daeadabdc016ed4d3e4479fe2070b1a43c626c8f4196c4b94513df3c2842a714

Analysis

max time kernel
140s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
Size

936KB
MD5

0e8ee9e0cbcce80658157408d61df81a
SHA1

2678164961be5ab203d00ea6afda44e43459d9a1
SHA256

daeadabdc016ed4d3e4479fe2070b1a43c626c8f4196c4b94513df3c2842a714
SHA512

83b004a9278ec5bb0a883d2e74d0d3809e4dfd837d0f605b6839c1ef2061bed1daacb4195fbe1f3ac6a76221545723551eef62707cf76a4393af35e8c9eab30a
SSDEEP

24576:PPkMojzaWXFol/j0CfQfHEB/kxOTx5mTJnxl9oZluDpCmEJ:3EnaWG/f+HEB0OTx8LLoZluFCmEJ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exeGROOVE.EXEmaintenanceservice.exedllhost.exemsdtc.exemsiexec.exemscorsvw.exeOSE.EXEOSPPSVC.EXEperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exemscorsvw.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
3048	alg.exe
2616	aspnet_state.exe
2588	mscorsvw.exe
2452	mscorsvw.exe
1116	mscorsvw.exe
1592	mscorsvw.exe
1896	ehRecvr.exe
1724	ehsched.exe
2256	elevation_service.exe
2928	IEEtwCollector.exe
3056	GROOVE.EXE
1252	maintenanceservice.exe
608	dllhost.exe
1508	msdtc.exe
2476	msiexec.exe
1716	mscorsvw.exe
2512	OSE.EXE
2484	OSPPSVC.EXE
2348	perfhost.exe
1672	locator.exe
2600	snmptrap.exe
2004	vds.exe
1100	vssvc.exe
2976	wbengine.exe
2852	WmiApSrv.exe
2344	mscorsvw.exe
980	wmpnetwk.exe
1960	SearchIndexer.exe
2532	mscorsvw.exe
1548	mscorsvw.exe
2412	mscorsvw.exe
2576	mscorsvw.exe
2508	mscorsvw.exe
1060	mscorsvw.exe
2248	mscorsvw.exe
2372	mscorsvw.exe
2200	mscorsvw.exe
2504	mscorsvw.exe
2680	mscorsvw.exe
1692	mscorsvw.exe
2988	mscorsvw.exe
1716	mscorsvw.exe
1060	mscorsvw.exe
2036	mscorsvw.exe
1304	mscorsvw.exe
2984	mscorsvw.exe
2988	mscorsvw.exe
2824	mscorsvw.exe
1000	mscorsvw.exe
3040	mscorsvw.exe
800	mscorsvw.exe
1068	mscorsvw.exe
2924	mscorsvw.exe
1700	mscorsvw.exe
1060	mscorsvw.exe
1812	mscorsvw.exe
920	mscorsvw.exe
2416	mscorsvw.exe
340	mscorsvw.exe
1724	mscorsvw.exe
2232	mscorsvw.exe
1956	mscorsvw.exe
1720	mscorsvw.exe

Loads dropped DLL 53 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
468
468
468
468
468
468
468
2476	msiexec.exe
468
468
468
468
468
764
1812	mscorsvw.exe
1812	mscorsvw.exe
2416	mscorsvw.exe
2416	mscorsvw.exe
1724	mscorsvw.exe
1724	mscorsvw.exe
1956	mscorsvw.exe
1956	mscorsvw.exe
2940	mscorsvw.exe
2940	mscorsvw.exe
2908	mscorsvw.exe
2908	mscorsvw.exe
1724	mscorsvw.exe
1724	mscorsvw.exe
2544	mscorsvw.exe
2544	mscorsvw.exe
2092	mscorsvw.exe
2092	mscorsvw.exe
1012	mscorsvw.exe
1012	mscorsvw.exe
1072	mscorsvw.exe
1072	mscorsvw.exe
2452	mscorsvw.exe
2452	mscorsvw.exe
2316	mscorsvw.exe
2316	mscorsvw.exe
952	mscorsvw.exe
952	mscorsvw.exe
1368	mscorsvw.exe
1368	mscorsvw.exe
2372	mscorsvw.exe
2372	mscorsvw.exe
1296	mscorsvw.exe
1296	mscorsvw.exe
1156	mscorsvw.exe
1156	mscorsvw.exe
616	mscorsvw.exe
616	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 22 IoCs

Processes:

mscorsvw.exe2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exeaspnet_state.exemsdtc.exeSearchProtocolHost.exeGROOVE.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\15856ef5ae4ef42b.bin	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

Processes:

aspnet_state.exemscorsvw.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{D9005A2B-BC2A-4153-8911-AE3B3F543790}\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	mscorsvw.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemsdtc.exemscorsvw.exe2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exemscorsvw.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA0B2.tmp\Microsoft.Office.Tools.Common.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8DADDD65-3C78-4211-AF6B-D35912CCB334}.crmlog	dllhost.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6BBE.tmp\stdole.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP58BB.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3E77.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5ACD.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4FD5.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP36BA.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4DB3.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4C0E.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-308 = "Landscapes"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\dfrgui.exe,-172 = "Defragments your disks so that your computer runs faster and more efficiently."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100 = "Sound Recorder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4 = "Windows Media Player"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wucltux.dll,-1 = "Windows Update"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000108d45938299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ehRec.exeaspnet_state.exe

pid process

2768 ehRec.exe
2616 aspnet_state.exe
2616 aspnet_state.exe
2616 aspnet_state.exe
2616 aspnet_state.exe
2616 aspnet_state.exe

pid	process
2768	ehRec.exe
2616	aspnet_state.exe
2616	aspnet_state.exe
2616	aspnet_state.exe
2616	aspnet_state.exe
2616	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exeaspnet_state.exemsiexec.exevssvc.exewbengine.exeSearchIndexer.exewmpnetwk.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1368	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
Token: SeShutdownPrivilege	1116	mscorsvw.exe
Token: SeShutdownPrivilege	1592	mscorsvw.exe
Token: 33	1524	EhTray.exe
Token: SeIncBasePriorityPrivilege	1524	EhTray.exe
Token: SeDebugPrivilege	2768	ehRec.exe
Token: SeShutdownPrivilege	1116	mscorsvw.exe
Token: SeShutdownPrivilege	1592	mscorsvw.exe
Token: SeShutdownPrivilege	1116	mscorsvw.exe
Token: SeShutdownPrivilege	1116	mscorsvw.exe
Token: SeShutdownPrivilege	1592	mscorsvw.exe
Token: SeShutdownPrivilege	1592	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2616	aspnet_state.exe
Token: 33	1524	EhTray.exe
Token: SeIncBasePriorityPrivilege	1524	EhTray.exe
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe
Token: SeSecurityPrivilege	2476	msiexec.exe
Token: SeBackupPrivilege	1100	vssvc.exe
Token: SeRestorePrivilege	1100	vssvc.exe
Token: SeAuditPrivilege	1100	vssvc.exe
Token: SeBackupPrivilege	2976	wbengine.exe
Token: SeRestorePrivilege	2976	wbengine.exe
Token: SeSecurityPrivilege	2976	wbengine.exe
Token: SeManageVolumePrivilege	1960	SearchIndexer.exe
Token: 33	1960	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1960	SearchIndexer.exe
Token: 33	980	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	980	wmpnetwk.exe
Token: SeShutdownPrivilege	1116	mscorsvw.exe
Token: SeShutdownPrivilege	1592	mscorsvw.exe
Token: SeDebugPrivilege	2616	aspnet_state.exe
Token: SeShutdownPrivilege	1116	mscorsvw.exe
Token: SeShutdownPrivilege	1592	mscorsvw.exe
Token: SeDebugPrivilege	1116	mscorsvw.exe
Token: SeShutdownPrivilege	1116	mscorsvw.exe
Token: SeShutdownPrivilege	1116	mscorsvw.exe
Token: SeShutdownPrivilege	1116	mscorsvw.exe
Token: SeShutdownPrivilege	1116	mscorsvw.exe
Token: SeShutdownPrivilege	1592	mscorsvw.exe
Token: SeShutdownPrivilege	1592	mscorsvw.exe
Token: SeShutdownPrivilege	1592	mscorsvw.exe
Token: SeShutdownPrivilege	1116	mscorsvw.exe
Token: SeShutdownPrivilege	1592	mscorsvw.exe
Token: SeShutdownPrivilege	1116	mscorsvw.exe
Token: SeShutdownPrivilege	1592	mscorsvw.exe
Token: SeShutdownPrivilege	1116	mscorsvw.exe
Token: SeShutdownPrivilege	1592	mscorsvw.exe
Token: SeShutdownPrivilege	1116	mscorsvw.exe
Token: SeShutdownPrivilege	1592	mscorsvw.exe
Token: SeShutdownPrivilege	1116	mscorsvw.exe
Token: SeShutdownPrivilege	1592	mscorsvw.exe
Token: SeShutdownPrivilege	1116	mscorsvw.exe
Token: SeShutdownPrivilege	1592	mscorsvw.exe
Token: SeShutdownPrivilege	1116	mscorsvw.exe
Token: SeShutdownPrivilege	1592	mscorsvw.exe
Token: SeShutdownPrivilege	1116	mscorsvw.exe
Token: SeShutdownPrivilege	1592	mscorsvw.exe
Token: SeShutdownPrivilege	1116	mscorsvw.exe
Token: SeShutdownPrivilege	1592	mscorsvw.exe
Token: SeShutdownPrivilege	1116	mscorsvw.exe
Token: SeShutdownPrivilege	1592	mscorsvw.exe
Token: SeShutdownPrivilege	1116	mscorsvw.exe
Token: SeShutdownPrivilege	1592	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

1524 EhTray.exe
1524 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

1524 EhTray.exe
1524 EhTray.exe

pid	process
1524	EhTray.exe
1524	EhTray.exe

pid	process
1524	EhTray.exe
1524	EhTray.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

SearchProtocolHost.exeSearchProtocolHost.exe

pid	process
1160	SearchProtocolHost.exe
1160	SearchProtocolHost.exe
1160	SearchProtocolHost.exe
1160	SearchProtocolHost.exe
1160	SearchProtocolHost.exe
2964	SearchProtocolHost.exe
2964	SearchProtocolHost.exe
2964	SearchProtocolHost.exe
2964	SearchProtocolHost.exe
2964	SearchProtocolHost.exe
2964	SearchProtocolHost.exe
2964	SearchProtocolHost.exe
2964	SearchProtocolHost.exe
2964	SearchProtocolHost.exe
1160	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exeSearchIndexer.exe

description	pid	process	target process
PID 1116 wrote to memory of 1716	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 1716	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 1716	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 1716	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2344	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2344	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2344	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2344	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2532	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2532	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2532	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2532	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 1548	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 1548	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 1548	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 1548	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2412	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2412	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2412	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2412	1116	mscorsvw.exe	mscorsvw.exe
PID 1960 wrote to memory of 1160	1960	SearchIndexer.exe	SearchProtocolHost.exe
PID 1960 wrote to memory of 1160	1960	SearchIndexer.exe	SearchProtocolHost.exe
PID 1960 wrote to memory of 1160	1960	SearchIndexer.exe	SearchProtocolHost.exe
PID 1960 wrote to memory of 1344	1960	SearchIndexer.exe	SearchFilterHost.exe
PID 1960 wrote to memory of 1344	1960	SearchIndexer.exe	SearchFilterHost.exe
PID 1960 wrote to memory of 1344	1960	SearchIndexer.exe	SearchFilterHost.exe
PID 1116 wrote to memory of 2576	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2576	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2576	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2576	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2508	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2508	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2508	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2508	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 1060	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 1060	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 1060	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 1060	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2248	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2248	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2248	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2248	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2372	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2372	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2372	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2372	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2200	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2200	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2200	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2200	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2504	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2504	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2504	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2504	1116	mscorsvw.exe	mscorsvw.exe
PID 1960 wrote to memory of 2964	1960	SearchIndexer.exe	SearchProtocolHost.exe
PID 1960 wrote to memory of 2964	1960	SearchIndexer.exe	SearchProtocolHost.exe
PID 1960 wrote to memory of 2964	1960	SearchIndexer.exe	SearchProtocolHost.exe
PID 1116 wrote to memory of 2680	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2680	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2680	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 2680	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 1692	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 1692	1116	mscorsvw.exe	mscorsvw.exe
PID 1116 wrote to memory of 1692	1116	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3048

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2588

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 250 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 250 -NGENProcess 1e0 -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 240 -NGENProcess 258 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 254 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1d4 -NGENProcess 250 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1e0 -NGENProcess 264 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 270 -NGENProcess 268 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 254 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 24c -NGENProcess 1d4 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 24c -NGENProcess 254 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 24c -NGENProcess 248 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 264 -NGENProcess 254 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 264 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 28c -NGENProcess 254 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 294 -NGENProcess 248 -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 27c -NGENProcess 280 -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 24c -NGENProcess 248 -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 24c -NGENProcess 27c -Pipe 294 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 27c -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 254 -NGENProcess 1e0 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2a8 -NGENProcess 298 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 27c -NGENProcess 2b0 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 2ac -NGENProcess 298 -Pipe 1c4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2d4 -NGENProcess 26c -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 26c -NGENProcess 1d0 -Pipe 2dc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2cc -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2e0 -NGENProcess 2ac -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2d8 -NGENProcess 2ac -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2ec -NGENProcess 2e0 -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2e0 -NGENProcess 2c4 -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2f4 -NGENProcess 2ac -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2ac -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2fc -NGENProcess 2c4 -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2c4 -NGENProcess 2f4 -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 304 -NGENProcess 2ec -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2ec -NGENProcess 2fc -Pipe 300 -Comment "NGen Worker Process"
2⤵
PID:2820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 30c -NGENProcess 2f4 -Pipe 2ac -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2ec -NGENProcess 314 -Pipe 304 -Comment "NGen Worker Process"
2⤵
PID:1308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 26c -NGENProcess 2f4 -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 30c -NGENProcess 31c -Pipe 2ec -Comment "NGen Worker Process"
2⤵
PID:2228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 24c -NGENProcess 2f4 -Pipe 308 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 2f4 -NGENProcess 318 -Pipe 26c -Comment "NGen Worker Process"
2⤵
PID:2936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 324 -NGENProcess 31c -Pipe 298 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 24c -NGENProcess 32c -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
PID:2116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 310 -NGENProcess 31c -Pipe 30c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 328 -NGENProcess 334 -Pipe 24c -Comment "NGen Worker Process"
2⤵
PID:1632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 314 -NGENProcess 31c -Pipe 2fc -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 330 -NGENProcess 33c -Pipe 328 -Comment "NGen Worker Process"
2⤵
PID:2248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 318 -NGENProcess 31c -Pipe 320 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 330 -NGENProcess 314 -Pipe 310 -Comment "NGen Worker Process"
2⤵
PID:2668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 32c -NGENProcess 340 -Pipe 324 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 340 -NGENProcess 318 -Pipe 31c -Comment "NGen Worker Process"
2⤵
PID:2380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 34c -NGENProcess 314 -Pipe 338 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 314 -NGENProcess 32c -Pipe 348 -Comment "NGen Worker Process"
2⤵
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 354 -NGENProcess 318 -Pipe 330 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 34c -NGENProcess 35c -Pipe 314 -Comment "NGen Worker Process"
2⤵
PID:1160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 334 -NGENProcess 318 -Pipe 340 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 318 -NGENProcess 358 -Pipe 354 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 364 -NGENProcess 35c -Pipe 344 -Comment "NGen Worker Process"
2⤵
PID:1676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 360 -Pipe 350 -Comment "NGen Worker Process"
2⤵
PID:828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 358 -Pipe 34c -Comment "NGen Worker Process"
2⤵
PID:2264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 35c -Pipe 33c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 35c -NGENProcess 368 -Pipe 360 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 368 -NGENProcess 334 -Pipe 358 -Comment "NGen Worker Process"
2⤵
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 37c -NGENProcess 374 -Pipe 364 -Comment "NGen Worker Process"
2⤵
PID:2844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 378 -Pipe 36c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 334 -Pipe 374 -Comment "NGen Worker Process"
2⤵
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 370 -Pipe 318 -Comment "NGen Worker Process"
2⤵
PID:780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 378 -Pipe 35c -Comment "NGen Worker Process"
2⤵
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 334 -Pipe 368 -Comment "NGen Worker Process"
2⤵
PID:2416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 370 -Pipe 37c -Comment "NGen Worker Process"
2⤵
PID:2908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 38c -NGENProcess 39c -Pipe 390 -Comment "NGen Worker Process"
2⤵
PID:368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 380 -NGENProcess 370 -Pipe 384 -Comment "NGen Worker Process"
2⤵
PID:2584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 3a0 -NGENProcess 394 -Pipe 32c -Comment "NGen Worker Process"
2⤵
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 39c -Pipe 388 -Comment "NGen Worker Process"
2⤵
PID:2772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 370 -Pipe 378 -Comment "NGen Worker Process"
2⤵
PID:1556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 394 -Pipe 398 -Comment "NGen Worker Process"
2⤵
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3ac -NGENProcess 3a8 -Pipe 39c -Comment "NGen Worker Process"
2⤵
PID:1848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 38c -NGENProcess 394 -Pipe 380 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 3b8 -NGENProcess 3a4 -Pipe 334 -Comment "NGen Worker Process"
2⤵
PID:1696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 3a8 -Pipe 3b4 -Comment "NGen Worker Process"
2⤵
PID:2908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3b0 -NGENProcess 394 -Pipe 370 -Comment "NGen Worker Process"
2⤵
PID:380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3a0 -NGENProcess 20c -Pipe 3a4 -Comment "NGen Worker Process"
2⤵
PID:1160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3c0 -NGENProcess 3a8 -Pipe 3ac -Comment "NGen Worker Process"
2⤵
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 394 -Pipe 38c -Comment "NGen Worker Process"
2⤵
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 20c -Pipe 3b8 -Comment "NGen Worker Process"
2⤵
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 3a8 -Pipe 3bc -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 394 -Pipe 3b0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3c8 -NGENProcess 3d8 -Pipe 3cc -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3a0 -NGENProcess 394 -Pipe 3c0 -Comment "NGen Worker Process"
2⤵
PID:1156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 394 -NGENProcess 3a0 -Pipe 3dc -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3e0 -NGENProcess 3d8 -Pipe 3c4 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 208 -Pipe 20c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 394 -NGENProcess 3ec -Pipe 3e0 -Comment "NGen Worker Process"
2⤵
PID:1556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3d4 -NGENProcess 208 -Pipe 3d0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3f0 -NGENProcess 3e8 -Pipe 3a8 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 3ec -Pipe 3c8 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 208 -Pipe 3a0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3e8 -Pipe 3e4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 3e8 -NGENProcess 3f4 -Pipe 3ec -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 408 -NGENProcess 208 -Pipe 3d4 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 208 -NGENProcess 3fc -Pipe 404 -Comment "NGen Worker Process"
2⤵
PID:2712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 410 -NGENProcess 3f4 -Pipe 3f8 -Comment "NGen Worker Process"
2⤵
PID:1308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 3f4 -NGENProcess 408 -Pipe 40c -Comment "NGen Worker Process"
2⤵
PID:1632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 420 -NGENProcess 3e8 -Pipe 414 -Comment "NGen Worker Process"
2⤵
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 41c -Pipe 3f0 -Comment "NGen Worker Process"
2⤵
PID:836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 41c -NGENProcess 3f4 -Pipe 408 -Comment "NGen Worker Process"
2⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 42c -NGENProcess 3e8 -Pipe 418 -Comment "NGen Worker Process"
2⤵
PID:2740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 430 -NGENProcess 428 -Pipe 410 -Comment "NGen Worker Process"
2⤵
PID:780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 434 -NGENProcess 3f4 -Pipe 420 -Comment "NGen Worker Process"
2⤵
PID:2996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 438 -NGENProcess 3e8 -Pipe 208 -Comment "NGen Worker Process"
2⤵
PID:2688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 438 -NGENProcess 434 -Pipe 428 -Comment "NGen Worker Process"
2⤵
PID:928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 424 -NGENProcess 3e8 -Pipe 41c -Comment "NGen Worker Process"
2⤵
PID:1820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 444 -NGENProcess 430 -Pipe 394 -Comment "NGen Worker Process"
2⤵
PID:1704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 448 -NGENProcess 434 -Pipe 440 -Comment "NGen Worker Process"
2⤵
PID:1160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 424 -NGENProcess 450 -Pipe 444 -Comment "NGen Worker Process"
2⤵
PID:756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 438 -NGENProcess 434 -Pipe 454 -Comment "NGen Worker Process"
2⤵
PID:2828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 43c -NGENProcess 42c -Pipe 3f4 -Comment "NGen Worker Process"
2⤵
PID:1556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 458 -NGENProcess 450 -Pipe 430 -Comment "NGen Worker Process"
2⤵
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 45c -NGENProcess 434 -Pipe 3e8 -Comment "NGen Worker Process"
2⤵
PID:3040

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3040

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:800

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:1896

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1724

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1524

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2256

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2928

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3056

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1252

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:608

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1508

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2512

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2484

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2348

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1672

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2600

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2004

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2852

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1160

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
2⤵
PID:1344

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2964

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
706KB

MD5
b1f45e72211adb7582d051ed3f5e5b87

SHA1
80d6ae03428219ddc255769c5c9447ab15d9810d

SHA256
f54fa16629413eea40288a15c9f57e5c2ef0e52a464266b228b956be476468cf

SHA512
3102e45dcab947c79bcba52444404afb0189b8d183cdaf693f51f9e70cfd34208398a23bc32c51a6dad65f9a0fd12f35acfe7ed013003fa786d787cd1f4214a0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
dd39e24b644ec9f4910fe48ac74eb3d5

SHA1
57dd6f073d8eca1c9af03ad403d9c5688ec87e00

SHA256
c1d24a6272fa1b023595757b2412c0bcf4497b256f684d41f4bd878c75cf7f15

SHA512
a0ff7dfe1a67012458b90d13efd5a0d7ef91da9530b21b42612c676e397ab94167db2fdb10bb81fed1269d6f678f6e53ad9846101916ff3d90a52295233b9d29

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
5224ee8f3397f776a58fa8310d0361e7

SHA1
e674217b3639aa892d2514f731b0ac2cbf2a60db

SHA256
59a2d3f1a7e7973adcf64fffb8dfab464ba084b76e80f29b83684819945c76a0

SHA512
a116d36058ddc35658965f5abe954d357a2ed41f52f8d3c0d0d37780776cfee3caf444e02170e0f1ed1c0648ed5e9f53a0a2c304651812b0f600a20876ddc1a0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
937fbd21537a53d2e173874a75b223ff

SHA1
134b2373ebe8305c376a180936ebfd0d8b796612

SHA256
50cc607e391efa5057631735e8e91b38ae0dd4ebdf205d3180aee6646232d4cb

SHA512
cc5b9e5faaed9c978adeaf65ec5e7f20d7709a6508c140aef48a161170c257f41f6211695649a84f5db4d2a183e7a47e4875a3b1a7484b1c77cb6ac159c6863a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
04be42ee3361369c5adbcd9ae7860e27

SHA1
ea75a85dd39315788e06338ae1de742b4333cea2

SHA256
916430fb49ef5ccd538ea729ececb9917e1c1ff352da77ca1f04024acd716e01

SHA512
cd093efc107e7435b54dbb5a078918f39a4b3fefa48ec947ec85ec28f887c00754d7933b9cfafc30b926cd1368924d0b2f9c0618d3be147140add09adbaa206e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
2.0MB

MD5
8899450b9c7ca760064fa2f217905a72

SHA1
925a934b9537d3526b17e2c1b5bc4625a9c0400e

SHA256
eca343940a0aba5d42ebf9defc767ddca71f51fb5eb38224c95e1e017133db45

SHA512
8dd7bd07cce64ba510d9e55579cacc015981a15d35a98c3233e56738e78cc8d79cfc4997d1539f67ffbeb5fbbec8dc5304395c48c02fde57c4108c9e6fdd3b01

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
2944692a8fe725e5f45e066a1aac7f95

SHA1
8b9d6dc714209bd87328e0e1ef390638ce376235

SHA256
82fce2e9f9961f2b6b61b66eb08cb29ab972b70e783867214b5ca493a36a20cd

SHA512
3fc9ce483c28fbdcb6ccfe16487600b5ba06b2432c8eabe1f68ab8943e0403922c4d8f201d17e8633f9b0f437631f95c5935084b82e301ad258d4e30c6b76014

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
678KB

MD5
62829cd6f15f075f0925e0dd98dbb86f

SHA1
50b81184cb6f6c1ea3e37a52804352470264d6f2

SHA256
3dd1d0afe8132c92b5842e3c856e237fb4a96f8ae630ca87869c3969110d4260

SHA512
8c462d6824ad969042e7435cc2d5028538d8bb5fcd193f0e032b8a1141849814ce5fd6490ebda1291168687c797350ded4e604694319be4a40c5c561ca57a70c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
625KB

MD5
66abce9c28abec4b1edd82e9b1e7dc47

SHA1
bd9107c36eb8082df61c9e590a25ca38def40cb3

SHA256
b18e5c2598c0b08c85389283d56c106fc558a966fe5448a78e83f4ce5c30d3c9

SHA512
4c55482d7eef86a337a5cd3159b01625f56cc96266dce7f25140cd098abe012b5bd6b0dcb7bf451b2dc10109ae407cba880ce41f37e106a0426a6c36792372fe

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
a8c1943a691c2b3961de2d282d5134ac

SHA1
2f9b025a58aaebde5a316013a0127e4061615dfd

SHA256
749c62ed3ee56bb3af226dec73b835b3c1adbd8e5bdc603615b3cd7fcb61c9ec

SHA512
454e2886f705a1f8c0d3c8e2666ee4611b9c2b1e5fc55df1cfaf94a67d89fb7db5a74b249c21aa6c43f14b2935c16a6d63c838bc39a32d4a0dbac2b32721b829

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
656KB

MD5
efc282ef4976f95afbf7f2d66a8f3a4e

SHA1
478432ceda88b5e1d638cfadd9e9f673acf6f5ef

SHA256
978de2871e3aedac459f533c2153b81cb524fc895b469e63474102ddb55bc024

SHA512
a7aad7b130c71c86c968675657b128a4efa6af52bedce4f87e037d0cb8c28ceaf3b64794e96ab72b987454ef4036f29d55a7a70827026494decbe53224910096

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
7fdd14029e9bb552d69aa67a11d1728e

SHA1
74346a0928c9d4ed8f755b4a96a408b5b2ccaf2f

SHA256
013676c5646367f097e0aa35674a13a3068c275484251e9d9c10f2d52fb89190

SHA512
ebc2178a4d98c022d65c9b3edab3d1f20e552a9c675016a3e723936c63016081ac32e159ebbaf376ce013f672a69e2f760676021ff222e22d52045b26d095ffe

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
587KB

MD5
a783013ed4a50dc0fd52154ce5581db8

SHA1
ba73e9907211b834e98cd92835a57c341e0fa3ce

SHA256
f6580f110e63fb9a7336609eda177cd38c746a4cded4bed89925ecff00184529

SHA512
02654b905656320609429df00c049a3be29486d36d9ee77e9eff7a06e5c0b867723725823314d9ef59ebf3ad004b0bc7a6b8d3f878329eade2bc3206f5695ba4

Download Submit
C:\Windows\System32\Locator.exe
Filesize
577KB

MD5
5d76ac2af1a89d706a41439148f6e168

SHA1
07bf566121f91a7bb971adf1dd8b788defff91d4

SHA256
f11408fc37658e8e9d63f851db2a385771b7b7a2ac904ed6c21377270c8de10f

SHA512
2ed795ab44532a6b658b617d3cb35c29a9004fd7c95328b8ee569fa1fbbf1685ad6f18f2b6118111b2ee909a0d0aa393426a9d0429ea468a1472fd40255b0052

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.1MB

MD5
8e5b2bd271402dafe0fc760e101eaed4

SHA1
d2e166e6c83742c5070340306aac4baccefd07eb

SHA256
89506e3e23e785f75961becb990c64cc89733c77896c0eab3a25a4d5d93f1793

SHA512
e828f4dfc06b468fa51079bb79d9be527151a4f6ba7ba98e1f85a9562eb781b3455267fd35a902a2ccb18cf0399384d18f012915c50d28b5f83650856967c47b

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.1MB

MD5
7cd76bd3abdee3e903719edad975e0d5

SHA1
169f39e606fad6f1d60c62e8a88c5f0d68af6a97

SHA256
0f4cf9f7e104ea276b1fdd95df3ea5110aa1ac25e7a8fe77bd7ff6e423d2be3d

SHA512
f42de04426b5b5bf56af5d94f3cd9f0ff85c00e9f83d64b7ffee0e6505fe8e59933d3875e30d95bc8a6649fc9b4bb7a4b2914f5dc87df2058c6f2c72e4ef0042

Download Submit
C:\Windows\System32\msiexec.exe
Filesize
691KB

MD5
4947481cd621fe968cf1a2973209d524

SHA1
d25a943d2dae77caa3579bcd29ad7f2c79db610b

SHA256
1d4cafdced6be846f36ef8e22b7b46a4ed0ca88267de965947e856fb73379f5e

SHA512
4bb20959b7e80bdeb7163e3bc915ed84e5970d2caff77a70e4c8c21452658d1e23720e970c5911c8c41b31b4ade25c054312f616346cee26f65171495d209c61

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.1MB

MD5
29e0536714f5fb8df0e7e766a487d80d

SHA1
b18970bf6784ce297fc8cc1dcad7e4f1a618fe22

SHA256
27e374cc7e8064bb0fbedff9c2ca45471096cc4c32b38febfe52750fd66f98f2

SHA512
c1352dc712598f3c06c21ff2e3e0a508f218fdec555f609d6bd3d2ba13de62cb2ef31a3158b1fcf2a586c2707edcd12072f3aff258f43d5e504290885e150ffa

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll
Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4cffbd6c354740026d7a3a29dd63e3bc\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
143KB

MD5
1fa4c663eb7f4f3f5e7547c8d2849c90

SHA1
7a2e4dc0eacfaab69d5ddfcbf9fcec8ff55b035f

SHA256
3febbc6242bafabbb51659ed696758cc75dadcb7ffc8217b8a032590d97d9166

SHA512
3a40a81785cf707abfb6b5f88b98e6cf413391b4098d1199a1cb7f030fa2e45c3c8502ae6baa7ff56f1476ee700d5f126c14a99433802a1dd328cd66bd9dfdd9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\7c67d29c005e2095610e2cb43ddc6dee\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
187KB

MD5
6cb73e5a022ea8d85b5a4165cbef7b92

SHA1
522d169c1f13f81d507874c04e1d5535b30acbfd

SHA256
b0a95e95218af994ec3820ae0ae520359edea300425fe25ffe11b470dbaaecfa

SHA512
8b42f9d570edb57a5b5c26bfe2912b482c42948014d69f6fa67e6a44a35520f529e99c6d815805c6bb06bba361838b85ec758627fbec30527bb691bfed696a77

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\83aac982b56989ffd180f47e9a74e928\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
83KB

MD5
6ea55fe85bce96a6cbf515aae3e624a0

SHA1
02e1ccd7089fd2f40b1751c50052cccff70b90d1

SHA256
7dc94d1e85027332a7abe5daaa00f8cb077d06b18e4c238ea545a8ac5c5bd68e

SHA512
d804ab63f33a43cfac32a7910efd22e565e24398cdfe61d87705dca321a969741bb69b518c33aad133464d6579b91fb8eaf20cb05e6bbf3cad3b38174285eb16

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\cd86c62dacf24efcf7923e59cae67964\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
180KB

MD5
b44b1b0d99c8a26d4c6e7537bf1bed91

SHA1
40ae79e958639ac3a012d5b33e8bc7149c9323cf

SHA256
9812e03acd4530cab9d0f9403d999a5db505d19472c6a96ba67cafb020419fa9

SHA512
fb00e07ed05b1aab2261482c2cb4cbfff7fbca9e665fdd8c563d688611376937349ba334cf3310c82f61c42b6fa078de92210e3273eb7fc44cef4d6008313ec7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\system32\fxssvc.exe
Filesize
1.2MB

MD5
1931844e82d00f3c1685fd486dd1e229

SHA1
4ef81a0b2182805cf6ec6ac5879daee733e13fd5

SHA256
4a115087e3ba7d7d870aec8446919194058746507c2e31e4d38b0c9d04cc378c

SHA512
99d3883ae6dc1bbec4899497cdc796a4e17d0f6bf395fadef4a57e16e2aff4ced8731e4f3cc12a5c0905f4f6dbddab800aded4ba45f16f727b021f9ca58944e6

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
648KB

MD5
da14b654299c455610d43957e8bc4af5

SHA1
49aeb02c96a1143a4d29bb3cbb3a660c0996a534

SHA256
3fef53a2f274165f67e7399d9a2222be57e04d0759ff0d25b84070e0eccee65d

SHA512
3305b49b86307d6c9e4237cd26a17ccb12dde59548562af271b2b970031e449c2cd3c0b52c4ccf35113808887de374d0ee347c86bd2c49c262db5ea4a85bfb5b

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
603KB

MD5
afe0930713261dc336fd9f62f362ca6d

SHA1
a48fa5d8083868ca07ef7859fbb4495fb326ddd5

SHA256
4dd3b725c79484914aff670c7a1e24b925a81a767e420fbbbfb06d3f8bb6393f

SHA512
b172fa247fe51384752ae98f55450dc872c47b084f7abbaf6ac9021330c42511c805ba760c2e23e3128f02f5cbf91145e243d2d41b04fee6508ab6eb83df7170

Download Submit
\Windows\System32\alg.exe
Filesize
644KB

MD5
4055b4ae729a65864370c9b08ddae49e

SHA1
6f9f318e99e33972ebb1b41958ed01f1d3515f9a

SHA256
e540927d8b512a9bab0178d3a29668bcc0633ee28a6fc12b1fedf8d23d58b890

SHA512
753327470290ffb815ee65670ecc68060b6de4d2f3eccd157d892e4f8e27bba62b8f08143b28f157c0df1ea6bf3ede096ad069bfdd5aafc6b2f8084b6caf7f93

Download Submit
\Windows\System32\dllhost.exe
Filesize
577KB

MD5
5bd1331716d953866efa0fb520a692c0

SHA1
f7ed81639ce57ecf7e4ca1312b084383eb6efaec

SHA256
f984a1274b23a07a68f1e0a1253c3b59bc45d884cfae476f4e9a0ab16642fa18

SHA512
53e0f2570dd923d9a975ab8f5e73b900a3d22a5c1c017d11f47eb86022faed69f2faa769bca2ab6284bfe44aab9e9b7da1f39d7f34cb0480ae300aab85e8989c

Download Submit
\Windows\System32\ieetwcollector.exe
Filesize
674KB

MD5
942e55a9acae415a38375efdefcaa096

SHA1
8f0b2f281a0c619949a614f63e50ed09fe10eb6f

SHA256
2808acdc0f026aed6ddbe91c0e0b7f0f5e6af579d09aed1656208af67dd37507

SHA512
3b0dc79c0691c44943dde0f9467d6ffde6604eb4a6dcc152c8e7d12b7594b449234f27ae215bb0f7c7ca145fef401108273747387b88502f4428313db3b11352

Download Submit
\Windows\System32\msdtc.exe
Filesize
705KB

MD5
eaec5d253097629c24e8ef41770b7d83

SHA1
624d4162ce437f12ecb1cf10263e923a4dafbc32

SHA256
6ff7e7f08f3c17b4daef4f61894f35ec4caf657b37f01804ee5b29827e268369

SHA512
47bb08c30fe3d0d2d485f7119b3e129452bc2b4ecceb83f42ac205a895e32890ae93e20fc50421d84bb273d28a84b6300cc0d10d40f3b132a7968db80067fd93

Download Submit
\Windows\System32\snmptrap.exe
Filesize
581KB

MD5
39e2c47a4f19f73d8db26776f9a9bd13

SHA1
7767b95afc3d3a494c1a47df9cb846671e992a0d

SHA256
26e0474b976e7a7bbeda4d8fe02312818378caae56826a0b353a5534c57cd6f8

SHA512
63789bae48a4817920c0325266561faa389d2f4f26f4cb56d181e3086a0c09c2c78bba188066ee2caa71fc6b73fe9030ad6fbae9a015d1b373b81e8a57e65c13

Download Submit
\Windows\System32\wbem\WmiApSrv.exe
Filesize
765KB

MD5
72ae07749f094d6a47545ce534e2b4d2

SHA1
48bd3fb7be12d7b37730ca2ba698198d8ef78241

SHA256
e1816f303638a2d3ec98669824436e59acc0e8883fe8ba3b1660908615dd9c6e

SHA512
c137cfb9077f859f6bdd857eba88e0d62bef3b7c8c2d8d32956b59c2f21acad2bad58c6819ba837d54b6b138bc6e0b6f7f11b4c5f352185904bcd89d5a778868

Download Submit
\Windows\System32\wbengine.exe
Filesize
2.0MB

MD5
8e8f33f9064db0c85b2c388fa8730781

SHA1
8c199f4d0f2ae9d908738daa2108c42ab38b6dd2

SHA256
c0b0ddc2469d06402a08846cb4fa041b45c2ebd4e0d93f31aac81c1415dfaeae

SHA512
ee26d4a73d9ce7afb516a0b8628ce65bc7074c594b2777ca6a221bd558fdaacc9cf799799f827f9e6df422eb01ff0eece5f83dcb2cf11e85de708004c357f875

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
2420af9bb0be53b3028ced27f558ff5b

SHA1
656c796db4b79ecea829fa69e789a5102292ff60

SHA256
a0c515391a9a41d64236ff60aee2f9c25d1fe21714d039f36360e788b2a62849

SHA512
aab2ae90eca06fc8b10d024d559e57d0666944274187f36779e4ef699e77911d0358d2d8830e40d8205c8486fd62d5a9e1c5ddf7437b7ab3008090d0da567eff

Download Submit
\Windows\ehome\ehsched.exe
Filesize
691KB

MD5
4fcbf440cf90a4e9ec7774a15c8d68df

SHA1
0021d6ae06830989fcb2156b5004802183d62510

SHA256
49c397d3d1001210fd1a28a4b470a5583f1d3610374ca64aaeb6b0a2d763a6ed

SHA512
bc53f1270836160837cc99cf38da869d3a4397957340f6b267fcae817fbebb2ee0054da1c5b75936b62c2cf7d8a772fa12bb0ac85858d5ac08ce67a03b0e4128

Download Submit
memory/608-176-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/608-252-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/980-602-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/980-296-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1060-698-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1060-558-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1060-724-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1060-543-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1100-526-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1100-253-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1116-193-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1116-63-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1116-64-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1116-69-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1252-183-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1252-165-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1304-752-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1304-740-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1368-0-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1368-6-0x0000000001D70000-0x0000000001DD7000-memory.dmp

Filesize
412KB

Download
memory/1368-82-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1368-1-0x0000000001D70000-0x0000000001DD7000-memory.dmp

Filesize
412KB

Download
memory/1368-164-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1508-188-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1548-406-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1548-423-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1592-203-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1592-83-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/1592-89-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/1592-91-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1672-246-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1692-672-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1692-656-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1716-691-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1716-286-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1716-204-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1716-281-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1716-707-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1724-215-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1724-121-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1724-112-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/1724-118-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/1896-101-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1896-107-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1896-100-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1896-207-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1960-624-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1960-301-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2004-516-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2004-249-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2036-738-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2036-721-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2200-623-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2200-603-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2248-579-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2248-555-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2256-136-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2256-221-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2344-283-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2344-315-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2348-402-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2348-244-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2372-566-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2372-605-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2412-425-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2412-508-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2452-43-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2452-50-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/2452-77-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2452-44-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/2476-194-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2476-261-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2476-214-0x0000000000530000-0x00000000005E2000-memory.dmp

Filesize
712KB

Download
memory/2476-295-0x0000000000530000-0x00000000005E2000-memory.dmp

Filesize
712KB

Download
memory/2484-324-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2484-224-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2504-625-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2504-644-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2508-527-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2508-542-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2512-216-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2512-300-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2532-410-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2532-325-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2576-530-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2576-517-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2588-28-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2588-29-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/2588-37-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/2588-76-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2600-245-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2600-403-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2616-133-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2616-16-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2616-23-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2616-17-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2680-660-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2680-639-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2852-547-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2852-262-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2928-140-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2976-257-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2976-541-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2988-761-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2988-680-0x0000000003BE0000-0x0000000003C9A000-memory.dmp

Filesize
744KB

Download
memory/2988-674-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2988-692-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3048-120-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/3048-12-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/3056-243-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3056-150-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download