exe
1628	mscorsvw.exe
1628	mscorsvw.exe
2176	mscorsvw.exe
2176	mscorsvw.exe
2780	mscorsvw.exe
2780	mscorsvw.exe
2624	mscorsvw.exe
2624	mscorsvw.exe
2564	mscorsvw.exe
2564	mscorsvw.exe
2188	mscorsvw.exe
2188	mscorsvw.exe
2656	mscorsvw.exe
2656	mscorsvw.exe
2948	mscorsvw.exe
2948	mscorsvw.exe
708	mscorsvw.exe
708	mscorsvw.exe
2464	mscorsvw.exe
2464	mscorsvw.exe
2544	mscorsvw.exe
2544	mscorsvw.exe
2896	mscorsvw.exe
2896	mscorsvw.exe
1816	mscorsvw.exe
1816	mscorsvw.exe
2784	mscorsvw.exe
2784	mscorsvw.exe
2488	mscorsvw.exe
2488	mscorsvw.exe
2472	mscorsvw.exe
2472	mscorsvw.exe
892	mscorsvw.exe
892	mscorsvw.exe
1932	mscorsvw.exe
1932	mscorsvw.exe
2220	mscorsvw.exe
2220	mscorsvw.exe
2736	mscorsvw.exe
2736	mscorsvw.exe
2980	mscorsvw.exe
2980	mscorsvw.exe
1520	mscorsvw.exe
1520	mscorsvw.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4177215427-74451935-3209572229-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4177215427-74451935-3209572229-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\Q:	alg.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_574ae82593de221115bfcabdf4ff4f81.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_574ae82593de221115bfcabdf4ff4f81.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File created	\??\c:\windows\system32\pqpegmmd.tmp	JaffaCakes118_574ae82593de221115bfcabdf4ff4f81.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	alg.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	alg.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\aenedjlo.tmp	alg.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\dndoohld.tmp	alg.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	alg.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	alg.exe
File created	\??\c:\program files (x86)\microsoft office\office14\joinceef.tmp	alg.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\hfhaoaip.tmp	alg.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14b.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\hngkcnna.tmp	JaffaCakes118_574ae82593de221115bfcabdf4ff4f81.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA90B.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB210.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	JaffaCakes118_574ae82593de221115bfcabdf4ff4f81.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9A9A.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	JaffaCakes118_574ae82593de221115bfcabdf4ff4f81.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8E99.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP148.tmp\Microsoft.Office.Tools.Outlook.v9.0.dll	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	JaffaCakes118_574ae82593de221115bfcabdf4ff4f81.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAC37.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBD08.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\jifeojam.tmp	JaffaCakes118_574ae82593de221115bfcabdf4ff4f81.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9203.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA5FF.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	JaffaCakes118_574ae82593de221115bfcabdf4ff4f81.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14b.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe
2444	alg.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2432	JaffaCakes118_574ae82593de221115bfcabdf4ff4f81.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2444	alg.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 1296	2612	mscorsvw.exe	37
PID 2612 wrote to memory of 1296	2612	mscorsvw.exe	37
PID 2612 wrote to memory of 1296	2612	mscorsvw.exe	37
PID 2612 wrote to memory of 1296	2612	mscorsvw.exe	37
PID 2612 wrote to memory of 2012	2612	mscorsvw.exe	38
PID 2612 wrote to memory of 2012	2612	mscorsvw.exe	38
PID 2612 wrote to memory of 2012	2612	mscorsvw.exe	38
PID 2612 wrote to memory of 2012	2612	mscorsvw.exe	38
PID 2612 wrote to memory of 2248	2612	mscorsvw.exe	39
PID 2612 wrote to memory of 2248	2612	mscorsvw.exe	39
PID 2612 wrote to memory of 2248	2612	mscorsvw.exe	39
PID 2612 wrote to memory of 2248	2612	mscorsvw.exe	39
PID 2612 wrote to memory of 2752	2612	mscorsvw.exe	40
PID 2612 wrote to memory of 2752	2612	mscorsvw.exe	40
PID 2612 wrote to memory of 2752	2612	mscorsvw.exe	40
PID 2612 wrote to memory of 2752	2612	mscorsvw.exe	40
PID 2612 wrote to memory of 1132	2612	mscorsvw.exe	41
PID 2612 wrote to memory of 1132	2612	mscorsvw.exe	41
PID 2612 wrote to memory of 1132	2612	mscorsvw.exe	41
PID 2612 wrote to memory of 1132	2612	mscorsvw.exe	41
PID 2612 wrote to memory of 1224	2612	mscorsvw.exe	42
PID 2612 wrote to memory of 1224	2612	mscorsvw.exe	42
PID 2612 wrote to memory of 1224	2612	mscorsvw.exe	42
PID 2612 wrote to memory of 1224	2612	mscorsvw.exe	42
PID 2612 wrote to memory of 1976	2612	mscorsvw.exe	43
PID 2612 wrote to memory of 1976	2612	mscorsvw.exe	43
PID 2612 wrote to memory of 1976	2612	mscorsvw.exe	43
PID 2612 wrote to memory of 1976	2612	mscorsvw.exe	43
PID 2612 wrote to memory of 1028	2612	mscorsvw.exe	44
PID 2612 wrote to memory of 1028	2612	mscorsvw.exe	44
PID 2612 wrote to memory of 1028	2612	mscorsvw.exe	44
PID 2612 wrote to memory of 1028	2612	mscorsvw.exe	44
PID 2612 wrote to memory of 644	2612	mscorsvw.exe	45
PID 2612 wrote to memory of 644	2612	mscorsvw.exe	45
PID 2612 wrote to memory of 644	2612	mscorsvw.exe	45
PID 2612 wrote to memory of 644	2612	mscorsvw.exe	45
PID 2612 wrote to memory of 2292	2612	mscorsvw.exe	46
PID 2612 wrote to memory of 2292	2612	mscorsvw.exe	46
PID 2612 wrote to memory of 2292	2612	mscorsvw.exe	46
PID 2612 wrote to memory of 2292	2612	mscorsvw.exe	46
PID 2612 wrote to memory of 1048	2612	mscorsvw.exe	47
PID 2612 wrote to memory of 1048	2612	mscorsvw.exe	47
PID 2612 wrote to memory of 1048	2612	mscorsvw.exe	47
PID 2612 wrote to memory of 1048	2612	mscorsvw.exe	47
PID 2612 wrote to memory of 1628	2612	mscorsvw.exe	48
PID 2612 wrote to memory of 1628	2612	mscorsvw.exe	48
PID 2612 wrote to memory of 1628	2612	mscorsvw.exe	48
PID 2612 wrote to memory of 1628	2612	mscorsvw.exe	48
PID 2612 wrote to memory of 780	2612	mscorsvw.exe	49
PID 2612 wrote to memory of 780	2612	mscorsvw.exe	49
PID 2612 wrote to memory of 780	2612	mscorsvw.exe	49
PID 2612 wrote to memory of 780	2612	mscorsvw.exe	49
PID 2612 wrote to memory of 1592	2612	mscorsvw.exe	50
PID 2612 wrote to memory of 1592	2612	mscorsvw.exe	50
PID 2612 wrote to memory of 1592	2612	mscorsvw.exe	50
PID 2612 wrote to memory of 1592	2612	mscorsvw.exe	50
PID 2612 wrote to memory of 2180	2612	mscorsvw.exe	51
PID 2612 wrote to memory of 2180	2612	mscorsvw.exe	51
PID 2612 wrote to memory of 2180	2612	mscorsvw.exe	51
PID 2612 wrote to memory of 2180	2612	mscorsvw.exe	51
PID 2612 wrote to memory of 1576	2612	mscorsvw.exe	52
PID 2612 wrote to memory of 1576	2612	mscorsvw.exe	52
PID 2612 wrote to memory of 1576	2612	mscorsvw.exe	52
PID 2612 wrote to memory of 1576	2612	mscorsvw.exe	52

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_574ae82593de221115bfcabdf4ff4f81.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_574ae82593de221115bfcabdf4ff4f81.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2444

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2192

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 19c -InterruptEvent 188 -NGENProcess 18c -Pipe 198 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 210 -NGENProcess 21c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 22c -NGENProcess 1fc -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 230 -NGENProcess 1f8 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 234 -NGENProcess 21c -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 238 -NGENProcess 1fc -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 23c -NGENProcess 1f8 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 240 -NGENProcess 21c -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 244 -NGENProcess 1fc -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 248 -NGENProcess 1f8 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 24c -NGENProcess 21c -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 250 -NGENProcess 1fc -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 1f8 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 21c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1fc -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1f8 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 21c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 1fc -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 268 -NGENProcess 264 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 254 -NGENProcess 1fc -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 274 -NGENProcess 260 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 264 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 1fc -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 1cc -NGENProcess 258 -Pipe 1a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 214 -NGENProcess 250 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 220 -NGENProcess 22c -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 228 -NGENProcess 258 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 1f0 -NGENProcess 250 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 258 -NGENProcess 250 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 184 -NGENProcess 1d0 -Pipe 178 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1f0 -NGENProcess 220 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 278 -NGENProcess 210 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 210 -NGENProcess 280 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 27c -NGENProcess 220 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 278 -NGENProcess 220 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 264 -NGENProcess 280 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 280 -NGENProcess 27c -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 280 -NGENProcess 264 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 21c -NGENProcess 284 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 224 -NGENProcess 264 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 264 -NGENProcess 280 -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 28c -NGENProcess 284 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 284 -NGENProcess 224 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 294 -NGENProcess 280 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 280 -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 29c -NGENProcess 224 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 224 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 2a4 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 28c -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2ac -NGENProcess 294 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 294 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b4 -NGENProcess 29c -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a4 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c4 -NGENProcess 2ac -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2ac -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 254 -NGENProcess 1cc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1cc -NGENProcess 2c4 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2d8 -NGENProcess 2d0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2e0 -NGENProcess 2bc -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2bc -NGENProcess 2d8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2d8 -NGENProcess 254 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2ec -NGENProcess 2e4 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2e8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 254 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 2e4 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 2e8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 254 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2e4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2e8 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 254 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2e4 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2e8 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 254 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2e4 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2e8 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 254 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2e4 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2e8 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 254 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2e4 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2e8 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 254 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2e4 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2e8 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 254 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 2e4 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 2e8 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 2e8 -NGENProcess 350 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 254 -NGENProcess 35c -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 340 -NGENProcess 350 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 360 -NGENProcess 2e8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 35c -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 350 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 2e8 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 35c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 350 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 36c -NGENProcess 37c -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 360 -NGENProcess 350 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 378 -NGENProcess 384 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 33c -NGENProcess 350 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 380 -NGENProcess 38c -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:1344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 35c -NGENProcess 350 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 350 -NGENProcess 388 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 394 -NGENProcess 38c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 38c -NGENProcess 35c -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 360 -NGENProcess cc -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 398 -NGENProcess 380 -Pipe c8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 35c -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess cc -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3ac -NGENProcess 380 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3ac -NGENProcess 3a0 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3a4 -NGENProcess 380 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3b8 -NGENProcess 39c -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 3a0 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 380 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 39c -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\cqflppll\cmd.exe

Filesize
732KB

MD5
87dcfdc712ef4ceeaafb0ff7fc1eb0c8

SHA1
5420478a6618605f0dd207234cdeccba809ed3cf

SHA256
dd0f886f47ca4bf4d37a73259387b03ceab7d2f1bf488040c46d6bdec54f0793

SHA512
472f51e69b0d2e072585d5d479cfd369b606c07b0f6b9d70960cec6596199154cd66db19d686b73faac1209b33bb579ccae1cdcec914f9efd1b3de64fb6bf779

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
a3a32109f02d07d1bb5dffd538d6f238

SHA1
881e2b5b24e5ede83c592ebb224309c34cf568d1

SHA256
03b977c0439fe6512e11abc3d7e2ea3a6b21b26cdda6fcbb7186208fd6629a9a

SHA512
4463e6f8d6f50f4a274f968605671800b95308d11f0d99eab899761e9f1db3f6883da902afce498021d2e44481014d4f8456278e391744b291584368d152433f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
457KB

MD5
52ce0380a36d271dc37a335f713cecd7

SHA1
dc1093d203638083a0ff88084981572c26f1e955

SHA256
7d22d1a2c882b574033975a3b378ca5d62111faa3771bdfdc08c536245c1e932

SHA512
819dd315875f50828c959a60c022aa4ab37a3254f6fd24343345116c5ad2b59cb334710600cf373cfc6d5daaf0d214c798ac25bc3f9f89da80e93e3ce1714ed2

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
4999941878369ed169971fd50742d09e

SHA1
f37466f0972c0852fe03a5b4caf400785fb33b82

SHA256
c8579d8f6fc79765d2fd129239bdfb7d6ceb25ed88e6605c2fd37e55af026dcf

SHA512
1fe784c1686c0fb47d12548e04df0d2701c34915da37d8e49bbcce2111e412b7d46beefdccf1a5c299fd57dbdedb16980d03807179413cd20cd7b804acc19416

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
484KB

MD5
154701ce15769696b3df994e71bb7acd

SHA1
f1221c883844384795f1bda78aad0fbce8a42e54

SHA256
30e27022412a313e5e2d263858a5a8351944fc5f5d3565c034ccc92c67715368

SHA512
59908ba29466ad4ab646613083147ef16ce396cf9244bbd8ec0cf699c32d7f667f42194c47ccedef91da12206872afe374060cdd24987af76360a550e515a688

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
828d5a362144eb624df9f12c2d4c16fb

SHA1
03b9c5323e56386bbe133e82717753227d8996e3

SHA256
7929063228038aa1cf7d79c869c2cb53e40e96dea736d00b59d092be9305e245

SHA512
7ce1f69920b67375cc54dfb4587adbe97b4f00bbda149bd873aee1fcccb747150cac9845d82d8ec7d2533fcf4caaf5a9af0e9915f783845bb172f302e6d21472

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\677f702dae85e9e71dd263389b314e4c\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
707dfd12050367afa559a46fb9f58cc3

SHA1
5de2d34f0244ea30a7cee2ce057911d496b275ec

SHA256
c573fbe5d6d82ded4bf0b6e009ec70ce0deb2b6a17d071941d4be4d7a533c4b2

SHA512
09129b72022fdd6853ab271997dfe452df1fecc718b07b334559c481f5524c9cbb9a36f3f51631046332b5841012d273882b8ce5e95c6d38a52b7634dc15e3b8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a124527b05c5a23baa89f2640a8e7eeb\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
96e73515d59941275243019718f72dc9

SHA1
8d891d9deb43e6f93f551b844b3c3c645cd8a8c6

SHA256
87721114f093063af12fcfefaa3586cedc69e5fd9edc1be09c6569022aeadfcf

SHA512
d935d32bf3134cd7490c0373b59984c47aca6bf70d634c71cdb691f034849e57e51aef3b8ecb8a71f4e7603852d80f4d27648f2d52d23784d808f8d69c02ae8d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ca38a6102e5ce868984b47fd1e5bb16c\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
3db1b49b6e4de1a4454490f20197160d

SHA1
0976bec941b6762b128394e099a72d3eff93cd34

SHA256
cabb7980f21a3145c6b26fa6c12183f8835d86294c3936259d82d5fc2accd64f

SHA512
3fd3f26f83efc4b67104d93609a9d1689826efb5043a737de49840d23a81b36bd5cdc1af68ec022ab050cdb1fe889ed6cc14304a3cbe32efe2d1fe38546e1c89

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc886283c93ab80a1794b6fa4db32beb\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
d47c6be4748403204b80061f4ca08912

SHA1
df69eed7464005c55fb720a6f0c27f776d357004

SHA256
c3584144b6c37b31c0bad8c9b8799da2d89924701d8ecc47ed06c00b4fc06ac9

SHA512
e40b9e31cc46de08033b441f47d2598914c24b07819aad08d45253bbea9d265323324c027b6421e72c50ed5b1817b751412282e445e645e4763e8584378c4b05

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
480KB

MD5
56905f040dd244a70d3afa0350b93d72

SHA1
2d78da9a248ca78441683c3942436182a357af25

SHA256
7cee7f953a5fa9b0eb86ef4a3abc723080f2333e8e8831b2db364ff5e2d6198d

SHA512
f97dc88fe2e3cea62259d12230d328c097cdc828df4f7d8e411a048aa24985a8b3175e1f8354437b66042b65aa904a3ed870f78d558e6ec11b4216f8ac87cb81

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
431KB

MD5
fcd6576389920262127ffe566575a57a

SHA1
0c493ee150eb298e6b9ba1df2448418b6fa27552

SHA256
6ad636387e74838ed071174ffe246bc7bf610f49dea53b58871e1132830c1762

SHA512
37a0dd169a5548825d614c0eba003f5ac9d65b0dd579edb400592df78b15af0ac450f59b3a1187406f2943bf4711360f0e3e54c757a8bc31303191869fe6cdf9

Download Submit
\Windows\System32\alg.exe

Filesize
472KB

MD5
535e5dc2df421b91f4d89474e4607213

SHA1
32c05762a4041bac54329cc11e69c2f632947e92

SHA256
23457fac835f5115e17e718c5889609c4ba01552351d764fb99be90c0e1f5853

SHA512
d8232b8fec78642ac1bb755b2811cc52126ecae2b02ed9da4de2c9a77d9d5f4ba5e49f3713bfffb1947452ff2c937802c1769ec7babd6024c087e15df73be56d

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP84D9.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP87D5.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8B5E.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8E99.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9203.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP952E.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
memory/2180-114-0x0000000002C40000-0x0000000002CFA000-memory.dmp

Filesize
744KB

Download
memory/2192-52-0x0000000010074000-0x0000000010108000-memory.dmp

Filesize
592KB

Download
memory/2192-34-0x0000000010074000-0x0000000010108000-memory.dmp

Filesize
592KB

Download
memory/2192-35-0x0000000010000000-0x0000000010108000-memory.dmp

Filesize
1.0MB

Download
memory/2192-53-0x0000000010000000-0x0000000010108000-memory.dmp

Filesize
1.0MB

Download
memory/2432-65-0x000000013FA00000-0x000000013FB62000-memory.dmp

Filesize
1.4MB

Download
memory/2432-4-0x000000013FA00000-0x000000013FB62000-memory.dmp

Filesize
1.4MB

Download
memory/2432-12-0x000000013FA00000-0x000000013FB62000-memory.dmp

Filesize
1.4MB

Download
memory/2432-2-0x000000013FAAA000-0x000000013FB62000-memory.dmp

Filesize
736KB

Download
memory/2432-0-0x000000013FAAA000-0x000000013FB62000-memory.dmp

Filesize
736KB

Download
memory/2432-1-0x000000013FA00000-0x000000013FB62000-memory.dmp

Filesize
1.4MB

Download
memory/2432-64-0x000000013FAAA000-0x000000013FB62000-memory.dmp

Filesize
736KB

Download
memory/2444-19-0x00000000FF7D9000-0x00000000FF890000-memory.dmp

Filesize
732KB

Download
memory/2444-67-0x00000000FF7D9000-0x00000000FF890000-memory.dmp

Filesize
732KB

Download
memory/2444-75-0x00000000FF760000-0x00000000FF890000-memory.dmp

Filesize
1.2MB

Download
memory/2444-20-0x00000000FF760000-0x00000000FF890000-memory.dmp

Filesize
1.2MB

Download
memory/2444-72-0x00000000FF760000-0x00000000FF890000-memory.dmp

Filesize
1.2MB

Download
memory/2612-140-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/2612-138-0x0000000002F70000-0x000000000310E000-memory.dmp

Filesize
1.6MB

Download
memory/2612-133-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/2612-134-0x00000000001D0000-0x00000000001EE000-memory.dmp

Filesize
120KB

Download
memory/2612-145-0x0000000000840000-0x00000000008A6000-memory.dmp

Filesize
408KB

Download
memory/2612-144-0x00000000004E0000-0x000000000050A000-memory.dmp

Filesize
168KB

Download
memory/2612-135-0x00000000001D0000-0x00000000001EA000-memory.dmp

Filesize
104KB

Download
memory/2612-143-0x0000000000180000-0x0000000000188000-memory.dmp

Filesize
32KB

Download
memory/2612-142-0x00000000004E0000-0x0000000000504000-memory.dmp

Filesize
144KB

Download
memory/2612-136-0x0000000002AE0000-0x0000000002B6C000-memory.dmp

Filesize
560KB

Download
memory/2612-141-0x0000000002AE0000-0x0000000002B68000-memory.dmp

Filesize
544KB

Download
memory/2612-139-0x0000000002F70000-0x000000000305C000-memory.dmp

Filesize
944KB

Download
memory/2612-137-0x0000000002F70000-0x0000000003014000-memory.dmp

Filesize
656KB

Download
memory/2616-49-0x0000000010000000-0x0000000010134000-memory.dmp

Filesize
1.2MB

Download
memory/2616-66-0x0000000010000000-0x0000000010134000-memory.dmp

Filesize
1.2MB

Download
memory/2616-50-0x0000000010000000-0x0000000010134000-memory.dmp

Filesize
1.2MB

Download
memory/2768-27-0x000000013F3D2000-0x000000013F489000-memory.dmp

Filesize
732KB

Download
memory/2768-28-0x000000013F360000-0x000000013F489000-memory.dmp

Filesize
1.2MB

Download
memory/2768-74-0x000000013F360000-0x000000013F489000-memory.dmp

Filesize
1.2MB

Download
memory/2768-73-0x000000013F3D2000-0x000000013F489000-memory.dmp

Filesize
732KB

Download