99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-02-2025 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
Size

1.7MB
MD5

90b4872a4e6b13ebb2b31a93fef9784d
SHA1

3a73acf010ab915cff9a502949a735f833fc1ca8
SHA256

99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1
SHA512

43c293ec7db884896a896a292030043f966a7d904fef6f41b94d910ff952e3927f78e075ab8e822c51ad59ae510207921bffeb5e76848f3807b4f43682a8129c
SSDEEP

24576:eWd7S8NK3oYpkTcDvebZI7LrS/85RkVt7jCSkQ/7Gb8NLEbeZ:eKxNupkTcKb4rSUfkVFjLkQ/qoLEw

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
460	Process not Found
2008	alg.exe
2840	aspnet_state.exe
3056	mscorsvw.exe
1056	mscorsvw.exe
2216	mscorsvw.exe
1816	mscorsvw.exe
2220	ehRecvr.exe
1316	ehsched.exe
1780	elevation_service.exe
2404	IEEtwCollector.exe
1320	GROOVE.EXE
2208	maintenanceservice.exe
1820	msdtc.exe
1920	msiexec.exe
2944	OSE.EXE
2992	mscorsvw.exe
2280	perfhost.exe
2088	locator.exe
2760	snmptrap.exe
2040	vds.exe
1364	mscorsvw.exe
2500	vssvc.exe
1524	mscorsvw.exe
1232	wbengine.exe
3020	WmiApSrv.exe
1712	wmpnetwk.exe
2028	SearchIndexer.exe
1960	mscorsvw.exe
2704	mscorsvw.exe
2148	mscorsvw.exe
2892	mscorsvw.exe
836	mscorsvw.exe
2456	mscorsvw.exe
2992	mscorsvw.exe
2264	mscorsvw.exe
1832	mscorsvw.exe
2592	mscorsvw.exe
1584	mscorsvw.exe
2264	mscorsvw.exe
2404	mscorsvw.exe
1796	mscorsvw.exe
2804	mscorsvw.exe
864	mscorsvw.exe
1876	mscorsvw.exe
1588	mscorsvw.exe
1764	mscorsvw.exe
2436	mscorsvw.exe
2900	mscorsvw.exe
2300	mscorsvw.exe
1044	mscorsvw.exe
2648	mscorsvw.exe
2536	mscorsvw.exe
952	mscorsvw.exe
2776	mscorsvw.exe
1572	mscorsvw.exe
2528	mscorsvw.exe
2540	mscorsvw.exe
1640	mscorsvw.exe
3040	mscorsvw.exe
2992	mscorsvw.exe
2072	mscorsvw.exe
1940	mscorsvw.exe
2880	mscorsvw.exe

Loads dropped DLL 50 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
1920	msiexec.exe
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
748	Process not Found
2776	mscorsvw.exe
2776	mscorsvw.exe
2528	mscorsvw.exe
2528	mscorsvw.exe
1640	mscorsvw.exe
1640	mscorsvw.exe
2992	mscorsvw.exe
2992	mscorsvw.exe
1940	mscorsvw.exe
1940	mscorsvw.exe
756	mscorsvw.exe
756	mscorsvw.exe
2788	mscorsvw.exe
2788	mscorsvw.exe
944	mscorsvw.exe
944	mscorsvw.exe
2152	mscorsvw.exe
2152	mscorsvw.exe
1804	mscorsvw.exe
1804	mscorsvw.exe
2660	mscorsvw.exe
2660	mscorsvw.exe
584	mscorsvw.exe
584	mscorsvw.exe
2484	mscorsvw.exe
2484	mscorsvw.exe
1352	mscorsvw.exe
1352	mscorsvw.exe
1692	mscorsvw.exe
1692	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
972	mscorsvw.exe
972	mscorsvw.exe
1672	mscorsvw.exe
1672	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\System32\msdtc.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\locator.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\System32\vds.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\wbengine.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\aa11ded65f6c6349.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\vssvc.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC42A.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA007.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBDE3.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCADE.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDBDE.tmp\ehiVidCtl.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBC2E.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAADF.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAD40.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD02B.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB02D.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{93D9D309-1F17-4A20-AFC8-30573699C698}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MdSched.exe,-4001 = "Windows Memory Diagnostic"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102 = "XPS Viewer"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\rstrui.exe,-100 = "System Restore"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SoundRecorder.exe,-32790 = "Record sound and save it on your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000 = "Sync Center"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\comres.dll,-3410 = "Component Services"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-202 = "Schedule computer tasks to run automatically."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10055 = "FreeCell"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10303 = "Enjoy the classic strategy game of Chess. Play against the computer, or compete against a friend. The winner is the first to capture the opponent’s king."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\ehome\ehres.dll,-116 = "Opens your home entertainment option for digital and on-demand media, including TV, movies, music and pictures."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080073210dc81db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
3060	jp2launcher.exe
756	ehRec.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: 33	1836	EhTray.exe
Token: SeIncBasePriorityPrivilege	1836	EhTray.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeDebugPrivilege	756	ehRec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeSecurityPrivilege	1920	msiexec.exe
Token: 33	1836	EhTray.exe
Token: SeIncBasePriorityPrivilege	1836	EhTray.exe
Token: SeBackupPrivilege	2500	vssvc.exe
Token: SeRestorePrivilege	2500	vssvc.exe
Token: SeAuditPrivilege	2500	vssvc.exe
Token: SeBackupPrivilege	1232	wbengine.exe
Token: SeRestorePrivilege	1232	wbengine.exe
Token: SeSecurityPrivilege	1232	wbengine.exe
Token: 33	1712	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1712	wmpnetwk.exe
Token: SeManageVolumePrivilege	2028	SearchIndexer.exe
Token: 33	2028	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2028	SearchIndexer.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeDebugPrivilege	1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
Token: SeDebugPrivilege	1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
Token: SeDebugPrivilege	1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
Token: SeDebugPrivilege	1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
Token: SeDebugPrivilege	1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeDebugPrivilege	2008	alg.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe
Token: SeShutdownPrivilege	2216	mscorsvw.exe
Token: SeShutdownPrivilege	1816	mscorsvw.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1836	EhTray.exe
1836	EhTray.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1836	EhTray.exe
1836	EhTray.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
3060	jp2launcher.exe
2512	SearchProtocolHost.exe
2512	SearchProtocolHost.exe
2512	SearchProtocolHost.exe
2512	SearchProtocolHost.exe
2512	SearchProtocolHost.exe
3024	SearchProtocolHost.exe
3024	SearchProtocolHost.exe
3024	SearchProtocolHost.exe
3024	SearchProtocolHost.exe
3024	SearchProtocolHost.exe
3024	SearchProtocolHost.exe
3024	SearchProtocolHost.exe
3024	SearchProtocolHost.exe
3024	SearchProtocolHost.exe
3024	SearchProtocolHost.exe
3024	SearchProtocolHost.exe
3024	SearchProtocolHost.exe
3024	SearchProtocolHost.exe
3024	SearchProtocolHost.exe
3024	SearchProtocolHost.exe
2512	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2004	1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe	30
PID 1740 wrote to memory of 2004	1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe	30
PID 1740 wrote to memory of 2004	1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe	30
PID 1740 wrote to memory of 2004	1740	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe	30
PID 2004 wrote to memory of 3060	2004	javaws.exe	32
PID 2004 wrote to memory of 3060	2004	javaws.exe	32
PID 2004 wrote to memory of 3060	2004	javaws.exe	32
PID 2216 wrote to memory of 2992	2216	mscorsvw.exe	50
PID 2216 wrote to memory of 2992	2216	mscorsvw.exe	50
PID 2216 wrote to memory of 2992	2216	mscorsvw.exe	50
PID 2216 wrote to memory of 2992	2216	mscorsvw.exe	50
PID 2216 wrote to memory of 1364	2216	mscorsvw.exe	55
PID 2216 wrote to memory of 1364	2216	mscorsvw.exe	55
PID 2216 wrote to memory of 1364	2216	mscorsvw.exe	55
PID 2216 wrote to memory of 1364	2216	mscorsvw.exe	55
PID 2216 wrote to memory of 1524	2216	mscorsvw.exe	57
PID 2216 wrote to memory of 1524	2216	mscorsvw.exe	57
PID 2216 wrote to memory of 1524	2216	mscorsvw.exe	57
PID 2216 wrote to memory of 1524	2216	mscorsvw.exe	57
PID 2216 wrote to memory of 1960	2216	mscorsvw.exe	62
PID 2216 wrote to memory of 1960	2216	mscorsvw.exe	62
PID 2216 wrote to memory of 1960	2216	mscorsvw.exe	62
PID 2216 wrote to memory of 1960	2216	mscorsvw.exe	62
PID 2216 wrote to memory of 2704	2216	mscorsvw.exe	63
PID 2216 wrote to memory of 2704	2216	mscorsvw.exe	63
PID 2216 wrote to memory of 2704	2216	mscorsvw.exe	63
PID 2216 wrote to memory of 2704	2216	mscorsvw.exe	63
PID 2028 wrote to memory of 2512	2028	SearchIndexer.exe	64
PID 2028 wrote to memory of 2512	2028	SearchIndexer.exe	64
PID 2028 wrote to memory of 2512	2028	SearchIndexer.exe	64
PID 2028 wrote to memory of 1228	2028	SearchIndexer.exe	65
PID 2028 wrote to memory of 1228	2028	SearchIndexer.exe	65
PID 2028 wrote to memory of 1228	2028	SearchIndexer.exe	65
PID 2216 wrote to memory of 2148	2216	mscorsvw.exe	66
PID 2216 wrote to memory of 2148	2216	mscorsvw.exe	66
PID 2216 wrote to memory of 2148	2216	mscorsvw.exe	66
PID 2216 wrote to memory of 2148	2216	mscorsvw.exe	66
PID 2028 wrote to memory of 3024	2028	SearchIndexer.exe	67
PID 2028 wrote to memory of 3024	2028	SearchIndexer.exe	67
PID 2028 wrote to memory of 3024	2028	SearchIndexer.exe	67
PID 2216 wrote to memory of 2892	2216	mscorsvw.exe	68
PID 2216 wrote to memory of 2892	2216	mscorsvw.exe	68
PID 2216 wrote to memory of 2892	2216	mscorsvw.exe	68
PID 2216 wrote to memory of 2892	2216	mscorsvw.exe	68
PID 2216 wrote to memory of 836	2216	mscorsvw.exe	69
PID 2216 wrote to memory of 836	2216	mscorsvw.exe	69
PID 2216 wrote to memory of 836	2216	mscorsvw.exe	69
PID 2216 wrote to memory of 836	2216	mscorsvw.exe	69
PID 2216 wrote to memory of 2456	2216	mscorsvw.exe	70
PID 2216 wrote to memory of 2456	2216	mscorsvw.exe	70
PID 2216 wrote to memory of 2456	2216	mscorsvw.exe	70
PID 2216 wrote to memory of 2456	2216	mscorsvw.exe	70
PID 2216 wrote to memory of 2992	2216	mscorsvw.exe	71
PID 2216 wrote to memory of 2992	2216	mscorsvw.exe	71
PID 2216 wrote to memory of 2992	2216	mscorsvw.exe	71
PID 2216 wrote to memory of 2992	2216	mscorsvw.exe	71
PID 2216 wrote to memory of 2264	2216	mscorsvw.exe	76
PID 2216 wrote to memory of 2264	2216	mscorsvw.exe	76
PID 2216 wrote to memory of 2264	2216	mscorsvw.exe	76
PID 2216 wrote to memory of 2264	2216	mscorsvw.exe	76
PID 2216 wrote to memory of 1832	2216	mscorsvw.exe	73
PID 2216 wrote to memory of 1832	2216	mscorsvw.exe	73
PID 2216 wrote to memory of 1832	2216	mscorsvw.exe	73
PID 2216 wrote to memory of 1832	2216	mscorsvw.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
"C:\Users\Admin\AppData\Local\Temp\99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Program Files\Java\jre7\bin\javaws.exe
  "C:\Program Files\Java\jre7\bin\javaws.exe" -J-Djdk.disableLastUsageTracking=true -SSVBaselineUpdate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Program Files\Java\jre7\bin\jp2launcher.exe
    "C:\Program Files\Java\jre7\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre7" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlN1xsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTdcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlN1xiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGxpYlxwbHVnaW4uamFyAC1EamRrLmRpc2FibGVMYXN0VXNhZ2VUcmFja2luZz10cnVlAC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGJpblxqYXZhdy5leGUALURqbmxweC52bWFyZ3M9TFVScVpHc3VaR2x6WVdKc1pVeGhjM1JWYzJGblpWUnlZV05yYVc1blBYUnlkV1VB -ma LVNTVkJhc2VsaW5lVXBkYXRlAC1ub3RXZWJKYXZh
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3060

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3056

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 24c -NGENProcess 250 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 250 -NGENProcess 23c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 258 -NGENProcess 26c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 254 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 274 -NGENProcess 250 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 264 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1d4 -NGENProcess 254 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1d4 -NGENProcess 27c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 258 -NGENProcess 254 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 284 -NGENProcess 274 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 254 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 274 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 27c -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 274 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 294 -NGENProcess 2a4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 288 -NGENProcess 274 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a8 -NGENProcess 29c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2ac -NGENProcess 2a4 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 25c -NGENProcess 1f8 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 244 -NGENProcess 23c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 248 -NGENProcess 270 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1e8 -NGENProcess 1f8 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 224 -NGENProcess 23c -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 1f8 -NGENProcess 23c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 2b0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 274 -NGENProcess 2b0 -Pipe 120 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 25c -NGENProcess 224 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 224 -NGENProcess 284 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 2a8 -NGENProcess 2b0 -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b0 -NGENProcess 25c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2ac -NGENProcess 284 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 284 -NGENProcess 2a8 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 29c -NGENProcess 25c -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 25c -NGENProcess 2ac -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 254 -NGENProcess 2a8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2a8 -NGENProcess 29c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b4 -NGENProcess 2ac -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2ac -NGENProcess 254 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2bc -NGENProcess 29c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 29c -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2c4 -NGENProcess 254 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 254 -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2cc -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:1160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2dc -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2f8 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2ec -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 300 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 300 -NGENProcess 2e4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2e4 -NGENProcess 2f4 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 314 -NGENProcess 30c -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2f4 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 30c -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2812

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2300

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2220

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1316

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1836

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1780

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2404

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1320

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2208

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1820

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2944

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2280

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2088

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2760

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3020

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2512
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:1228
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
c245eb51b5a068b3ee96823787dfe4be

SHA1
bda8ed3e9e3e387377715883efb3f0ac31a1ec11

SHA256
9a8c200ad5da88721c3ccedb338fad3002a94893de9583665d75d58f8fe3b815

SHA512
d33a067d6cdc1cc273478f9766c36b6e5dcdc15bd0ca3a5416ac52b539d6b880040aeb00ae2fc81a0f0119037b1f779375a330563e9fe9ae83cfe97b1e90e307

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
bed8bc0e8903f70cbf28794725f325e2

SHA1
5a84a7f44b2e4acac26dc5a272932644ab8be381

SHA256
c73e947f0d2a22eeca27e030a21ff52c03d8a32975b30d68176dcfd1754b9d0f

SHA512
0fea0d5269f752bf2e7f81fe02ef8c9e781972252a3b25a3207d0bc695fdb69ae915d627924b2fc911268bdbd2a6b110e3312b87162304b5e2b4466721e26533

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
4d1c9bf964ffaffd24814bb780697d68

SHA1
e5cd601ccd97794d392b3b2e95027cb9c282407b

SHA256
b3b9eeffb6597c70f99eda496308d75f4719e44218cf05ecb8b571bf516a87e9

SHA512
f88d25b3c8b63632eaaa16ef5a41f105c9c46050344546b8677a8b1c713d7385af8adec4bc276961abcef1fe1e65349de4c57881d4639c4835b733939551b3fa

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
92efaa18fe73dfae2c86761714d773b1

SHA1
58bc0a153810ac75f34cb7f9e6616f01970db647

SHA256
d885d1df73607f1f2cbed45131fd8cb51067a406be4fc9da855543021f81650d

SHA512
41423349fe50c85278737e14345bf5d4667de9ff1e93bd37e2e016ff810f5c0f9fee41a16d197c1f7282328b3b2eba1f724a94318344b55cb6a315fb0452381c

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
51da34a4f22540e7676f7e66bbb3d544

SHA1
963a8594079797affc9f8761097d2923fbdaaa79

SHA256
9f28ece875b6bbe68f45aa53fc6d82f4891ba8112988e67c9d09c564ff6fced6

SHA512
33cc454adcbf59703a93e68a0523ff49a6e5dea120cfb16f4e5b74417b0bff426e8cf6c6adca7cc92c2a7f65ce626e7eece84b8f3f5c4199afce2a7a6c6f524f

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\46ceb172-5eacb5ac

Filesize
12KB

MD5
f9e48186bd918afaf08544e709341184

SHA1
978f291344ab0d51dddcb661dbf05034073f15aa

SHA256
32ec1dd00faab8c0fbd489644fef40f70a509fbdb578e1b9854876f380572ca4

SHA512
f735a4d6dd3620a51c2e1454c2a105c83b76bf26b5f9f1df3ce79308b56c6a9789ed49e527eedbb1723714fffaac247b374f2f188dcdf53249fd65214e8dbb68

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
685B

MD5
7ba80436cdd36c17497f82b54264084b

SHA1
bd3c5699ca4d7e318442e2593e35f24868b8a1b1

SHA256
184433ec61483176003a2e188923333ea27a536940629e01528561aaa8b06626

SHA512
051d444997c656adc50264b8e1ccafbf754c2a14d1e15dcb89290560e676a0393ace1ac656b375a81681e49e0a8dc32494174c53a351945a506f885a43de06e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jar_cache3880448017650569840.tmp

Filesize
12KB

MD5
f47403fc5f6534d1eb5e6a4088c86d84

SHA1
ed2116d28be10439a9f35145a21535ecfba196f5

SHA256
ec77ef8b1cbf32edf02950406ca4fcb7edcef00bf498b1a714d734363881b97a

SHA512
937af202eedc100d0cd146554cbd2a98c580210ece2f0e92a1f7d6d1dfc49cd9f0e47867e707fb6e57725ae62210d38af2df25062ac838e3ac42b3b4c37ec90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
5KB

MD5
0508220fbf6c636d3fc954515e30022c

SHA1
968291c372da3aa445c81682861d23fc13b900ab

SHA256
3cc1f6f73de6c4dae71175a81ea25dee604fb18b1ccf44bca2b35b5e4ba3dfc9

SHA512
da510243dbc16c0052bb8822ce6def69976e9d00b62cb37889e85cfe020b65f74c344c25b26f1f96c014913c6b500e8dde11a2f778b8aeffa737d6e8c2f47cde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
3b0b78766dcf6bfd2ab84483c003bd0a

SHA1
892910873b6c90947b0f97846041aa8a0430fb53

SHA256
167fd1436511e72a2baf16c4913b916796f9760bdf64ebc6379eb100078a790e

SHA512
0bc618dbecbc1fc8586920a5257afac4f567e180b1aef579c01ce0c41e882291d6f7dbd8dca1cf7867e6bc51cf6e3cc21eb38a9460531ea377a00bca1ef2b051

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
6d2203e8e0947bf3c8f14df3a6ed8d85

SHA1
5c68eb1e90c69f00de75297d7edb31481c47f6f7

SHA256
9041d7cb0dd660dc20cd058b5e893cb16143fb7583fac5fd2930fe9f0a9295fd

SHA512
be3dd3bb8505bd112ded07d4af855a514577cf19c9cd5f057569b2e3feda9526af9a9127d69d8a2e0a7f50c7d5f6b8abd41bc6481d2576ed584c2ebc9a5bfddb

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
48208c62199d06abdbabae2aa537ba62

SHA1
0c7d9fa12db6ac17a7a17db63a86480322f8f5cf

SHA256
8cc5e799a662a51f8f1c6bb0fe0d3b11b7a4606d899a368e4a3470670ee3de98

SHA512
3becc6db733bc479e816094ba667fd5018c9962fe86976bce55441e88a7aceb4cb35c9a63ff76a536ae1e65360b17d26dcf05c244ccdb13e7aa515571751a512

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
daab217062e799e3e9d2b7917303a4cb

SHA1
e93ecadb194e13923f7d7d15cab0e4401fb48220

SHA256
33e6fcff022a1d77ff80848f7bd62b5e7fcb9c5ad82904837a998734d4c2871e

SHA512
58319262469e0d7b13d16689accb67c4e42138300521a94d428ff1d50dcc8b8c5292a598cfe717f583fadce326e45f2e2d50290e97b2938f3fb004c97469147b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
d2088ba835bc597b25149e08c363771b

SHA1
d178c43d290a1a9d7ca4ce7a1dee06ba1b827d90

SHA256
fd5770beaf281819209411c8ea6b5c1a555f69e0c97f79915da6e77ed781bc6d

SHA512
a22b524f6958c0819ee2896a7e83fed36cb635ab04187aded8bbf6f471a14719e26a3eec648141ffbc0404bef49e2acb702f1b3f964efdb227c4f2488e95855a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
c89c93c7bd876da9607be42a45d0d621

SHA1
fe02ec9992bf783edd620ebdcea5fdb594331bdd

SHA256
7ebf725bb8c2f4c969fad61a1e63a9561b3c7477414fb1d757e47004cfc6c26d

SHA512
3c6f76f17c064c3575ce6ae65b18198ed511de13feaff35677100bcade5608810c5f0dc0be21956f256adcc31233afca97f3dfa0dc66c719ad95d842021ec735

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
d748c1e30fd5ceb9d451937cbd9fc69e

SHA1
6e8162fbdc9c21b9f038e70d028a6fc6dd845d76

SHA256
ca62d18f48cfac6b58ef3eb5426e44f69c2aaca196533cf66b8a64ac569de671

SHA512
a348773f807804a21509af089a65f59c8e69560107926ce6da1d2abdbf1a0638fe1b0b134b6ebe8b6f25107f9dbf8d50c83e624a3c5de383e64a60951b00152e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
33f5336ec73f9fd86b76a3891dec19e2

SHA1
8db35e7838fc8ebadf7aff5b4ded8cd798404012

SHA256
3f4977a44fdb994930e92f6c3f6168eb8f116c72210a41a9096aae3835a7f27e

SHA512
b6efb6b526113cc49e79c4bb27bae4778eb322f6fa35f2c83d899999b92e53d64239fae7f43dc2b8630a7f9a668c8cded6ac2bb7a4163c0b508ec2926b0125f2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
254e6533f68e372cd5f21b94e2a4e6fc

SHA1
30836b44355d78936e55784044b54768fcf7fba7

SHA256
cf155b94b73c6e4d3bd5229066b30b4fa1d87d8b42256e2bffbf79d35ad3d224

SHA512
e051d5958bb7a4f0482f8eeffda8ccecfe7432fd34eea6e8948f24051236093d3490211f02781c67c228aad86e63927e865bb3d759ffabb94d21ef9d97383ebe

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
22dd8b9b75f087eba1a3c7cc59a24664

SHA1
28f02bbbf0312d14eb27df7297324ff22fd5add8

SHA256
380ad5cacdc83eb762efcdaef28f8860ba5bc960c1797f62910965170c1f24ee

SHA512
fd550e71481f133c44c26f992fd0ec76e638b741d8dc8b6a007fab6b6751e5782b8a7f65d39c7a79416670cfdd55075c71a4bae6fce4c50171d4960fd8b279df

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.2MB

MD5
896f5432b86548c7115ea988fdcdc17e

SHA1
7b949ecef060ea8613eb037fea26c838d4ff45bc

SHA256
84efc484fbf8009abd86b839fe2b0d7dacb6b05d47560969302411ba1f52f009

SHA512
159e8f2b9add061cb3cf5290574e768e6a89e15bb1292793d9ca874b0bee60c9b5116e0e9ef28be24ed7e82e4613b273adcce756f470f6d877098494bf5375e8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
316af8ee4b5eb702a47667b67f946989

SHA1
b2ab9d7ca45f83984b18d4efa007dfc27d2a3537

SHA256
0b5c1d9adb835451c30fe0f9af015689d862a481c5bcacd398115eee1281647f

SHA512
3bc08c6c6c929d5dbbe3332a082201adf53d43f5290d0c1c4c9e178324529bc1b029c59ef808814f39ea10dab96304451fb1d9c0383e787b515321a60004abee

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\00cf0faa3d37faa0ea2d240c1ca307ef\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
75c84340d765d73eac1c743a31b6571a

SHA1
52aeef700a52b8e687316f42816eb9c0599354df

SHA256
b72a1f7da8b3c3dc95c2252319f6f3e71c81ed8bd59a5b31bd2861e14c364459

SHA512
9a9cdbc3a103e733150fae265c594dd7378ca402521387e466732f2431472a6a0e6cb4dfe02fe9f5b975a1739c685471ad2a4dddcdf6f12c4b5be469832fd5f1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\89e706b456ff4f54b4259b9c4839e028\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
369c2cb8bf904840f8ba6f524e523aee

SHA1
ce850c5ad1b61d160e408e4a05a9d1c406e9be36

SHA256
6261e4df77ce4cda6633295511aa849bc8592b6200917058cb7bbe085a2a4f00

SHA512
586148167e0d56a34dd715e5819557aac750d2e18616e88789c6ab6b990323c6deebe912646132d768f6e3d3b328213748d34b4996b8f9f0589e371ee8c8ec35

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a7f6ccececd07fc64a2ac19959d5055d\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
cc4a9f3a51590cb4604428706373fec0

SHA1
6af9cc90acfe9fc6380671099b95559e8e7208fa

SHA256
66366d0971c935c9f2c8f51995a07f9b154f7f57c96a3683c1801bda5bc27483

SHA512
30fd2b0ffc617ba045563df63dee6b31b0c67c19aa4e77d7b4c319d9c2eaf672061f81b6bff72e74001eb411ff8b797633bfff62d7b084deddb075951cff6318

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b3c0e2a59dd543c74c4b0ab052afa95c\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
4262cc1956820a5438b44ea90b5e16b1

SHA1
05eb22b8f85fbed4c15ca0a979f87f424f08257c

SHA256
cb79f80adb5403cbf723d90b2bceb7363feb8c4b58448e961c4115fbae4018ed

SHA512
79a35168ee6b3e2a3d266694da4cc9268ffefa9cb15df9b62db8b5b457790dbde58dc08ab736e6da576145d748761f33991b8fc016a20c631d4e75fdad64adc7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDBDE.tmp\ehiVidCtl.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
4c1b7b31fc5566d60c8b043ab5bad245

SHA1
3e349cbc0e7a5b835221c76621d0adab516446bf

SHA256
f68a7d89c7c0d67118b6f33db95566d6aca17f19a997ef1e5e83f9114b6369c8

SHA512
4348060220f67430dbea6dbae1a4807e6b6d9e24139c55b3ea0fd80505212e9570d50dc0173f78322f3dac860e04d044a0ce289d0ec5f6cced3eb0cd9528251c

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
e2771708b811d52f15217f4a63302ce1

SHA1
5f3ebcd06a5f5f4fc42b9e619882d9ab1952b523

SHA256
a0644e7b47d90bde4dfd35efb9564523f5668b14ebd010e4f11a35d59a0aee33

SHA512
92b0d7eb956c6a177b20faebcdf8a69c619096e2af03828b88085266d521c2deeed406134f6eb51418b3779b12b6ae6330ca7d68cbe5851c55da6f616c711883

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
c3e4561f1607195b8546e0de78cf10fe

SHA1
560d7f041a3797c2796c928fa2fa492775ed5777

SHA256
9131e8e794c5f1d719fa402514bf5d71541512fc23e053c9c11d8f3b3c191632

SHA512
6ca46211de9cc124e3fae8da9445c2413dc4d9d034dae794e1e56a6214f640049082793498353a3fde9d77cde2cb52ac83f64da714bed2841efd6b1116402eb0

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
f8ca6829e91cf2cf5db7c2c4feeeb035

SHA1
ebeb5954585effc0d865cfc59fc7d86d7b47e94b

SHA256
c2f67eb21997b506fc85c1f6904fe00c9f3d6aa3f3218bff089957636ac263d2

SHA512
6d38e955c8b1bd4463e7679e5da3bcdf152ca56e74f75c252aa92476a52f776deab0216f8f93ca2857a377454e89563b0b4a21f96b5a8ba175dfe28dabaf0954

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
1094fb858ae2916d63c0e7688d1b906a

SHA1
1f950f549e376b269adbf2e9d6058567dbe2f0f4

SHA256
31ac2118e4c8dce697c85a3e6f264b5a9c258beec20ede93d76f658f529a0a28

SHA512
9840d02cb7d42fe8072da9f5ecb922db4f8b107f4e1434c09856ffb1a62cb3eae36cc158a3226b842385a7a6580787c09e9b1205dc586af97b752aa02a5218e8

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
ca96654ef6484be3fb36f001e6fbd53c

SHA1
bfb336cd05a7a2f35be8511053a12a8ce9afb768

SHA256
cd1f90675b82f40352a51d4489b8f6d27982bd405b714fd11f8a80a02103a3c5

SHA512
0c008c134551017b1be36a2117ce0443a28859a1da80e9f1da12dc0f0fb0a60bffac90329f119649e9abc3be18f536544b283e23c0ed0478d1f378fc416eee40

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
af35512fea0a00c4487b1ed3337e8977

SHA1
15aaed49a0dbfc67fa910b83f770fedec56e65ee

SHA256
61be3d7ac5908657141d66dcdd46a53d2f12580c3816f420c57e545dfd2a4bb5

SHA512
1a31a6b98e3efe8dc67ec52bf87a553285fbcd5aca2430577a038f8686ce9923e0c09774de79f5614468650c947fa9ee64b47f48f72956108b75b02be0f36b2b

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
3c4ef5540904c1a0f54b5a50188640b1

SHA1
b743171e9fea1e3a5ebfa3f9455e1d1e9d160add

SHA256
e735d350a69dd139fdfcd0a199e8cbce10e06ce2c8939d4599781856f58c88f6

SHA512
0cb9ad5eaaa17c302d630302d8201234b1a86a4cf5b5cc82420c67c0c7183a903f61fd5a2a3a08e557d046a2f511718ef4f63b41c5d78e17ede0cc1c98b899bd

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
b715877771476415d36c788df1e65d91

SHA1
029f573fc18ca29014133b63428e79cf0c95b15f

SHA256
da743a7522ce2e78c189112a99812664933fbf554cd3bd4c0dc8db9630137bdb

SHA512
ca7337fd4bf24c5028b0339426cc8b665d3ed3f826b348b99e0674e8dc6a82fe9d0ffb1617db801d9fbbd3a92ac228eb5e0f529b7364411df54dd55c76449861

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
9a205e6769699ef35a8e82942cfea237

SHA1
21c011ac684cf7737815a70b58a3c6f376f4a01a

SHA256
04058be5925e416dccd360c22741b977e751c1c9b391b956a222dd78082fe039

SHA512
7e62ae74bc34419a82db8db544e20a56b2b0160f4f2e6d51d38cb0f481da028abe3668819c06d7508b8be07d27048c4f989aead0f139483a8675dec73fe44184

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
d1573e7a8f8cf9b7650a53d69a0facc9

SHA1
46f6b1c8b411678c5dd643245aee91f239b27b7c

SHA256
bd53a12ee373a792f930428a3af136c6f4f22a4f219dbebc179b9d9f58405e74

SHA512
521984341d54b3bbce1fbcdecd1383813472123afd7807f1fe793117a9dc6993eeca67ff81b86d7aaf8079b85ee24c00f6696a22e3ef4f2d22816f9b3280ce0d

Download Submit
memory/836-920-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/836-881-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/864-1077-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/864-1093-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1056-99-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1056-105-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1056-241-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/1056-96-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/1232-616-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1232-809-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1316-313-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1316-984-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1316-432-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1320-367-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1320-456-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1364-574-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1364-601-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1524-592-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1524-743-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1584-1032-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1712-649-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1712-844-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1740-79-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1740-0-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1740-9-0x0000000000260000-0x00000000002C6000-memory.dmp

Filesize
408KB

Download
memory/1740-1-0x0000000000260000-0x00000000002C6000-memory.dmp

Filesize
408KB

Download
memory/1780-340-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1780-434-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1796-1068-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1816-256-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1816-248-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1816-418-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1816-254-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1820-397-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1820-461-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1832-992-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1876-1096-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1920-510-0x0000000100000000-0x0000000100149000-memory.dmp

Filesize
1.3MB

Download
memory/1920-419-0x0000000000730000-0x0000000000879000-memory.dmp

Filesize
1.3MB

Download
memory/1920-522-0x0000000000730000-0x0000000000879000-memory.dmp

Filesize
1.3MB

Download
memory/1920-416-0x0000000100000000-0x0000000100149000-memory.dmp

Filesize
1.3MB

Download
memory/1960-772-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1960-732-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2008-34-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/2008-27-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/2008-26-0x0000000100000000-0x000000010013B000-memory.dmp

Filesize
1.2MB

Download
memory/2008-126-0x0000000100000000-0x000000010013B000-memory.dmp

Filesize
1.2MB

Download
memory/2028-871-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2028-654-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2040-653-0x0000000100000000-0x00000001001AB000-memory.dmp

Filesize
1.7MB

Download
memory/2040-550-0x0000000100000000-0x00000001001AB000-memory.dmp

Filesize
1.7MB

Download
memory/2088-511-0x0000000100000000-0x000000010012C000-memory.dmp

Filesize
1.2MB

Download
memory/2088-637-0x0000000100000000-0x000000010012C000-memory.dmp

Filesize
1.2MB

Download
memory/2148-876-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2148-846-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2208-378-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2208-410-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2216-130-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2216-133-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2216-138-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2216-412-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2220-294-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2220-287-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2220-272-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2220-430-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2264-970-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2264-1046-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2264-1035-0x0000000003D60000-0x0000000003E1A000-memory.dmp

Filesize
744KB

Download
memory/2280-614-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/2280-492-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/2404-1057-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2404-827-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2404-352-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2404-435-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2456-934-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2456-918-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2500-759-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2500-581-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2592-1001-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2592-1018-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2704-848-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2704-760-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2760-638-0x0000000100000000-0x000000010012D000-memory.dmp

Filesize
1.2MB

Download
memory/2760-525-0x0000000100000000-0x000000010012D000-memory.dmp

Filesize
1.2MB

Download
memory/2804-1080-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2840-60-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2840-65-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download
memory/2840-74-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download
memory/2840-269-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2892-870-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2892-879-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2944-591-0x000000002E000000-0x000000002E14C000-memory.dmp

Filesize
1.3MB

Download
memory/2944-457-0x000000002E000000-0x000000002E14C000-memory.dmp

Filesize
1.3MB

Download
memory/2992-951-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2992-458-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2992-579-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3020-627-0x0000000100000000-0x000000010015B000-memory.dmp

Filesize
1.4MB

Download
memory/3020-818-0x0000000100000000-0x000000010015B000-memory.dmp

Filesize
1.4MB

Download
memory/3056-121-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/3056-85-0x00000000004F0000-0x0000000000556000-memory.dmp

Filesize
408KB

Download
memory/3056-87-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/3056-80-0x00000000004F0000-0x0000000000556000-memory.dmp

Filesize
408KB

Download
memory/3060-310-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/3060-309-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/3060-338-0x0000000002680000-0x00000000028F0000-memory.dmp

Filesize
2.4MB

Download
memory/3060-73-0x0000000002680000-0x00000000028F0000-memory.dmp

Filesize
2.4MB

Download
memory/3060-61-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/3060-62-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/3060-564-0x0000000002680000-0x00000000028F0000-memory.dmp

Filesize
2.4MB

Download