47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
Size

1.8MB
MD5

024a5fde7251708f7932686d0a34de35
SHA1

5ba8ab10f6b80cf96e351f2f95fd93241c47e8c3
SHA256

47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb
SHA512

5885d22f1280d07c950edbba67108c8c9b17affcc75f8b2c57f53b9eced64e13cd030d57224d47fbcd6874a4edc621595ee9333bf8cd6cead29e94502cbe3e98
SSDEEP

49152:Dx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAUYjyJVJyNfyPtYuTt3eIM:DvbjVkjjCAzJFYjQHiqPtXBeIM

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exeGROOVE.EXEmaintenanceservice.exemsdtc.exemsiexec.exeOSE.EXEOSPPSVC.EXEperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exemscorsvw.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
476
2144	alg.exe
2632	aspnet_state.exe
3016	mscorsvw.exe
2168	mscorsvw.exe
2756	mscorsvw.exe
2560	mscorsvw.exe
2116	ehRecvr.exe
3004	ehsched.exe
1536	elevation_service.exe
900	IEEtwCollector.exe
2440	GROOVE.EXE
1704	maintenanceservice.exe
1712	msdtc.exe
2784	msiexec.exe
2772	OSE.EXE
2588	OSPPSVC.EXE
1836	perfhost.exe
2336	locator.exe
3024	snmptrap.exe
740	vds.exe
976	vssvc.exe
1056	wbengine.exe
1544	WmiApSrv.exe
1452	mscorsvw.exe
596	dllhost.exe
2660	mscorsvw.exe
2764	mscorsvw.exe
2372	mscorsvw.exe
2816	mscorsvw.exe
1588	mscorsvw.exe
1524	mscorsvw.exe
2612	mscorsvw.exe
3048	mscorsvw.exe
2692	mscorsvw.exe
844	mscorsvw.exe
1956	mscorsvw.exe
2124	mscorsvw.exe
2856	mscorsvw.exe
2564	mscorsvw.exe
2112	mscorsvw.exe
768	mscorsvw.exe
2480	mscorsvw.exe
2524	mscorsvw.exe
2124	mscorsvw.exe
2680	mscorsvw.exe
2492	mscorsvw.exe
2008	mscorsvw.exe
1132	mscorsvw.exe
2724	mscorsvw.exe
628	wmpnetwk.exe
2284	SearchIndexer.exe
2908	mscorsvw.exe
908	mscorsvw.exe
900	mscorsvw.exe
2744	mscorsvw.exe
1296	mscorsvw.exe
2488	mscorsvw.exe
2296	mscorsvw.exe
2660	mscorsvw.exe
2620	mscorsvw.exe
2564	mscorsvw.exe
1580	mscorsvw.exe
2408	mscorsvw.exe

Loads dropped DLL 57 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
476
476
476
476
476
476
476
2784	msiexec.exe
476
476
476
476
476
476
756
1296	mscorsvw.exe
1296	mscorsvw.exe
2296	mscorsvw.exe
2296	mscorsvw.exe
2620	mscorsvw.exe
2620	mscorsvw.exe
1580	mscorsvw.exe
1580	mscorsvw.exe
2292	mscorsvw.exe
2292	mscorsvw.exe
2092	mscorsvw.exe
2092	mscorsvw.exe
2124	mscorsvw.exe
2124	mscorsvw.exe
2008	mscorsvw.exe
2008	mscorsvw.exe
2900	mscorsvw.exe
2900	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2488	mscorsvw.exe
2488	mscorsvw.exe
1180	mscorsvw.exe
1180	mscorsvw.exe
1524	mscorsvw.exe
1524	mscorsvw.exe
2736	mscorsvw.exe
2736	mscorsvw.exe
692	mscorsvw.exe
692	mscorsvw.exe
2712	mscorsvw.exe
2712	mscorsvw.exe
2912	mscorsvw.exe
2912	mscorsvw.exe
1140	mscorsvw.exe
1140	mscorsvw.exe
2616	mscorsvw.exe
2616	mscorsvw.exe
1880	mscorsvw.exe
1880	mscorsvw.exe
832	mscorsvw.exe
832	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exeGROOVE.EXEalg.exeaspnet_state.exeSearchProtocolHost.exemscorsvw.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\wbengine.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7ee20098c1bd2e0a.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\locator.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\alg.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\System32\msdtc.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\System32\vds.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\vssvc.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\msiexec.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exemscorsvw.exeaspnet_state.exe47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4EFAFADA-208B-4BC3-8A2E-F71970AC49AC}\chrome_installer.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM426.tmp\goopdateres_bg.dll	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM426.tmp\goopdateres_da.dll	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT427.tmp	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM426.tmp\psuser_64.dll	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File created	C:\Program Files (x86)\Google\Temp\GUM426.tmp\goopdateres_no.dll	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM426.tmp\goopdateres_ja.dll	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM426.tmp\goopdateres_el.dll	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemsdtc.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exealg.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeaspnet_state.exemscorsvw.exe47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exemscorsvw.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{06396B47-CB30-4475-9807-8583325014B8}.crmlog	dllhost.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPAE0B.tmp\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6E7C.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6651.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9DF4.tmp\ehiVidCtl.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{06396B47-CB30-4475-9807-8583325014B8}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7178.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7281.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

mscorsvw.exeSearchProtocolHost.exeSearchIndexer.exemscorsvw.exemscorsvw.exewmpnetwk.exemscorsvw.exeSearchFilterHost.exeehRecvr.exemscorsvw.exeehRec.exeGROOVE.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114 = "Windows Fax and Scan"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\DVD Maker\DVDMaker.exe,-63385 = "Burn pictures and video to DVD."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{22BDC82B-ED4A-4BF4-B876-A3A388889474}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msinfo32.exe,-100 = "System Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mblctr.exe,-1004 = "Opens the Windows Mobility Center so you can adjust display brightness, volume, power options, and other mobile PC settings."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102 = "XPS Viewer"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\OobeFldr.dll,-33056 = "Getting Started"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0600f097f99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005062b8097f99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103 = "Disk Defragmenter"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\pmcsnap.dll,-710 = "Manages local printers and remote print servers."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-102 = "View monitoring and troubleshooting messages from windows and other programs."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001 = "iSCSI Initiator"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100 = "Sound Recorder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Filemgmt.dll,-602 = "Starts, stops, and configures Windows services."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\msra.exe,-635 = "Invite a friend or technical support person to connect to your computer and help you, or offer to help someone else."	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ehRec.exeaspnet_state.exe

pid process

2396 ehRec.exe
2632 aspnet_state.exe
2632 aspnet_state.exe
2632 aspnet_state.exe
2632 aspnet_state.exe
2632 aspnet_state.exe

pid	process
2396	ehRec.exe
2632	aspnet_state.exe
2632	aspnet_state.exe
2632	aspnet_state.exe
2632	aspnet_state.exe
2632	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exemsiexec.exevssvc.exewbengine.exealg.exeaspnet_state.exewmpnetwk.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2372	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
Token: SeShutdownPrivilege	2756	mscorsvw.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: 33	1596	EhTray.exe
Token: SeIncBasePriorityPrivilege	1596	EhTray.exe
Token: SeDebugPrivilege	2396	ehRec.exe
Token: SeRestorePrivilege	2784	msiexec.exe
Token: SeTakeOwnershipPrivilege	2784	msiexec.exe
Token: SeSecurityPrivilege	2784	msiexec.exe
Token: 33	1596	EhTray.exe
Token: SeIncBasePriorityPrivilege	1596	EhTray.exe
Token: SeShutdownPrivilege	2756	mscorsvw.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: SeBackupPrivilege	976	vssvc.exe
Token: SeRestorePrivilege	976	vssvc.exe
Token: SeAuditPrivilege	976	vssvc.exe
Token: SeBackupPrivilege	1056	wbengine.exe
Token: SeRestorePrivilege	1056	wbengine.exe
Token: SeSecurityPrivilege	1056	wbengine.exe
Token: SeShutdownPrivilege	2756	mscorsvw.exe
Token: SeShutdownPrivilege	2756	mscorsvw.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: SeShutdownPrivilege	2756	mscorsvw.exe
Token: SeDebugPrivilege	2144	alg.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: SeShutdownPrivilege	2756	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2632	aspnet_state.exe
Token: SeDebugPrivilege	2632	aspnet_state.exe
Token: 33	628	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	628	wmpnetwk.exe
Token: SeManageVolumePrivilege	2284	SearchIndexer.exe
Token: 33	2284	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2284	SearchIndexer.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: SeShutdownPrivilege	2756	mscorsvw.exe
Token: SeShutdownPrivilege	2756	mscorsvw.exe
Token: SeShutdownPrivilege	2756	mscorsvw.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: SeShutdownPrivilege	2756	mscorsvw.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: SeShutdownPrivilege	2756	mscorsvw.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: SeShutdownPrivilege	2756	mscorsvw.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: SeShutdownPrivilege	2756	mscorsvw.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: SeShutdownPrivilege	2756	mscorsvw.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: SeShutdownPrivilege	2756	mscorsvw.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: SeShutdownPrivilege	2756	mscorsvw.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: SeShutdownPrivilege	2756	mscorsvw.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe
Token: SeShutdownPrivilege	2756	mscorsvw.exe
Token: SeShutdownPrivilege	2560	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

1596 EhTray.exe
1596 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

1596 EhTray.exe
1596 EhTray.exe

pid	process
1596	EhTray.exe
1596	EhTray.exe

pid	process
1596	EhTray.exe
1596	EhTray.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

SearchProtocolHost.exe

pid	process
2248	SearchProtocolHost.exe
2248	SearchProtocolHost.exe
2248	SearchProtocolHost.exe
2248	SearchProtocolHost.exe
2248	SearchProtocolHost.exe
2248	SearchProtocolHost.exe
2248	SearchProtocolHost.exe
2248	SearchProtocolHost.exe
2248	SearchProtocolHost.exe
2248	SearchProtocolHost.exe
2248	SearchProtocolHost.exe
2248	SearchProtocolHost.exe
2248	SearchProtocolHost.exe
2248	SearchProtocolHost.exe
2248	SearchProtocolHost.exe
2248	SearchProtocolHost.exe
2248	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exe

description	pid	process	target process
PID 2560 wrote to memory of 1452	2560	mscorsvw.exe	mscorsvw.exe
PID 2560 wrote to memory of 1452	2560	mscorsvw.exe	mscorsvw.exe
PID 2560 wrote to memory of 1452	2560	mscorsvw.exe	mscorsvw.exe
PID 2560 wrote to memory of 2660	2560	mscorsvw.exe	mscorsvw.exe
PID 2560 wrote to memory of 2660	2560	mscorsvw.exe	mscorsvw.exe
PID 2560 wrote to memory of 2660	2560	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2764	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2764	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2764	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2764	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2372	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2372	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2372	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2372	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2816	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2816	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2816	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2816	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 1588	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 1588	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 1588	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 1588	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 1524	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 1524	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 1524	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 1524	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2612	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2612	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2612	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2612	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 3048	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 3048	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 3048	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 3048	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2692	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2692	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2692	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2692	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 844	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 844	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 844	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 844	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 1956	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 1956	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 1956	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 1956	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2124	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2124	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2124	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2124	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2856	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2856	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2856	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2856	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2564	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2564	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2564	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2564	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2112	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2112	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2112	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 2112	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 768	2756	mscorsvw.exe	mscorsvw.exe
PID 2756 wrote to memory of 768	2756	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
"C:\Users\Admin\AppData\Local\Temp\47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3016

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 244 -NGENProcess 1ec -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 238 -NGENProcess 23c -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 258 -NGENProcess 1d0 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1ec -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 238 -NGENProcess 264 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1dc -NGENProcess 1ec -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 268 -NGENProcess 25c -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 264 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1dc -NGENProcess 274 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 23c -NGENProcess 1ec -Pipe 1dc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 260 -NGENProcess 274 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 274 -NGENProcess 264 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 284 -NGENProcess 27c -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 1ec -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 238 -NGENProcess 270 -Pipe 294 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 270 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 260 -NGENProcess 290 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 28c -NGENProcess 23c -Pipe 1ec -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 298 -NGENProcess 238 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 26c -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 23c -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2724

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1452

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2660

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1e0 -NGENProcess 204 -Pipe 1b8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2908

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 250 -NGENProcess 234 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:908

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 228 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:900

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 254 -NGENProcess 250 -Pipe 204 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2744

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d8 -NGENProcess 228 -Pipe 1ac -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1296

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 228 -NGENProcess 258 -Pipe 234 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2488

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 268 -NGENProcess 1d8 -Pipe 22c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2296

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1d8 -NGENProcess 260 -Pipe 1e0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2660

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 270 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 258 -NGENProcess 264 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2564

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 278 -NGENProcess 260 -Pipe 228 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 260 -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2408

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 280 -NGENProcess 264 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2292

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 278 -NGENProcess 288 -Pipe 260 -Comment "NGen Worker Process"
2⤵
PID:2156

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 250 -NGENProcess 264 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2092

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 264 -NGENProcess 284 -Pipe 280 -Comment "NGen Worker Process"
2⤵
PID:2376

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 290 -NGENProcess 288 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2124

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 288 -NGENProcess 250 -Pipe 28c -Comment "NGen Worker Process"
2⤵
PID:308

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 298 -NGENProcess 284 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
PID:2008

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 288 -NGENProcess 294 -Pipe 27c -Comment "NGen Worker Process"
2⤵
PID:2620

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 25c -NGENProcess 29c -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2900

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 29c -NGENProcess 298 -Pipe 284 -Comment "NGen Worker Process"
2⤵
PID:1552

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a8 -NGENProcess 294 -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2584

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 29c -NGENProcess 2b0 -Pipe 25c -Comment "NGen Worker Process"
2⤵
PID:1356

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 294 -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
PID:2488

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 270 -NGENProcess 2b8 -Pipe 29c -Comment "NGen Worker Process"
2⤵
PID:2620

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 250 -NGENProcess 294 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
PID:1180

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2b4 -NGENProcess 2c0 -Pipe 270 -Comment "NGen Worker Process"
2⤵
PID:1980

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 298 -NGENProcess 294 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 294 -NGENProcess 2bc -Pipe 250 -Comment "NGen Worker Process"
2⤵
PID:3048

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2c8 -NGENProcess 2c0 -Pipe 2ac -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2736

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2c0 -NGENProcess 298 -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
PID:2612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2d0 -NGENProcess 2bc -Pipe 2b4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:692

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
PID:2956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b0 -NGENProcess 2bc -Pipe 294 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2712

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2d4 -NGENProcess 2e0 -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1572

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2b8 -NGENProcess 2bc -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
PID:1524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2dc -NGENProcess 2e8 -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
PID:2812

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 298 -NGENProcess 2bc -Pipe 2cc -Comment "NGen Worker Process"
2⤵
PID:2736

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2ec -NGENProcess 2b8 -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
PID:1444

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2e8 -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2912

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2e8 -NGENProcess 298 -Pipe 2bc -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1140

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 298 -NGENProcess 2b0 -Pipe 2b8 -Comment "NGen Worker Process"
2⤵
PID:2456

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 2dc -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2616

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2f4 -NGENProcess 2e8 -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
PID:1884

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 304 -NGENProcess 2b0 -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
PID:2676

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 300 -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
PID:2984

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2fc -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"
2⤵
PID:2292

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 318 -NGENProcess 300 -Pipe 314 -Comment "NGen Worker Process"
2⤵
PID:2460

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 318 -NGENProcess 2fc -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
PID:2668

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 298 -NGENProcess 300 -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
PID:2156

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 324 -NGENProcess 30c -Pipe 2ec -Comment "NGen Worker Process"
2⤵
PID:2800

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2fc -Pipe 320 -Comment "NGen Worker Process"
2⤵
PID:3004

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 300 -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
PID:1580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 30c -Pipe 31c -Comment "NGen Worker Process"
2⤵
PID:2840

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2fc -Pipe 318 -Comment "NGen Worker Process"
2⤵
PID:2100

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 300 -Pipe 298 -Comment "NGen Worker Process"
2⤵
PID:2148

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 30c -Pipe 324 -Comment "NGen Worker Process"
2⤵
PID:2392

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2fc -Pipe 328 -Comment "NGen Worker Process"
2⤵
PID:2856

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 300 -Pipe 32c -Comment "NGen Worker Process"
2⤵
PID:1300

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 30c -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:1804

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 2fc -Pipe 334 -Comment "NGen Worker Process"
2⤵
PID:1452

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 300 -Pipe 338 -Comment "NGen Worker Process"
2⤵
PID:2352

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 30c -Pipe 33c -Comment "NGen Worker Process"
2⤵
PID:1724

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 2fc -Pipe 340 -Comment "NGen Worker Process"
2⤵
PID:2628

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 300 -Pipe 344 -Comment "NGen Worker Process"
2⤵
PID:2156

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 30c -Pipe 348 -Comment "NGen Worker Process"
2⤵
PID:2976

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 2fc -Pipe 34c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1880

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 2fc -NGENProcess 35c -Pipe 300 -Comment "NGen Worker Process"
2⤵
PID:2288

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 36c -NGENProcess 30c -Pipe 354 -Comment "NGen Worker Process"
2⤵
PID:2308

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 368 -Pipe 358 -Comment "NGen Worker Process"
2⤵
PID:288

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 35c -Pipe 360 -Comment "NGen Worker Process"
2⤵
PID:1436

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 30c -Pipe 350 -Comment "NGen Worker Process"
2⤵
PID:1352

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 370 -NGENProcess 380 -Pipe 374 -Comment "NGen Worker Process"
2⤵
PID:1300

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 364 -NGENProcess 30c -Pipe 2fc -Comment "NGen Worker Process"
2⤵
PID:1572

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 388 -NGENProcess 378 -Pipe 384 -Comment "NGen Worker Process"
2⤵
PID:1140

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 310 -NGENProcess 35c -Pipe 380 -Comment "NGen Worker Process"
2⤵
PID:2804

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 38c -NGENProcess 368 -Pipe 36c -Comment "NGen Worker Process"
2⤵
PID:2124

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 378 -Pipe 37c -Comment "NGen Worker Process"
2⤵
PID:2764

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 35c -Pipe 370 -Comment "NGen Worker Process"
2⤵
PID:1384

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 368 -Pipe 364 -Comment "NGen Worker Process"
2⤵
PID:1580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 378 -Pipe 388 -Comment "NGen Worker Process"
2⤵
PID:1328

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 35c -Pipe 310 -Comment "NGen Worker Process"
2⤵
PID:2692

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 368 -Pipe 38c -Comment "NGen Worker Process"
2⤵
PID:980

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 378 -Pipe 390 -Comment "NGen Worker Process"
2⤵
PID:1232

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 35c -Pipe 394 -Comment "NGen Worker Process"
2⤵
PID:1296

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 368 -Pipe 398 -Comment "NGen Worker Process"
2⤵
PID:1732

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 378 -Pipe 39c -Comment "NGen Worker Process"
2⤵
PID:2292

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 35c -Pipe 3a0 -Comment "NGen Worker Process"
2⤵
PID:2348

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 368 -Pipe 3a4 -Comment "NGen Worker Process"
2⤵
PID:1300

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 378 -Pipe 3a8 -Comment "NGen Worker Process"
2⤵
PID:2900

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 35c -Pipe 3ac -Comment "NGen Worker Process"
2⤵
PID:2060

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 368 -Pipe 3b0 -Comment "NGen Worker Process"
2⤵
PID:304

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 378 -Pipe 3b4 -Comment "NGen Worker Process"
2⤵
PID:1456

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 35c -Pipe 3b8 -Comment "NGen Worker Process"
2⤵
PID:768

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3c8 -NGENProcess 3d8 -Pipe 3cc -Comment "NGen Worker Process"
2⤵
PID:2208

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3bc -NGENProcess 35c -Pipe 3c0 -Comment "NGen Worker Process"
2⤵
PID:888

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3dc -NGENProcess 3d0 -Pipe 30c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:908

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3d8 -Pipe 3c4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:832

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 3bc -NGENProcess 3e4 -Pipe 3dc -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1452

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3d4 -NGENProcess 3d8 -Pipe 378 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2308

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2116

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:3004

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1596

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1536

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:900

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2440

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1704

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1712

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2772

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2588

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1836

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3024

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:740

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1544

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:596

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2248

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
2⤵
- Modifies data under HKEY_USERS
PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
706KB

MD5
6be05355e31b53df5ca2860233804a87

SHA1
3c439a541d795e6333e02bc6eadc6fff809b249b

SHA256
2cb5c93649f240c3fe6616d5073a394de32909c023fb5722f9e11dbaeb9cca4a

SHA512
6b4c64da429ad37c0f5871d7555cd2248a6f29fe2bf8f870b57ba2b866ea4bf984a08b9df7a5fc60f6ccd6cdddb5dad535ec0140e54caf06bd30dd0e7ef5e3f0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
02b3441157fb068d6b77b4c080234b29

SHA1
11aa8f7eda708893a0d93a96aff07e5082a6801b

SHA256
8e00582d67d3062e6e4661abea47dc095de69cbd6b5c18db4b1163375a3a80e2

SHA512
1e393230218e777f3f29531750ff92480591c4cfc6ea4724f8e941d33c75588f46cadbd75f5c98f6e15b397c2a5b49db3392ee7b65b743a628554172b531b073

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
b96e0fa6bc83ac44356c19e17b93ff10

SHA1
3c6e41620124c45296be29dfc41084763d066947

SHA256
1a3f711042ab77cb79b46cee2a875ab3fd1d8430aa2149acbf0d35f7d090e27d

SHA512
c8f3a2eb75b6d7dc55abbb19ac1d272e6905d80c23e3dd7d94af3cc51d17d809a26762e38191a8b635488a94faa227da2108f8a39f4e45f2a1a00e91ec34b36e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
766cb21cce27ae3e32236aec82cd95af

SHA1
698c3a04bbad5bf0c79ea1e131b9403f869b86cf

SHA256
2f6d772fbdd57080796948b4d07d417c14df67f2c2b996585d073cef0a2f8ee3

SHA512
2133a95768d5698b8b1e6f14824b0152ea5a0dbbab9edb6cc429df763cf25d665501eb1f377301883fa9ec16579f1514596e7080b2049fe980b4219f031829d0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
b4063159f6929048b9c0c8e69ea9c26b

SHA1
fd13c09c0d07b5485534191d725d5fa48ce47879

SHA256
c43df84ec580b72e25e287d938e2757062cbfff310d6637b56570f4fe1ccf2ed

SHA512
9b1e668ef08a0c58023650a17fe15d6f8f1a615e8e3c5688c54a9f7956b9cac150d111595f1d032e71cc0b5d7b96e584940b5cfe326ca8bcd39551f8459942d5

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
e7f8217c603bfef3dac6c52ce5f0e0b6

SHA1
0098786af56fcd5cb825f50904c8b9e557dd7d17

SHA256
62bad3f3509cb7790f8af73fa74a331f93f10a3243e2fa5412bc446fe48229f3

SHA512
a0d0df51486f79f6531d221fb947d668f3b51e660ad62318e097fc7e0a842ee011ea84eadea5ddea446504ef9d70117e3664dca2fc7cdfb5d977d73003f1f40c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
648KB

MD5
e46aa18dc31ce5eb3de24664f5db4ba3

SHA1
932ddeb35bac5bd330f7db2ea56d6e10ad1ad507

SHA256
da0662760eb4b4f6f9b31221e9d9a93fc13fd29355729ae546b37f92b5b1a27b

SHA512
4df4c07c2c0c5e9ada95b9d3b9824d2447e3e0afd07d67c954af9e132658db739a8aa13f8eb69b02df8e61c157378c66d7ea6ec7f0fa51154b5a1e346999e3ba

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
0b0bfa26973dbb127533e8285a6141ef

SHA1
d9b8d0813d3733ec222b5f054c1281a2e19010c9

SHA256
36022b0e3a587dddbd13cae5bd90e9bded374770f005bbf94fc13ec104c0c640

SHA512
96ba255eab556c89895d8efca70b4d0db8824d929d8136ef004ffa402dc955bd34182cd93eb950a9e18648ea08a004d52168f216321dbecfbcc271f47807f255

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
603KB

MD5
838f0c216d15366ca8eacb7982f80959

SHA1
f111fb90c6cba46c02d7080ac03f3924bfa3cc5d

SHA256
e30a417e877f994477ddbf2c892e72df514b304c20f38dcba9a3abca718350c4

SHA512
283bf579c0a2627abe1150786acf43c544af4d2a0eb0e672ba54ef16ac19273197998253d57fea0c6da720dabf8f0efc448f1bc119e9039622af93308780c258

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
678KB

MD5
551ec56dda78fef4faad819104777233

SHA1
c168c00ec75623e6dde217d2029f4e18bda2026f

SHA256
6e82d3ab5d6ca973e08d0fe6452655012c2a6880dbc7c430a1b1bc29e43cbb94

SHA512
8eff0f7044f60cd5440751394d23fb137d3731f21d78f9c26bef560e8dcfb00a7c13d179e435b8bc79c3c9e4b1b33f0ef13eb808ab8cd3e197debe466f9a9e61

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
b57c9f2dcea6947cb06a7c60f0b06e2a

SHA1
d0bb1e02ba3e29059b21f9a2eb9fcb65b2f7a0c3

SHA256
769d092e87add9d35eb7a7012f549c6bbb8b293026e5c1f1178c4674c28f9fb2

SHA512
7b278f824bd8bb9c4fbe8d64a8d9293dad259399eda420acff9b3d63e0537a2643456333d50c34741bd6916f14de1809472a77f0a15ad54d7665a6f8bcfbe818

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
625KB

MD5
51a15d57017a0cbffde25295dc469f04

SHA1
53d4cb859a273ee5a4fb7d5f63d992f2b32f3032

SHA256
7f69cc069b6e9081249f43d749e6323dd1e517eec6884db41805afa8f788f061

SHA512
c30bf53061c23d1cf18d3eec2d2c161bdcad9ef2141a9f70aac3e14157c516dc4a929cb9da6f2e472e5d86242a21279e27ceff27aa862d85afaa2122ff96b1cb

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
e66f45a08ab73d43628aed1f245b9d61

SHA1
c1856e6500fa82fb1970103670f9abc0b42794de

SHA256
3fe9c4d9f6e371a5e9011cc8b1882151a775d7c66f1faac99ab8ae35d9f615a2

SHA512
6634992dad00aa7b843492b61bb3b153c0bf74be1622c998c28c5a5ecdc54e0e7dfe4d46beb7711d29f11af8b19d2531954529de34588e21d11e05c1e14515db

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
656KB

MD5
39d7f8410e3c3ec9a3733ac6e9e6f315

SHA1
ff46ed1c8ce9707078aecbfeac5adcea50e2b52e

SHA256
94adcb17a9b45bce253a9ca47c1410398cd404f0e61c31e2d7c3723bc7d70b47

SHA512
09017e68003e0d0647cabd21558e3d951f22d228937893d2fc79eafcbbd481ad6fd41f5ec9b5cbc160f5089173705c677999429b7c5250715294f08e1a71df49

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
587KB

MD5
64ffc7d978981034768c8d7e51bd918b

SHA1
d3775dd409ca35682e0700fcbd0e245272826c25

SHA256
480f3ee251f74a46ae5b0bfea0e1281aa48ddfc941347af3538bad4ad942ebb4

SHA512
aad7915cf7bab1a41f8cd57e87f9c975285af8df6ddbf64a1049a7dfef4c73f88cce08dfa8dfe58ff018219487e42d69aba91b08be54458fcc94298be97b1a70

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.1MB

MD5
f34a3639a841c8e2d5948e35a727d0bb

SHA1
871a03f07bd27cabd759c673a2519db49977a394

SHA256
f5e005ca60303bb4b0bb88225b2b44cd752f35e5e5e569a45e0f27e27ec3817e

SHA512
86d0cbab4d4f85cdeec57773c0eaca8bf193d58a34da9d1732c095c0c0a28a047cef68d91f3028d9064eaf6d4640dc71599bdadee54a8af5377063e7dd60c4ac

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.1MB

MD5
faccdbaf3caa920860d60ab3f547165e

SHA1
aa14fde426b2fb20d1552fb50a21152d281a03de

SHA256
f7a06b665af83b53830178a9b1ae26972747d0943f5fd4ed54028a838e7f6c14

SHA512
24d158c4f8e6fe4662f5f9b99b6c4927940eb197078ddb5d53da5610c4f8290ab8b0e4de9af293095d1237c1025adcd19f9032d6d04eec6df787db68e2a0f317

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.0MB

MD5
338f465d981acf5e9324eba33cfac5fe

SHA1
a498708b8156bf26411d1f3ba9325df0a9a3ad26

SHA256
7753a9a57eabc36f4723d267f981945c520fe68d35bbdf907ecffa6193b5b785

SHA512
fc8315932b176410f17cfc2cc92c7f4e7f2e2c4c888f1f32e0804128fc489021543538c001258ca2c5dbc3db6bd5aefb26aa48bd15a05a56c1c0beb1d7fbc4f3

Download Submit
C:\Windows\Temp\CabE38C.tmp
Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarB49.tmp
Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll
Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2f2e89ff249c4d8870d42aff074195dd\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
305KB

MD5
a3ffbe9e2eb17d03b54b0aec2fbe0fcf

SHA1
3e91686a03d379e60426cdb5290cb82fe3ef4f8a

SHA256
546bba95671a317ad56d5ca82a1575ffc50d707535ddaa4c453b17d378c09d5d

SHA512
5f28c5afb43d913011796a23a5460238cb688865eed2ce71ced4f4d154fc2507fa483eac74e92690bc7f63b433ca421a8e71eb0062616d6301bcba6fc510d66f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\31ac0dbbae8d34f92f2e9ec6fd125975\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
122KB

MD5
c4ba9a179e70f458de5d1b40d4b0999f

SHA1
37946e4e0e15fc83606d66eb710b5708367dfba2

SHA256
16b45031f3cdafaca71e62f47abafa77fa281cd8ff0e01eff1a35e28dc43a277

SHA512
34f343a03a55af0e814a773325c48567bc44fbcb0212c917185fdd189da58608fc9931437bd4994dab07b24eb2d9b3c416730653e70cbef2a6548f5e9815613d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bb49c97b2161ee7c77e54b646246d96f\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
271KB

MD5
8417e72b29a767a588a64244233bee28

SHA1
c33cd3fd2afe85d65424d9a20fba89387c13370a

SHA256
09ad9413a845b07a981559b79cb005610bab8524e4bda482381414258ce3ccd2

SHA512
bc0e8c2b8c3476b7e8896ca91e1745e34f7e28602741703cbacec4d8cfeec2463cdf7d5579fdc81b9509b0de14cc592afbff6aa4b355062dd493f143cd95a265

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\cd98d0bc43e022b0c9210dc09a4d31e4\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
221KB

MD5
751fe2111e2ca8b460acedbdceca3265

SHA1
64ba022000842bb6b1c388d45af9ef11fb366e14

SHA256
e848215ef4a870074805d0393a2fe71061a426a080d5d91e844cb26615bab63c

SHA512
c1dbb048c2efc9993d8d1d1ebb88682c5d50d3b147a1fd63405e01709355cda4510fd9c2f136db9b29121da8de80ab8dbffed462fc5094b854c06e630c7788a8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll
Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll
Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll
Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\system32\fxssvc.exe
Filesize
1.2MB

MD5
0fc7a72259709b5ad8c8fb5bd0be1a3e

SHA1
4fcfbfe3fc3e6f9826b709eff9032a2e8eb4cbb4

SHA256
679422d4b3544fbfdae21cf22fd9fd5375c3d75ad9db578d80ff874a39dad2fd

SHA512
a63ccf362c5f6edc88af599fd5aaa5081097797c8257d2e6768f94aa7c7f69d0ca3d5fd1f15ca3635d23055287adc3acdcee9bfafe572ac91001c915fa6ef2d0

Download Submit
\Windows\System32\Locator.exe
Filesize
577KB

MD5
61bcfcce2851c305ce928c9e04a4a1b3

SHA1
99cdb7c2e6378cc6a960c87609e6071ed1e27165

SHA256
636ceb506c5b15272c7941f318ffb38104e342f1bec82f49bed46a76e17c6a59

SHA512
ef87331c0988ed31907bed9a5d4df3fcec2b9c07263b78082187f774224aa8e9f06768722823ca989d6f12b218a968fda8951613121662c00e63d8b33b7d1392

Download Submit
\Windows\System32\alg.exe
Filesize
644KB

MD5
f9e547dfdc338793b3c499c9f4ebf2e5

SHA1
703cec442e183c6cf5019d4ef70c4ba599054fd4

SHA256
e990f31f845385f53e92fb7bdd72b2a997e0fe75c0c3c89a587ece48d11d6a87

SHA512
fc0b81178dbaa74b214fd4c5897dffb9a2d195f138c2c95279c30d75e89467746a63ab8e4cef1036a86fb32815ae32ae8f6ec451e9c9d9a032d2d0be58443e36

Download Submit
\Windows\System32\dllhost.exe
Filesize
577KB

MD5
16b85519a6dec399a0a000ee98379a78

SHA1
94f212b8161aa4e56f80782661fd055aaa0166d3

SHA256
e73101e7b2156051de3cd4ccf7afdef2a47b1436eb1b0a9302c654585ab37cfc

SHA512
b19b1ae3064c094e7c860af8764004afe7f27a3d137f9b1b5936acbadce40b5af2ee539250aadef0bf6db35efe67905072f5afe6b6da8d6c02ac216df88e7554

Download Submit
\Windows\System32\ieetwcollector.exe
Filesize
674KB

MD5
e7003eccff2b71a615940213f9ddbfde

SHA1
f2fce6c2e51d8d17c1d36d22221ee6922654dcd7

SHA256
8bc35ed020e216e7421fe956ad8dcc1603e819288f251f30069c5d1568f973cb

SHA512
22f6111aefe40c4b6bea2bfd1c1a76a9c4eb2ffebda73b0ac5c38f4214ae1cf0a07856e9b1c4eb5aa3b060027ec4e2cf07f22f1032bc1733f8a15bc5232a07a2

Download Submit
\Windows\System32\msdtc.exe
Filesize
705KB

MD5
bac36f8b2d8a85dc2e2b5a8ae3486a04

SHA1
05a1fc4abd3c53eff7b3d75a4ea22b671b239b69

SHA256
232645b26c5933797f338de227b3abdb00c980000c49dfe4603abf40aa58a117

SHA512
560241bf2c43e8596505e9694600294167e6735e78edacced9035e9d5d412fccc1f1deb2088f83c0d999e7cb8d879b5bbc009cadd2c287eb1cda0ea7e16927e1

Download Submit
\Windows\System32\msiexec.exe
Filesize
691KB

MD5
78d9d4237abeaae7f28737e057de6aac

SHA1
c7f98b5f7ab0e560e8dd2859b0715617a884470c

SHA256
f3c3307bfa458ffdbe3d9c5e282514d6dcedc19bd0b2f91cf8a3c0f0b80944ea

SHA512
5e9f16fe46adceab08214b62e0b27de2864087d65f955840471164d6ad049748d8b268ad9b123e8beb34f77adf8887706c70de423b99918eaa7a8920a1195f62

Download Submit
\Windows\System32\snmptrap.exe
Filesize
581KB

MD5
beef1c8aba772df7af6329ff1327b2aa

SHA1
e867899e48058b06466707e2bc8041c63829d03f

SHA256
156d76fd68e3efa426f564394da3534a3ac16525cfd4d896ecea08b993072a18

SHA512
b27d4318c4965eee6a8aa5929bd1604c7f915ca337338978e13b64302c9b39b0867eb4d8ed574235c8ec6b6e9e7fc6372c425bcc37ad28a5b37d584a1d50c98c

Download Submit
\Windows\System32\wbem\WmiApSrv.exe
Filesize
765KB

MD5
6e87537f6db374c17896cb9d7ea13961

SHA1
94390c019b3b3e4487e4e05e5dcf68386b15d2bb

SHA256
360d3760a05052d9cbdb13f6861c85de31841712f109573d62f00065eda3026d

SHA512
e82f120e48436d538187226554e8cbc566cc302da494a7586303e0a5d9f0798eefa4c074ea99cb18bbf5e73ccee114eecfef13922f15092323d66f1ae9ed7c2d

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
0522cd5606e9f1ceaf37d998f60824ad

SHA1
f3ebb22b7e6400ee6cae7c629d7e4f57a21449ee

SHA256
a8812d83284fbf692baed540bc9c3d8805e425269a7d271e5668e988c08472f5

SHA512
0abdec9f00a25883e32bbe0bcb1da1b2f82cdbdbf72ab84d64f8ac4068fb5201b3f9e3a09640f524f2677a12ce56849f0003b12ec70aa1c72137d3feef822bf7

Download Submit
\Windows\ehome\ehsched.exe
Filesize
691KB

MD5
0930757788517dc7215ea8ec9d9cad49

SHA1
b54adba7cd2e955ff8c9a0f2810454edb348a529

SHA256
379794a6ccdd8affa81ed51f5586ebea29d1b9b73db2a29c614caa2b1f89cf30

SHA512
52ec80bd7d04401bb4491f0ea5a1c693b1c5ef998a408dada43a7180f892fc2976d69cc22fd238ffbb86b1f31c147aad7b4127b52787361de3fea4905d11dad7

Download Submit
memory/596-501-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/740-357-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/740-684-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/768-853-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/768-856-0x0000000003C10000-0x0000000003CCA000-memory.dmp

Filesize
744KB

Download
memory/768-868-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/844-794-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/844-779-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/900-336-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/900-218-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/976-360-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/976-689-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1056-379-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1056-729-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1452-545-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1452-479-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1524-726-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1536-212-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1536-323-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1544-750-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/1544-469-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/1588-685-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1588-690-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1704-240-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1704-264-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1712-372-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1712-261-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1836-319-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1836-606-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1956-808-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1956-789-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2112-842-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2112-846-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2116-176-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2116-175-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2116-182-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2116-299-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2124-805-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2124-812-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2124-890-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2124-905-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2144-16-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2144-19-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2144-31-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2144-29-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2144-174-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2168-128-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/2168-188-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2168-121-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2168-122-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/2336-330-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2336-626-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2372-0-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/2372-130-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2372-634-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2372-463-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2372-5-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2372-8-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/2372-627-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2440-356-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2440-237-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2480-865-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2480-881-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2492-913-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2524-894-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2524-876-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2560-286-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2560-155-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2560-162-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2560-154-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2564-843-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2588-308-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2588-541-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2612-742-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2612-730-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2632-205-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2632-68-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2632-88-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2632-94-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2660-556-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2660-582-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2680-902-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2692-781-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2692-770-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2756-144-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2756-271-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2756-139-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2756-138-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2764-610-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2764-630-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2772-294-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2772-500-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2784-280-0x0000000000200000-0x00000000002B2000-memory.dmp

Filesize
712KB

Download
memory/2784-269-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2784-470-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2784-478-0x0000000000200000-0x00000000002B2000-memory.dmp

Filesize
712KB

Download
memory/2816-636-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2816-676-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2856-831-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2856-820-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3004-311-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/3004-191-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/3016-106-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3016-114-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/3016-107-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/3016-167-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3024-635-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/3024-345-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/3048-762-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3048-751-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download