c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5

Analysis

max time kernel
142s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-02-2025 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
Size

1.7MB
MD5

6f36e6da03eb62a52c3e68883b482921
SHA1

5c34272697226dc1eac33254017aacb3424db963
SHA256

c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5
SHA512

f7a600c3a8993b0ad8e82f164f12ab8fc32d7545fe86bd609fe5b4388e579e47a7877d71b4ff2bb047750c5ced0ef9d8334c4be9d388cc582ff1a6370f206a8b
SSDEEP

24576:5Wd7S8NK3oYLkTcDvebZI7LrS/85RkVt7jKsqjnhMgeiCl7G0nehbGZpbD:5KxNuLkTcKb4rSUfkVFjeDmg27RnWGj

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2704	alg.exe
2820	aspnet_state.exe
2580	mscorsvw.exe
2960	mscorsvw.exe
516	mscorsvw.exe
2000	mscorsvw.exe
1200	ehRecvr.exe
1552	ehsched.exe
1500	elevation_service.exe
1936	IEEtwCollector.exe
2664	GROOVE.EXE
1264	maintenanceservice.exe
2424	msdtc.exe
2724	msiexec.exe
2780	OSE.EXE
2404	perfhost.exe
1944	locator.exe
3008	snmptrap.exe
764	mscorsvw.exe
2372	vds.exe
2064	vssvc.exe
1752	wbengine.exe
2944	WmiApSrv.exe
700	mscorsvw.exe
2980	wmpnetwk.exe
2340	mscorsvw.exe
3064	SearchIndexer.exe
2716	mscorsvw.exe
2244	mscorsvw.exe
2880	mscorsvw.exe
2016	mscorsvw.exe
828	mscorsvw.exe
1884	mscorsvw.exe
1216	mscorsvw.exe
1840	mscorsvw.exe
2880	mscorsvw.exe
940	mscorsvw.exe
2940	mscorsvw.exe
2996	mscorsvw.exe
2572	mscorsvw.exe
2452	mscorsvw.exe
1820	mscorsvw.exe
2616	mscorsvw.exe
288	mscorsvw.exe
1484	mscorsvw.exe
880	mscorsvw.exe
1160	mscorsvw.exe
2272	mscorsvw.exe
288	mscorsvw.exe
1180	mscorsvw.exe
836	mscorsvw.exe
1068	mscorsvw.exe
2536	mscorsvw.exe
2560	mscorsvw.exe
2356	mscorsvw.exe
2616	mscorsvw.exe
2380	mscorsvw.exe
1952	mscorsvw.exe
2480	mscorsvw.exe
2512	mscorsvw.exe
2344	mscorsvw.exe
1748	mscorsvw.exe
288	mscorsvw.exe

Loads dropped DLL 56 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2724	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
756	Process not Found
2560	mscorsvw.exe
2560	mscorsvw.exe
2616	mscorsvw.exe
2616	mscorsvw.exe
1952	mscorsvw.exe
1952	mscorsvw.exe
2512	mscorsvw.exe
2512	mscorsvw.exe
1748	mscorsvw.exe
1748	mscorsvw.exe
2028	mscorsvw.exe
2028	mscorsvw.exe
2192	mscorsvw.exe
2192	mscorsvw.exe
1124	mscorsvw.exe
1124	mscorsvw.exe
836	mscorsvw.exe
836	mscorsvw.exe
2528	mscorsvw.exe
2528	mscorsvw.exe
2988	mscorsvw.exe
2988	mscorsvw.exe
2016	mscorsvw.exe
2016	mscorsvw.exe
2712	mscorsvw.exe
2712	mscorsvw.exe
2908	mscorsvw.exe
2908	mscorsvw.exe
2380	mscorsvw.exe
2380	mscorsvw.exe
1712	mscorsvw.exe
1712	mscorsvw.exe
2108	mscorsvw.exe
2108	mscorsvw.exe
2276	mscorsvw.exe
2276	mscorsvw.exe
1600	mscorsvw.exe
1600	mscorsvw.exe
2836	mscorsvw.exe
2836	mscorsvw.exe
2940	mscorsvw.exe
2940	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Windows\system32\vssvc.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Windows\system32\wbengine.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Windows\System32\vds.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Windows\system32\msiexec.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\99bb6f1b5f6c6349.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C3A4D3BC-D67A-4D2A-B0ED-B4E62D27E02C}\chrome_installer.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCA90.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD00C.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC774.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC2A3.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAFBF.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA4A8.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBE6F.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B4E.tmp\Microsoft.Office.Tools.Excel.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBB05.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{C30D77C3-819E-4839-B876-5307B2455AF1}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000eb48fde281db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\Explorer.exe,-312 = "Play and manage games on your computer."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32820 = "Indexed Locations"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100 = "Sound Recorder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114 = "Windows Fax and Scan"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001 = "iSCSI Initiator"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2436	jp2launcher.exe
880	ehRec.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
Token: SeShutdownPrivilege	516	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: 33	572	EhTray.exe
Token: SeIncBasePriorityPrivilege	572	EhTray.exe
Token: SeDebugPrivilege	880	ehRec.exe
Token: SeShutdownPrivilege	516	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeRestorePrivilege	2724	msiexec.exe
Token: SeTakeOwnershipPrivilege	2724	msiexec.exe
Token: SeSecurityPrivilege	2724	msiexec.exe
Token: SeShutdownPrivilege	516	mscorsvw.exe
Token: SeShutdownPrivilege	516	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: 33	572	EhTray.exe
Token: SeIncBasePriorityPrivilege	572	EhTray.exe
Token: SeBackupPrivilege	2064	vssvc.exe
Token: SeRestorePrivilege	2064	vssvc.exe
Token: SeAuditPrivilege	2064	vssvc.exe
Token: SeBackupPrivilege	1752	wbengine.exe
Token: SeRestorePrivilege	1752	wbengine.exe
Token: SeSecurityPrivilege	1752	wbengine.exe
Token: SeManageVolumePrivilege	3064	SearchIndexer.exe
Token: 33	2980	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2980	wmpnetwk.exe
Token: 33	3064	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3064	SearchIndexer.exe
Token: SeShutdownPrivilege	516	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeDebugPrivilege	1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
Token: SeDebugPrivilege	1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
Token: SeDebugPrivilege	1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
Token: SeDebugPrivilege	1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
Token: SeDebugPrivilege	1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
Token: SeShutdownPrivilege	516	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	516	mscorsvw.exe
Token: SeShutdownPrivilege	516	mscorsvw.exe
Token: SeShutdownPrivilege	516	mscorsvw.exe
Token: SeShutdownPrivilege	516	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	516	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	516	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	516	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	516	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	516	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	516	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	516	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	516	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	516	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeDebugPrivilege	2704	alg.exe
Token: SeShutdownPrivilege	516	mscorsvw.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
572	EhTray.exe
572	EhTray.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
572	EhTray.exe
572	EhTray.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
2436	jp2launcher.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
2436	SearchProtocolHost.exe
2436	SearchProtocolHost.exe
2436	SearchProtocolHost.exe
2436	SearchProtocolHost.exe
2436	SearchProtocolHost.exe
996	SearchProtocolHost.exe
996	SearchProtocolHost.exe
996	SearchProtocolHost.exe
996	SearchProtocolHost.exe
996	SearchProtocolHost.exe
996	SearchProtocolHost.exe
996	SearchProtocolHost.exe
996	SearchProtocolHost.exe
996	SearchProtocolHost.exe
996	SearchProtocolHost.exe
996	SearchProtocolHost.exe
996	SearchProtocolHost.exe
996	SearchProtocolHost.exe
996	SearchProtocolHost.exe
996	SearchProtocolHost.exe
996	SearchProtocolHost.exe
2436	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2744	1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe	32
PID 1764 wrote to memory of 2744	1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe	32
PID 1764 wrote to memory of 2744	1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe	32
PID 1764 wrote to memory of 2744	1764	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe	32
PID 2744 wrote to memory of 2436	2744	javaws.exe	63
PID 2744 wrote to memory of 2436	2744	javaws.exe	63
PID 2744 wrote to memory of 2436	2744	javaws.exe	63
PID 516 wrote to memory of 764	516	mscorsvw.exe	54
PID 516 wrote to memory of 764	516	mscorsvw.exe	54
PID 516 wrote to memory of 764	516	mscorsvw.exe	54
PID 516 wrote to memory of 764	516	mscorsvw.exe	54
PID 516 wrote to memory of 700	516	mscorsvw.exe	59
PID 516 wrote to memory of 700	516	mscorsvw.exe	59
PID 516 wrote to memory of 700	516	mscorsvw.exe	59
PID 516 wrote to memory of 700	516	mscorsvw.exe	59
PID 516 wrote to memory of 2340	516	mscorsvw.exe	61
PID 516 wrote to memory of 2340	516	mscorsvw.exe	61
PID 516 wrote to memory of 2340	516	mscorsvw.exe	61
PID 516 wrote to memory of 2340	516	mscorsvw.exe	61
PID 3064 wrote to memory of 2436	3064	SearchIndexer.exe	63
PID 3064 wrote to memory of 2436	3064	SearchIndexer.exe	63
PID 3064 wrote to memory of 2436	3064	SearchIndexer.exe	63
PID 3064 wrote to memory of 2884	3064	SearchIndexer.exe	64
PID 3064 wrote to memory of 2884	3064	SearchIndexer.exe	64
PID 3064 wrote to memory of 2884	3064	SearchIndexer.exe	64
PID 516 wrote to memory of 2716	516	mscorsvw.exe	65
PID 516 wrote to memory of 2716	516	mscorsvw.exe	65
PID 516 wrote to memory of 2716	516	mscorsvw.exe	65
PID 516 wrote to memory of 2716	516	mscorsvw.exe	65
PID 516 wrote to memory of 2244	516	mscorsvw.exe	66
PID 516 wrote to memory of 2244	516	mscorsvw.exe	66
PID 516 wrote to memory of 2244	516	mscorsvw.exe	66
PID 516 wrote to memory of 2244	516	mscorsvw.exe	66
PID 516 wrote to memory of 2880	516	mscorsvw.exe	74
PID 516 wrote to memory of 2880	516	mscorsvw.exe	74
PID 516 wrote to memory of 2880	516	mscorsvw.exe	74
PID 516 wrote to memory of 2880	516	mscorsvw.exe	74
PID 3064 wrote to memory of 996	3064	SearchIndexer.exe	68
PID 3064 wrote to memory of 996	3064	SearchIndexer.exe	68
PID 3064 wrote to memory of 996	3064	SearchIndexer.exe	68
PID 516 wrote to memory of 2016	516	mscorsvw.exe	69
PID 516 wrote to memory of 2016	516	mscorsvw.exe	69
PID 516 wrote to memory of 2016	516	mscorsvw.exe	69
PID 516 wrote to memory of 2016	516	mscorsvw.exe	69
PID 516 wrote to memory of 828	516	mscorsvw.exe	70
PID 516 wrote to memory of 828	516	mscorsvw.exe	70
PID 516 wrote to memory of 828	516	mscorsvw.exe	70
PID 516 wrote to memory of 828	516	mscorsvw.exe	70
PID 516 wrote to memory of 1884	516	mscorsvw.exe	71
PID 516 wrote to memory of 1884	516	mscorsvw.exe	71
PID 516 wrote to memory of 1884	516	mscorsvw.exe	71
PID 516 wrote to memory of 1884	516	mscorsvw.exe	71
PID 516 wrote to memory of 1216	516	mscorsvw.exe	72
PID 516 wrote to memory of 1216	516	mscorsvw.exe	72
PID 516 wrote to memory of 1216	516	mscorsvw.exe	72
PID 516 wrote to memory of 1216	516	mscorsvw.exe	72
PID 516 wrote to memory of 1840	516	mscorsvw.exe	73
PID 516 wrote to memory of 1840	516	mscorsvw.exe	73
PID 516 wrote to memory of 1840	516	mscorsvw.exe	73
PID 516 wrote to memory of 1840	516	mscorsvw.exe	73
PID 516 wrote to memory of 2880	516	mscorsvw.exe	74
PID 516 wrote to memory of 2880	516	mscorsvw.exe	74
PID 516 wrote to memory of 2880	516	mscorsvw.exe	74
PID 516 wrote to memory of 2880	516	mscorsvw.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
"C:\Users\Admin\AppData\Local\Temp\c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Program Files\Java\jre7\bin\javaws.exe
  "C:\Program Files\Java\jre7\bin\javaws.exe" -J-Djdk.disableLastUsageTracking=true -SSVBaselineUpdate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Program Files\Java\jre7\bin\jp2launcher.exe
    "C:\Program Files\Java\jre7\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre7" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlN1xsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTdcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlN1xiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGxpYlxwbHVnaW4uamFyAC1EamRrLmRpc2FibGVMYXN0VXNhZ2VUcmFja2luZz10cnVlAC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGJpblxqYXZhdy5leGUALURqbmxweC52bWFyZ3M9TFVScVpHc3VaR2x6WVdKc1pVeGhjM1JWYzJGblpWUnlZV05yYVc1blBYUnlkV1VB -ma LVNTVkJhc2VsaW5lVXBkYXRlAC1ub3RXZWJKYXZh
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2436

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2820

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2580

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 24c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 250 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 270 -NGENProcess 260 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 24c -NGENProcess 264 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 24c -NGENProcess 258 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 250 -NGENProcess 264 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 27c -NGENProcess 1d8 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 284 -NGENProcess 268 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 254 -NGENProcess 250 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 264 -NGENProcess 284 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 290 -NGENProcess 288 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 298 -NGENProcess 258 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 28c -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 298 -NGENProcess 264 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 264 -NGENProcess 27c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2a0 -NGENProcess 258 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a8 -NGENProcess 28c -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2ac -NGENProcess 288 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2b0 -NGENProcess 2a0 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 218 -NGENProcess 268 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 240 -NGENProcess 29c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1f0 -NGENProcess 23c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1d4 -NGENProcess 268 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 29c -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 29c -NGENProcess 1f0 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 1c4 -NGENProcess 248 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 248 -NGENProcess 1e8 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2b4 -NGENProcess 1f0 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 1f0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 27c -NGENProcess 1e8 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1e8 -NGENProcess 2b4 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 2ac -NGENProcess 1c4 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 1c4 -NGENProcess 27c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2b0 -NGENProcess 2b4 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2b4 -NGENProcess 2ac -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 240 -NGENProcess 2a0 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 2a0 -NGENProcess 2b0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 28c -NGENProcess 2ac -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 240 -NGENProcess 2b8 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 268 -NGENProcess 2ac -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 240 -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 284 -NGENProcess 2bc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2bc -NGENProcess 268 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2b0 -NGENProcess 218 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 284 -NGENProcess 2d0 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2ac -NGENProcess 218 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2cc -NGENProcess 2d8 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 28c -NGENProcess 218 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 218 -NGENProcess 2d4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 2e0 -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 28c -NGENProcess 2e8 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2b0 -NGENProcess 2d8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d8 -NGENProcess 2e4 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:1160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f0 -NGENProcess 2e8 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2e8 -NGENProcess 2b0 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2f8 -NGENProcess 2e4 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e4 -NGENProcess 2dc -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:1852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2d0 -NGENProcess 2fc -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 304 -NGENProcess 2e8 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2e8 -NGENProcess 2e4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2f0 -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 2e4 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2e4 -NGENProcess 2fc -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2b0 -NGENProcess 314 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 31c -NGENProcess 2f0 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2fc -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 314 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2fc -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 314 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 330 -NGENProcess 32c -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 31c -NGENProcess 314 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 33c -NGENProcess 328 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 32c -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 314 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 328 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 340 -NGENProcess 350 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 330 -NGENProcess 328 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 34c -NGENProcess 358 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 2fc -NGENProcess 328 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 35c -NGENProcess 330 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 358 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 328 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 330 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 358 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 328 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 368 -NGENProcess 378 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 328 -NGENProcess 35c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 384 -NGENProcess 358 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 364 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 384 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 358 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 364 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 384 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 398 -NGENProcess 394 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 330 -NGENProcess 384 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 384 -NGENProcess 39c -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 3a8 -NGENProcess 394 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 394 -NGENProcess 330 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3b0 -NGENProcess 39c -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3a8 -NGENProcess 3b8 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 37c -NGENProcess 39c -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 3bc -NGENProcess 3b0 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3b0 -NGENProcess 3a8 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3c4 -NGENProcess 39c -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 3c0 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:1468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 3a8 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 39c -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d0 -NGENProcess 3cc -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3bc -NGENProcess 39c -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:1908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3dc -NGENProcess 3c8 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3d0 -NGENProcess 3e0 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3c0 -NGENProcess 3c8 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3e4 -NGENProcess 3dc -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3e0 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  PID:1060

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:288

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:1200

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1552

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:572

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1500

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:880

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1936

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2664

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1264

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2424

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2780

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2404

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1944

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2944

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2436
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  PID:2884
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
28befc0d73e7fcd09e07f54e74668c3a

SHA1
80a12462fffe17c57a0b2a89dcb804e032343f8d

SHA256
9c915ef85d6029e61e5e7462dc8d83362b110b6b6e8c9f6eba5b4f78ee436893

SHA512
ae99af1eed71cb1dd9f661bac4e020e688842d36a048a3fc2486ca0e8ca92e6ba2d0cb9cf92e1bbefde82e46473344967466108fb8eb75b57f272bf36b9fe567

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
5d0539870f11932298941c89906fc7bf

SHA1
9bec77cb20bf1cc286eb470a652df64c1798ce3c

SHA256
98ae3982c94030661120ef27d40fb2ebc6bee2f731475b937fd7b474f39b2f6e

SHA512
e5a5c2cf2d498040fa1c75a8502ad0f10bfd9d32aa7e41b4147c8158530300f53c4c386922badb302db459d84d675364dbcea0fcb4d8beed0ad13afe6be937ff

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
91d082553e1ecb7b6c46e313ef57979a

SHA1
421c3dedc7782c3b5064e6ac4dbd67d02467ac89

SHA256
50ac5569e7f5fb84a9db8d4402287941d409ad270e2eedeb5552f62d6fd44e3a

SHA512
bab03df36d3234bca90f4ba8bf631ef06afa29ae62277a44e9ceef041a963de21837cf650e4aaa3de5151004008e29edbe5649784f55e376d1064b99b491033d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
02dc7b09be116919ed3f9b5436ffce69

SHA1
9b7eacc9cbcd08f9b7a392474f62984ccd0ff150

SHA256
449cb59b4fcbcb4ca9f892b4e2e663ce3b0a73f74b2f46039da47a29a2110c10

SHA512
49c679a65d0875e98d595ed592e0790dfed774222c0c8f8cb098fe81a009dfdb77f7e13434292263cf9e17173a58585ebe0aafc089a790590902a2a71fdb7f4c

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
51da34a4f22540e7676f7e66bbb3d544

SHA1
963a8594079797affc9f8761097d2923fbdaaa79

SHA256
9f28ece875b6bbe68f45aa53fc6d82f4891ba8112988e67c9d09c564ff6fced6

SHA512
33cc454adcbf59703a93e68a0523ff49a6e5dea120cfb16f4e5b74417b0bff426e8cf6c6adca7cc92c2a7f65ce626e7eece84b8f3f5c4199afce2a7a6c6f524f

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\46ceb172-4a168874

Filesize
12KB

MD5
f9e48186bd918afaf08544e709341184

SHA1
978f291344ab0d51dddcb661dbf05034073f15aa

SHA256
32ec1dd00faab8c0fbd489644fef40f70a509fbdb578e1b9854876f380572ca4

SHA512
f735a4d6dd3620a51c2e1454c2a105c83b76bf26b5f9f1df3ce79308b56c6a9789ed49e527eedbb1723714fffaac247b374f2f188dcdf53249fd65214e8dbb68

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
685B

MD5
35ccc2008001a9b13d66357e0e18c04f

SHA1
73e9328598d1955cf7c316b749344e1efc7fd1f7

SHA256
58cea147cc58e3e003f7735dcdf7deaa3290ae0491065c5abd006215e6aad173

SHA512
f5031f9ae2701718e4bec5ad9a05102fa48f2f677143c7fc295a2c2153f2fdd25ab7894a2abd9b5f0d3cf06e90587948db025f3562385b836c7fc75280b59ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jar_cache3320351896179464321.tmp

Filesize
12KB

MD5
f47403fc5f6534d1eb5e6a4088c86d84

SHA1
ed2116d28be10439a9f35145a21535ecfba196f5

SHA256
ec77ef8b1cbf32edf02950406ca4fcb7edcef00bf498b1a714d734363881b97a

SHA512
937af202eedc100d0cd146554cbd2a98c580210ece2f0e92a1f7d6d1dfc49cd9f0e47867e707fb6e57725ae62210d38af2df25062ac838e3ac42b3b4c37ec90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
4KB

MD5
dac0c3f2b37058d6a44d4db246d90098

SHA1
275fc844efe8d2007873e2ee4ca6acf18c5e598e

SHA256
fa57527b562c6ef385667fc05b51f8afe264eb79973b9e155cfc66cd5734dc15

SHA512
90db1f040c85b4ee93c14852fe858964dcdbfc6950ebf7eefcec26271d1043ac59dd920a85ebe891a8209e6602b1b24fa5ce564e491e763cdd3801ffd1c2520e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
3553c679922db2e988d74cbaca740156

SHA1
5eebcdbb4916fda11b6cf9ee64df427916d55f8b

SHA256
cd02a2c6b57898a7dea5e95508cf03124f1d746c2e774cbd3b7eaf45d06d1058

SHA512
344ae2ecb8a75f4d4c3d5c4b4dbc47e402368835eb95426d37b2bfe4d73cf3306146c4aa13827fa32e8a7fdb911682470ed2d066a2f1ed528c858db43bf51d1b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
7f1e12cf2ad0e314850d0d255e37e67f

SHA1
7919c7e0031eaec238b58109ce98567a3e35e4e1

SHA256
016bc52abf5f4d8f00dcafcdddac657d408bb63faf8b3a9d5fbb89717bae3582

SHA512
27c240a16e8d69aa6fc619935fc5efa8806e212ee5b834553260a1f0b75136b902e566b4fc8713612399f11c9148e0925514393d6ec2c07779183048f4cc472a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
5d63ad83c03bada8785316f2aa842731

SHA1
968a95116bafd1b5f5aeaf673fe02df76d4cb5a1

SHA256
2ee2a8b33cbf33f654db560f92d71efc090c954740e83694f6fdf4e09ca8c1cc

SHA512
f10a78564031500e83b9ea8c01acc71767bff9013e29ffb9b3058d0d629256157cef0e0a19f430bf3a11c0e45cebf952bdae3df77fd2ba29798fea0d0608c0ac

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
845183ba6f5cf6e19e2f77108798d8d5

SHA1
4d0c92e32585eb30dddaf0fcb16e30c00523a5f7

SHA256
519aa32b6547349907c3104db18754086d66257b690ca8edb4105ff01024dea9

SHA512
7a6c11de5eff50e380fab6faeb26d4014292591e92ee9252d16670ef811d1c1f4dce447fcaff1de9cabf20519825c0157d8740b4479605cf57b151aff55ce5e8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
1b713e17d5e0df6a7e90ee3bcb59ea12

SHA1
98e927ae70d9b2add0fb5f8cf2ba799c5682016f

SHA256
b0923d7be700cf36f70f09fc231fb301b8ca6449bc836aed3f7e5a6ba127e0d4

SHA512
50578c2c99710fcec00fc9782a443758ae253dcb8e9f2201c673f8d3763b6df081d82bd7030cf42268413a9658fbaa5a624d0d18793f3598535a72073acf3048

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
46dd16057a43c32043f445f2876c23b1

SHA1
29ae59ccc97e0b108af453531200ca9667d7ef22

SHA256
11d5305c4725da28e9b14897b6b28e9708b4838642cf40643e7eed57e7062721

SHA512
64184bd0914eb656d2c0aab47d5ac082239d3b92755a0e519080d5e70a735de2c03dd7a4eabcc747fa3d503643a31cbde58dd6324dec90dcf43631b85ba4120b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
4be825489167eb8e8c6cb87f41773feb

SHA1
ac1c79f4f37c65844172aeb8292e6a2f4d463ee3

SHA256
aeafca802de397b09b63c9bd3c8cea89685f6181190115e6000570749ab3eee4

SHA512
840ee5e35924b6e6123b05060e6c97bf37d6994d85e0b026b3ad3deb472b7db0a952238909464d78fdd59e08fd4c0b84e0bdb725a654931aee24a7ade3a3a5a0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
dd15d708132663e84758f43ba4e11328

SHA1
a86dcab0c4a64ed0be050f5f8ee7ffae7d439368

SHA256
94a48b1bdade34e52154c8163d6eb86efe238e1de1ebf456c3c549d57d5796e7

SHA512
645790fba5416da1ed0c50852a519ad2bb764f4252dbce94b9fad5df2917b0d4333868b30ca9a4171b0580a21faf5b32f030522b1f0b7d6c87f7cb0f4ac9ef52

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
2603c04c84925a42effe2c7b7de4659a

SHA1
dbf9ccf1d938ae2cdedd773d8ac2e621ff55447e

SHA256
51e6887f22c0c79c39928bae6ff3bcc772cdba2d45b6d8b00d4b897bdedacdce

SHA512
820c083836e4844125cc4eafe0a576acfc6caae454e700a36df0fc73e15eb1d96910daad13cc480ea5c7d25972eebf6555e8e99f0ee3604d36f463114e9bfec6

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
d100748d35c83e235657adaaa3bea960

SHA1
6984aeb77c8aea39f223e0852b76c677b90b19b6

SHA256
aa7d9269cb249d90f8829485d0b9a42af8994a7da1cf3eab70dc5fba4c11152d

SHA512
86d114a8f327b974d75b91591e1d913d52f3ddbf94232416ebc7fb38b0966c6e761e9e6938e45a7ea4d496a74a58b4947e31560341d52e3ed302f53fabad9782

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
40fb5afb48c4d90bafe0af3fb71bf7f5

SHA1
1778ea331c2fa7a8b437143369de22800bc48127

SHA256
e2db2b1e94f69cee94ad83e62b236c393461c4a56bd8f69601ba077745019854

SHA512
f17472e92641207dcccbb7bed3460a8c1d204236a94d66b5ceae087bdbb5f78e02087f8d435774902a277a32e9b4de4a51327ae2cd6ab3ca3f8cc458aa06b87d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
7ea895775c6705caf4f82b3211562c1e

SHA1
2dd96413b56776c9fcaed4f0d294fe0c3127a89c

SHA256
a266c20332aeff4bc51585a398080d5c2adc133a922ad0ee624eb1b212e7dca2

SHA512
f19812b34ec4d245d2667bbc3e7a38eb9c14e0a98df5706b67c66e07c4a739b43fc50c973dca2c2a8c26b07c63e4ed81138240f76473bf545ae15ac3ee5a811f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\1f5d757f0db1005daa2dee10d6117655\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
0357fac505a1028f1b803e4170de3a62

SHA1
0ce8e6445a23e02b8b23e964e3cced0f304f556d

SHA256
c0d079e51a8b642b9e7fea65b241204f4d890ec4f81030b6e1cfc86ac8a2c435

SHA512
ebde8c35ffeb88ffdcf14b0e7ef669acd641822e9b3a919aeb8a29b01237a8b3b44e3a446d4a6b2fb53781e944dee94ae471b94ee12e27a279169d51a87acb12

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\44580c91d1cb24c544633046ee2b6d4d\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
8202e0a37956c2d06c19516b892e1612

SHA1
d3a9c49ab1780744b7cee138125838d3bf6fea9d

SHA256
ceddb08a7191ed70d235de14a2bb8d81f97158295ae882f00a3c148f90162d2d

SHA512
415dfafede4eaef27c7e029173a24bf5aa23f3ae3eb989ea8cf97a3ab8165f9c6f1b0c4aebe3cd31dd10396b2acf73b4fab9a91f147f15ea03982b288f11bbbc

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\7166a1df9c92de5d5e2de32217d86c27\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
c66df8f69aa1f52283e909fb1f38b5c2

SHA1
fd1e0eff10253f0fd5c28f391c9c56821a117df5

SHA256
9894cd08fe89d019945f23f24f25e6ff7614a9823f92d2a17c64926c31b32293

SHA512
ad874c22cc0e0cdb1ce3844526aa8d69b038667f2d4c7891c8f3ac67f823b7f15e60e3ab13a977e0b536a2576fcb0b7bb6c4245fb6f9f1db10f5de73cb1a60fa

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\c9d7a1c69c969fa7abc997b7881a73d5\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
b953ec5003213f852c36704912509add

SHA1
16f7aceea1cdaf6eb67b749815d5e118ee8cf27d

SHA256
0736b2f429425f262ed1fde009586ca5415a9e04ec950e4c1ccbcb21b6eaa4a5

SHA512
5734f552d856ba3e6f8926628fe3f4d4217d3ad3d97dd8a090a28b8622a8fd7e8a9a3572e391c05556b512b20cb268b19b09989331ce3426b97d427f5dc02f5a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
5cbb317d2f9234ebd8f3e13a8fb0c9df

SHA1
3dade6fafba6f06586d4dfa628fe652c0a5105f6

SHA256
812b6dc0be5e1ed50b5c75f0da03e44938196ddadd34c27d293aa418bc1c0820

SHA512
3ed868d29782c9e269d0b75b9434f4806ace89953791f3ca815b83177874e78c5b6707026ae35935ce4306815b1bb9e4cb71bb1f24c9f9e666003bda3c64a73c

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
a3e7f4b9a602c7ddb2c4e138f5be35ca

SHA1
72859e04456e7b07a2c24bf47c0b56415bc95cf0

SHA256
6d3e001153fa1152e9935b030dc45c0d6c68476aa837665b4baeb824171ff959

SHA512
90d8bc44278626e6f44b36fee0c908f8405ffd57e82648a32035e74502521f35dd1962e3f5d23a7ae3835f0700d92d260076a75467de8d29a3ca9efcd3a8bcfa

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
51388cb764a83aa8ba29cd51a4787379

SHA1
dd485d4843f1cc8adb9e669f3a6f31cd590eab58

SHA256
4d3c0895c7f6d7cc1f1a8125c8e2ac6b6a1df4821a0afff6226e3ce7942a8518

SHA512
7937f00eed84efb1451bacbfa54aa60570350a803541fc8d4297cf1a7df23235caf15c3e183097fcaecaf50df25d769fb352f00d2d9950f7a636f857c242ed1a

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
6fc76e5c6fa711d1f04c273108993973

SHA1
c7a150553873c6d010f688edae622a60e15f1551

SHA256
dc311458eacf4de2b773aa36888ce394ae7913e12f448d59f92102b87fb93b66

SHA512
fa74cf41694b24a7140916497dd678f710f5510e9f33b92a2975837809a97654abb04a51eae3623e80541b2258f560aa1e64bf24501b4aeaaa96261c405802af

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
a952076270ca38064b37c163e0064d5b

SHA1
580db726da010f67d2c19dce1b7bc75b55893db9

SHA256
23162c10fa5ab4e8f10091a1db5abe5c3c006c1bfe3cee4289c6c4ca638728d9

SHA512
1d5b13d476a58ef5d4dd5d60c9d9d3e5b049b9e587f2941f55128064de4eb7d625de3bd94c8cc392da78dff1653b0241b4c9ad5ea080ede78f7d11946d6801cd

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
c1270aa80804e3a012b6a0fe927a9129

SHA1
0281e9f92b72d97441b2caa2eece4d961812b810

SHA256
d649b56a4c97dc905ab1b862770a595349826a1dcbb5466e3964273a3558802a

SHA512
be0d2d14541375d21c6d08d538b34631a1c113dc2e5a2fad8b9eae6d8a471297439bd30da0f8d8951f3479116c10ce673adeedb53441a66eabf2082501a0d117

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
810fd0713a796eb85485b0034125368d

SHA1
d3831e340807c99c714efa10e4bbcfc4dcc29ef2

SHA256
8015d4d7f1d2f00e0badb573960dd6f4007649199a64c18807c32643ccc51e61

SHA512
22e74d1a2cf958cc729d22ee081383012f4d80fd3318f5eee5eea094ffa87c38cf3762a2331925ab579ff2b56aecae998cf42467f5fb81c607302b0ea041d803

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
05150eed820e8d03076f26f9be21bb9d

SHA1
84681454a1855d4f7da2d11f8e51658231cd290c

SHA256
fbafb327259e4538d413f53a1ca2697ce61724889cadd94b53b0c40da8badc05

SHA512
63a6e9a145095c5ff8e232d133e3cd31315dc966091dc9f8c17ac471e6a51beedeac050104676efe37dc859c4992e126e85abc86d5e1d2b6a04da65f37843527

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
2bc9f0cd4a4ef0fa63a7ee3653059a0b

SHA1
1915da7907574b07319bee7e2e32beeaec875fed

SHA256
5e44bbc0a5e98aa547b0da0e4ed7d0fec544fabf26ca20bc8b08cbdc9cf62370

SHA512
b0db70b2eb84f64f1d856ca4795742c031e565e6a1a81c1357c10d575d0a2b42b4c3b29ef9e88e445b719f27938ee9c51882184cb3485117bccf1c97c7d7cc32

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
42499528965a522e02fdf1372924bbd5

SHA1
6b88bb27f6e2c914c7e3bf6500bf3e322e69fb8d

SHA256
8170daf2228c80a7762fbf6598f28446ea1ae838b3d946fb7d57f9f843c675b4

SHA512
8b83fa1218b7c3eb306ddcf678738b73187fef07774fd5591982945dc28a3c705ffba53575a126dda38aedbd604c3e62a56ffa864b2b37dfa41fea18865005a2

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
f6f29c738379ad8f984103eb6385e506

SHA1
7b3f56d111e64943b2c5d9e5cee241207d71b506

SHA256
e23f59c0bb3f9a592a008905f1c578c92b7b5912446dbb4a771ec998a8349c0f

SHA512
3cf17a2b98cebefba1f57bffd1e9ed1cf5a7d44ac1b14b33fcc9d1498dd4d393f6e6bf65bd976a4595e3090aba0762917401033c2fdd8f461a66c0cfc25b4e7e

Download Submit
memory/516-1226-0x0000000001D50000-0x0000000001D6A000-memory.dmp

Filesize
104KB

Download
memory/516-106-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/516-1234-0x0000000001D50000-0x0000000001D58000-memory.dmp

Filesize
32KB

Download
memory/516-1232-0x0000000001D50000-0x0000000001DD8000-memory.dmp

Filesize
544KB

Download
memory/516-1231-0x0000000001D50000-0x0000000001D60000-memory.dmp

Filesize
64KB

Download
memory/516-373-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/516-103-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/516-1230-0x0000000001D50000-0x0000000001E3C000-memory.dmp

Filesize
944KB

Download
memory/516-1229-0x0000000001D50000-0x0000000001EEE000-memory.dmp

Filesize
1.6MB

Download
memory/516-1233-0x0000000001D50000-0x0000000001D74000-memory.dmp

Filesize
144KB

Download
memory/516-1235-0x0000000001D50000-0x0000000001D7A000-memory.dmp

Filesize
168KB

Download
memory/516-1228-0x0000000001D50000-0x0000000001DF4000-memory.dmp

Filesize
656KB

Download
memory/516-1227-0x0000000001D50000-0x0000000001DDC000-memory.dmp

Filesize
560KB

Download
memory/516-1236-0x0000000001D50000-0x0000000001DB6000-memory.dmp

Filesize
408KB

Download
memory/516-1224-0x0000000001D50000-0x0000000001D5A000-memory.dmp

Filesize
40KB

Download
memory/516-1225-0x0000000001D50000-0x0000000001D6E000-memory.dmp

Filesize
120KB

Download
memory/516-111-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/700-580-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/700-643-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/764-465-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/764-582-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/828-827-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/828-812-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1200-146-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1200-138-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1200-414-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1200-1179-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1200-164-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1200-144-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1200-165-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1216-871-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1216-855-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1264-503-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1264-345-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1500-183-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1500-190-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1500-439-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1500-189-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1552-176-0x00000000003C0000-0x0000000000420000-memory.dmp

Filesize
384KB

Download
memory/1552-170-0x00000000003C0000-0x0000000000420000-memory.dmp

Filesize
384KB

Download
memory/1552-417-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/1552-1076-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/1552-178-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/1752-776-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1752-532-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1764-7-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/1764-85-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1764-5-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1764-0-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/1764-6-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/1840-886-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1840-872-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1884-838-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1884-859-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1936-1132-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1936-461-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1936-209-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1944-440-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/1944-645-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/2000-129-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2000-128-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/2000-121-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/2000-396-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2016-822-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2016-807-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2064-516-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2064-764-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2244-763-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2244-789-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2340-638-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2340-751-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2372-506-0x0000000100000000-0x0000000100253000-memory.dmp

Filesize
2.3MB

Download
memory/2372-736-0x0000000100000000-0x0000000100253000-memory.dmp

Filesize
2.3MB

Download
memory/2404-418-0x0000000001000000-0x00000000011D5000-memory.dmp

Filesize
1.8MB

Download
memory/2404-639-0x0000000001000000-0x00000000011D5000-memory.dmp

Filesize
1.8MB

Download
memory/2424-515-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/2424-352-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/2436-62-0x00000000002F0000-0x00000000002FA000-memory.dmp

Filesize
40KB

Download
memory/2436-61-0x00000000002F0000-0x00000000002FA000-memory.dmp

Filesize
40KB

Download
memory/2580-75-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2580-67-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2580-69-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2580-92-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2664-463-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2664-341-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2704-35-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2704-26-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2704-34-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2704-137-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2716-748-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2716-754-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2724-371-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/2724-566-0x0000000000590000-0x0000000000781000-memory.dmp

Filesize
1.9MB

Download
memory/2724-531-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/2724-380-0x0000000000590000-0x0000000000781000-memory.dmp

Filesize
1.9MB

Download
memory/2780-578-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2780-398-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2820-204-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2820-60-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2880-802-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2880-792-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2944-791-0x0000000100000000-0x0000000100203000-memory.dmp

Filesize
2.0MB

Download
memory/2944-567-0x0000000100000000-0x0000000100203000-memory.dmp

Filesize
2.0MB

Download
memory/2960-86-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2960-97-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2980-805-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2980-621-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2996-921-0x0000000003D20000-0x0000000003DDA000-memory.dmp

Filesize
744KB

Download
memory/3008-648-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/3008-464-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/3064-837-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/3064-646-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download