59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479

Analysis

max time kernel
142s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
Size

625KB
MD5

ca31aaf988b1c4715eeec5405a599638
SHA1

cb172f3fdccde3c08d791b6901787bee3c664ea2
SHA256

59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479
SHA512

9eee8cc142daf914aff86b661a29c42c86e4eafe054b92b65d57aaa984bd668d3a7fa74f96be8b0411b60281d7ec0ad76b74ecf0eaf4a3865bb4a2f57400917d
SSDEEP

12288:D2vlnybqL5tml0aTcMjN12xdUb6pSsFQHNP51lK9+Prapve43kT:yvl11tmlNQ2OnBdFQtP51llPup33kT

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exeGROOVE.EXEmaintenanceservice.exedllhost.exemsdtc.exemsiexec.exemscorsvw.exeOSE.EXEOSPPSVC.EXEperfhost.exemscorsvw.exelocator.exemscorsvw.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
2524	alg.exe
2528	aspnet_state.exe
2860	mscorsvw.exe
1908	mscorsvw.exe
1808	mscorsvw.exe
2656	mscorsvw.exe
2140	ehRecvr.exe
1756	ehsched.exe
552	elevation_service.exe
1440	IEEtwCollector.exe
2760	GROOVE.EXE
1140	maintenanceservice.exe
2968	dllhost.exe
2976	msdtc.exe
2264	msiexec.exe
1520	mscorsvw.exe
1148	OSE.EXE
1664	OSPPSVC.EXE
764	perfhost.exe
2160	mscorsvw.exe
2664	locator.exe
952	mscorsvw.exe
2708	snmptrap.exe
2304	vds.exe
1312	vssvc.exe
1144	wbengine.exe
2788	WmiApSrv.exe
912	wmpnetwk.exe
1196	SearchIndexer.exe
2160	mscorsvw.exe
2468	mscorsvw.exe
1656	mscorsvw.exe
2272	mscorsvw.exe
1868	mscorsvw.exe
2556	mscorsvw.exe
1800	mscorsvw.exe
2468	mscorsvw.exe
1328	mscorsvw.exe
2560	mscorsvw.exe
1760	mscorsvw.exe
2880	mscorsvw.exe
2160	mscorsvw.exe
868	mscorsvw.exe
2476	mscorsvw.exe
2356	mscorsvw.exe
2316	mscorsvw.exe
1420	mscorsvw.exe
2852	mscorsvw.exe
1756	mscorsvw.exe
2476	mscorsvw.exe
1548	mscorsvw.exe
2568	mscorsvw.exe
1908	mscorsvw.exe
956	mscorsvw.exe
1328	mscorsvw.exe
1992	mscorsvw.exe
2840	mscorsvw.exe
1388	mscorsvw.exe
680	mscorsvw.exe
1552	mscorsvw.exe
2472	mscorsvw.exe
2536	mscorsvw.exe
1996	mscorsvw.exe

Loads dropped DLL 51 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
468
468
468
468
468
468
468
2264	msiexec.exe
468
468
468
468
468
768
1992	mscorsvw.exe
1992	mscorsvw.exe
1388	mscorsvw.exe
1388	mscorsvw.exe
1552	mscorsvw.exe
1552	mscorsvw.exe
2536	mscorsvw.exe
2536	mscorsvw.exe
2888	mscorsvw.exe
2888	mscorsvw.exe
2140	mscorsvw.exe
2140	mscorsvw.exe
2852	mscorsvw.exe
2852	mscorsvw.exe
1300	mscorsvw.exe
1300	mscorsvw.exe
784	mscorsvw.exe
784	mscorsvw.exe
2332	mscorsvw.exe
2332	mscorsvw.exe
2424	mscorsvw.exe
2424	mscorsvw.exe
760	mscorsvw.exe
760	mscorsvw.exe
1752	mscorsvw.exe
1752	mscorsvw.exe
1632	mscorsvw.exe
1632	mscorsvw.exe
1688	mscorsvw.exe
1688	mscorsvw.exe
3024	mscorsvw.exe
3024	mscorsvw.exe
1656	mscorsvw.exe
1656	mscorsvw.exe
2508	mscorsvw.exe
2508	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 22 IoCs

Processes:

aspnet_state.exemscorsvw.exe59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exemsdtc.exeGROOVE.EXESearchProtocolHost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\11279617ae4ef42b.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

Processes:

aspnet_state.exemscorsvw.exe59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exemscorsvw.exemscorsvw.exemscorsvw.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6835.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6642.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6ED9.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP783C.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5448.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8768.tmp\ehiVidCtl.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6B70.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exeSearchProtocolHost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeSearchFilterHost.exemscorsvw.exeehRecvr.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeSearchIndexer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051 = "Snipping Tool"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msinfo32.exe,-100 = "System Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\DVD Maker\DVDMaker.exe,-63385 = "Burn pictures and video to DVD."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\ShapeCollector.exe,-299 = "Provide writing samples to help improve the recognition of your handwriting."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data."	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ehRec.exeaspnet_state.exe

pid process

1896 ehRec.exe
2528 aspnet_state.exe
2528 aspnet_state.exe
2528 aspnet_state.exe
2528 aspnet_state.exe
2528 aspnet_state.exe

pid	process
1896	ehRec.exe
2528	aspnet_state.exe
2528	aspnet_state.exe
2528	aspnet_state.exe
2528	aspnet_state.exe
2528	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exemscorsvw.exemscorsvw.exeEhTray.exeaspnet_state.exeehRec.exemsiexec.exevssvc.exewbengine.exeSearchIndexer.exewmpnetwk.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2988	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
Token: SeShutdownPrivilege	1808	mscorsvw.exe
Token: SeShutdownPrivilege	2656	mscorsvw.exe
Token: 33	2716	EhTray.exe
Token: SeIncBasePriorityPrivilege	2716	EhTray.exe
Token: SeShutdownPrivilege	1808	mscorsvw.exe
Token: SeShutdownPrivilege	2656	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2528	aspnet_state.exe
Token: SeDebugPrivilege	1896	ehRec.exe
Token: SeShutdownPrivilege	1808	mscorsvw.exe
Token: SeShutdownPrivilege	1808	mscorsvw.exe
Token: SeShutdownPrivilege	2656	mscorsvw.exe
Token: SeShutdownPrivilege	2656	mscorsvw.exe
Token: SeRestorePrivilege	2264	msiexec.exe
Token: SeTakeOwnershipPrivilege	2264	msiexec.exe
Token: SeSecurityPrivilege	2264	msiexec.exe
Token: SeBackupPrivilege	1312	vssvc.exe
Token: SeRestorePrivilege	1312	vssvc.exe
Token: SeAuditPrivilege	1312	vssvc.exe
Token: SeBackupPrivilege	1144	wbengine.exe
Token: SeRestorePrivilege	1144	wbengine.exe
Token: SeSecurityPrivilege	1144	wbengine.exe
Token: 33	2716	EhTray.exe
Token: SeIncBasePriorityPrivilege	2716	EhTray.exe
Token: SeManageVolumePrivilege	1196	SearchIndexer.exe
Token: 33	1196	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1196	SearchIndexer.exe
Token: 33	912	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	912	wmpnetwk.exe
Token: SeShutdownPrivilege	1808	mscorsvw.exe
Token: SeShutdownPrivilege	2656	mscorsvw.exe
Token: SeDebugPrivilege	2528	aspnet_state.exe
Token: SeShutdownPrivilege	1808	mscorsvw.exe
Token: SeShutdownPrivilege	2656	mscorsvw.exe
Token: SeDebugPrivilege	1808	mscorsvw.exe
Token: SeShutdownPrivilege	1808	mscorsvw.exe
Token: SeShutdownPrivilege	1808	mscorsvw.exe
Token: SeShutdownPrivilege	1808	mscorsvw.exe
Token: SeShutdownPrivilege	1808	mscorsvw.exe
Token: SeShutdownPrivilege	2656	mscorsvw.exe
Token: SeShutdownPrivilege	2656	mscorsvw.exe
Token: SeShutdownPrivilege	2656	mscorsvw.exe
Token: SeShutdownPrivilege	1808	mscorsvw.exe
Token: SeShutdownPrivilege	2656	mscorsvw.exe
Token: SeShutdownPrivilege	1808	mscorsvw.exe
Token: SeShutdownPrivilege	2656	mscorsvw.exe
Token: SeShutdownPrivilege	1808	mscorsvw.exe
Token: SeShutdownPrivilege	2656	mscorsvw.exe
Token: SeShutdownPrivilege	1808	mscorsvw.exe
Token: SeShutdownPrivilege	2656	mscorsvw.exe
Token: SeShutdownPrivilege	1808	mscorsvw.exe
Token: SeShutdownPrivilege	2656	mscorsvw.exe
Token: SeShutdownPrivilege	1808	mscorsvw.exe
Token: SeShutdownPrivilege	2656	mscorsvw.exe
Token: SeShutdownPrivilege	1808	mscorsvw.exe
Token: SeShutdownPrivilege	2656	mscorsvw.exe
Token: SeShutdownPrivilege	1808	mscorsvw.exe
Token: SeShutdownPrivilege	2656	mscorsvw.exe
Token: SeShutdownPrivilege	1808	mscorsvw.exe
Token: SeShutdownPrivilege	2656	mscorsvw.exe
Token: SeShutdownPrivilege	1808	mscorsvw.exe
Token: SeShutdownPrivilege	2656	mscorsvw.exe
Token: SeShutdownPrivilege	1808	mscorsvw.exe
Token: SeShutdownPrivilege	2656	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

2716 EhTray.exe
2716 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

2716 EhTray.exe
2716 EhTray.exe

pid	process
2716	EhTray.exe
2716	EhTray.exe

pid	process
2716	EhTray.exe
2716	EhTray.exe

Suspicious use of SetWindowsHookEx 25 IoCs

Processes:

SearchProtocolHost.exeSearchProtocolHost.exe

pid	process
2860	SearchProtocolHost.exe
2860	SearchProtocolHost.exe
2860	SearchProtocolHost.exe
2860	SearchProtocolHost.exe
2860	SearchProtocolHost.exe
2868	SearchProtocolHost.exe
2868	SearchProtocolHost.exe
2868	SearchProtocolHost.exe
2868	SearchProtocolHost.exe
2868	SearchProtocolHost.exe
2868	SearchProtocolHost.exe
2868	SearchProtocolHost.exe
2868	SearchProtocolHost.exe
2868	SearchProtocolHost.exe
2868	SearchProtocolHost.exe
2868	SearchProtocolHost.exe
2868	SearchProtocolHost.exe
2868	SearchProtocolHost.exe
2868	SearchProtocolHost.exe
2868	SearchProtocolHost.exe
2868	SearchProtocolHost.exe
2868	SearchProtocolHost.exe
2868	SearchProtocolHost.exe
2868	SearchProtocolHost.exe
2860	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exeSearchIndexer.exe

description	pid	process	target process
PID 1808 wrote to memory of 1520	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 1520	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 1520	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 1520	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2160	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2160	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2160	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2160	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 952	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 952	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 952	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 952	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2160	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2160	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2160	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2160	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2468	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2468	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2468	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2468	1808	mscorsvw.exe	mscorsvw.exe
PID 1196 wrote to memory of 2860	1196	SearchIndexer.exe	SearchProtocolHost.exe
PID 1196 wrote to memory of 2860	1196	SearchIndexer.exe	SearchProtocolHost.exe
PID 1196 wrote to memory of 2860	1196	SearchIndexer.exe	SearchProtocolHost.exe
PID 1196 wrote to memory of 2204	1196	SearchIndexer.exe	SearchFilterHost.exe
PID 1196 wrote to memory of 2204	1196	SearchIndexer.exe	SearchFilterHost.exe
PID 1196 wrote to memory of 2204	1196	SearchIndexer.exe	SearchFilterHost.exe
PID 1808 wrote to memory of 1656	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 1656	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 1656	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 1656	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2272	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2272	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2272	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2272	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 1868	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 1868	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 1868	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 1868	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2556	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2556	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2556	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2556	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 1800	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 1800	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 1800	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 1800	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2468	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2468	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2468	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2468	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 1328	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 1328	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 1328	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 1328	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2560	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2560	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2560	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2560	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 1760	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 1760	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 1760	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 1760	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2880	1808	mscorsvw.exe	mscorsvw.exe
PID 1808 wrote to memory of 2880	1808	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
"C:\Users\Admin\AppData\Local\Temp\59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2860

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 254 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1f0 -NGENProcess 25c -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 244 -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 268 -NGENProcess 258 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 270 -NGENProcess 25c -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 240 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 1d4 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 268 -NGENProcess 284 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 288 -NGENProcess 1d4 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 290 -NGENProcess 25c -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 254 -NGENProcess 1d4 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 28c -NGENProcess 260 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1f0 -NGENProcess 25c -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 240 -NGENProcess 254 -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 240 -NGENProcess 28c -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 29c -NGENProcess 254 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d4 -NGENProcess 2a0 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 2a4 -NGENProcess 254 -Pipe 298 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2ac -NGENProcess 2a4 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 1d4 -NGENProcess 270 -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 1c4 -NGENProcess 29c -Pipe 21c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2d0 -NGENProcess 1d4 -Pipe 2cc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2d4 -NGENProcess 2c0 -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2d8 -NGENProcess 29c -Pipe 2bc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2dc -NGENProcess 1d4 -Pipe 294 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 1d4 -NGENProcess 2d4 -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 2e8 -NGENProcess 2dc -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2e0 -NGENProcess 2f0 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2e4 -NGENProcess 2dc -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2dc -NGENProcess 2ec -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 1c4 -NGENProcess 2d4 -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2e4 -NGENProcess 2d4 -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 300 -NGENProcess 2ec -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2ec -NGENProcess 1c4 -Pipe 2fc -Comment "NGen Worker Process"
2⤵
PID:1232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 308 -NGENProcess 2d4 -Pipe 2dc -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2d4 -NGENProcess 300 -Pipe 304 -Comment "NGen Worker Process"
2⤵
PID:2740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 310 -NGENProcess 1c4 -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 1c4 -NGENProcess 308 -Pipe 30c -Comment "NGen Worker Process"
2⤵
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 318 -NGENProcess 300 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 300 -NGENProcess 310 -Pipe 314 -Comment "NGen Worker Process"
2⤵
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 320 -NGENProcess 308 -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 308 -NGENProcess 318 -Pipe 31c -Comment "NGen Worker Process"
2⤵
PID:2632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 328 -NGENProcess 310 -Pipe 1c4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 310 -NGENProcess 320 -Pipe 308 -Comment "NGen Worker Process"
2⤵
PID:2988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 330 -NGENProcess 318 -Pipe 300 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 318 -NGENProcess 328 -Pipe 32c -Comment "NGen Worker Process"
2⤵
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 338 -NGENProcess 320 -Pipe 324 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 320 -NGENProcess 330 -Pipe 334 -Comment "NGen Worker Process"
2⤵
PID:2620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 340 -NGENProcess 328 -Pipe 310 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 328 -NGENProcess 338 -Pipe 33c -Comment "NGen Worker Process"
2⤵
PID:868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 348 -NGENProcess 330 -Pipe 318 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 330 -NGENProcess 340 -Pipe 344 -Comment "NGen Worker Process"
2⤵
PID:1072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 350 -NGENProcess 338 -Pipe 320 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 29c -NGENProcess 338 -Pipe 354 -Comment "NGen Worker Process"
2⤵
PID:2584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2f4 -NGENProcess 358 -Pipe 328 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 29c -NGENProcess 350 -Pipe 348 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2f8 -NGENProcess 35c -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:2248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 35c -NGENProcess 360 -Pipe 368 -Comment "NGen Worker Process"
2⤵
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 340 -NGENProcess 364 -Pipe 34c -Comment "NGen Worker Process"
2⤵
PID:2352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 36c -NGENProcess 29c -Pipe 338 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 29c -NGENProcess 35c -Pipe 360 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 35c -NGENProcess 374 -Pipe 370 -Comment "NGen Worker Process"
2⤵
PID:800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 378 -NGENProcess 2f8 -Pipe 350 -Comment "NGen Worker Process"
2⤵
PID:2168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 378 -NGENProcess 35c -Pipe 358 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 340 -NGENProcess 2f8 -Pipe 36c -Comment "NGen Worker Process"
2⤵
PID:1324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 37c -NGENProcess 388 -Pipe 378 -Comment "NGen Worker Process"
2⤵
PID:280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 364 -NGENProcess 2f8 -Pipe 380 -Comment "NGen Worker Process"
2⤵
PID:1868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 38c -NGENProcess 340 -Pipe 374 -Comment "NGen Worker Process"
2⤵
PID:2352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 388 -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
PID:2740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 2f8 -Pipe 29c -Comment "NGen Worker Process"
2⤵
PID:2152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 340 -Pipe 384 -Comment "NGen Worker Process"
2⤵
PID:1488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 390 -NGENProcess 3a0 -Pipe 394 -Comment "NGen Worker Process"
2⤵
PID:2484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 37c -NGENProcess 340 -Pipe 364 -Comment "NGen Worker Process"
2⤵
PID:1012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 39c -NGENProcess 3a8 -Pipe 390 -Comment "NGen Worker Process"
2⤵
PID:1072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 35c -NGENProcess 340 -Pipe 38c -Comment "NGen Worker Process"
2⤵
PID:816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 35c -NGENProcess 39c -Pipe 37c -Comment "NGen Worker Process"
2⤵
PID:2140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 39c -NGENProcess 3b0 -Pipe 3b4 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 398 -NGENProcess 3b8 -Pipe 35c -Comment "NGen Worker Process"
2⤵
PID:2852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3a0 -NGENProcess 3b0 -Pipe 3a8 -Comment "NGen Worker Process"
2⤵
PID:932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3bc -NGENProcess 39c -Pipe 3a4 -Comment "NGen Worker Process"
2⤵
PID:1088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 3b8 -Pipe 340 -Comment "NGen Worker Process"
2⤵
PID:2960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3a0 -NGENProcess 3c8 -Pipe 3bc -Comment "NGen Worker Process"
2⤵
PID:2484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3c8 -NGENProcess 398 -Pipe 3cc -Comment "NGen Worker Process"
2⤵
PID:2892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 388 -NGENProcess 2f8 -Pipe 3ac -Comment "NGen Worker Process"
2⤵
PID:2848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3d0 -NGENProcess 3c4 -Pipe 39c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 398 -Pipe 3b8 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 2f8 -Pipe 3b0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 3c4 -Pipe 3a0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3c4 -NGENProcess 3dc -Pipe 3e0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3e4 -NGENProcess 2f8 -Pipe 388 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3c8 -Pipe 3d0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3dc -Pipe 3d4 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 2f8 -Pipe 398 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 3c8 -Pipe 3d8 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3dc -Pipe 3c4 -Comment "NGen Worker Process"
2⤵
PID:856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 2f8 -Pipe 3e4 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 3f0 -NGENProcess 3c8 -Pipe 408 -Comment "NGen Worker Process"
2⤵
PID:1676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3c8 -NGENProcess 3f8 -Pipe 404 -Comment "NGen Worker Process"
2⤵
PID:1460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3ec -NGENProcess 3e8 -Pipe 3c0 -Comment "NGen Worker Process"
2⤵
PID:2892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3e8 -NGENProcess 3f0 -Pipe 3f4 -Comment "NGen Worker Process"
2⤵
PID:2716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 418 -NGENProcess 2f8 -Pipe 3dc -Comment "NGen Worker Process"
2⤵
PID:2864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 3ec -NGENProcess 420 -Pipe 3e8 -Comment "NGen Worker Process"
2⤵
PID:2084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f8 -NGENProcess 2f8 -Pipe 40c -Comment "NGen Worker Process"
2⤵
PID:2536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 424 -NGENProcess 418 -Pipe 3fc -Comment "NGen Worker Process"
2⤵
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 418 -NGENProcess 3ec -Pipe 420 -Comment "NGen Worker Process"
2⤵
PID:3028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 42c -NGENProcess 2f8 -Pipe 414 -Comment "NGen Worker Process"
2⤵
PID:2564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 430 -NGENProcess 428 -Pipe 41c -Comment "NGen Worker Process"
2⤵
PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 434 -NGENProcess 3ec -Pipe 3f8 -Comment "NGen Worker Process"
2⤵
PID:2516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 438 -NGENProcess 2f8 -Pipe 410 -Comment "NGen Worker Process"
2⤵
PID:920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 2f8 -NGENProcess 42c -Pipe 440 -Comment "NGen Worker Process"
2⤵
PID:2584

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2476

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1548

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2140

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1756

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2716

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:552

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1440

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2760

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1140

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:2968

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2976

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1148

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:1664

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:764

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2664

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2708

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2304

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2788

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
2⤵
- Suspicious use of SetWindowsHookEx
PID:2860

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
2⤵
- Modifies data under HKEY_USERS
PID:2204

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
706KB

MD5
4cd25896de01e8945b56f7aba6aa4d98

SHA1
a6c9420361a454a35860765ddf7b0354f4d62dae

SHA256
ff3bf18a27812881922e1a28ca862916c5c53255ef0e27f40ddd57f36aeeff2b

SHA512
22582ced86ab678cde2a7e270f8a15e3b4df73d8f6d6305ff85b532d829b1e860a78e72b8ef1b14ccf2f28faa1d3e7156273e444641b1a94059f3927b2e77d06

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
2a934451854409f1e4e999112aa3d35c

SHA1
b7e534faf5a8728bf830953183687cbc4152a667

SHA256
0ee11e3a80b95b9ee78c4755d95fbef7db1bc08da6e1aa9eed36929ca48b4ae0

SHA512
698017ab7ac4a51ddfa89c1ebb324566ff4691d691dbfaceefd2e93baa4dc011301291bdb6fcb50c02fa28bbd1d4c84fc89ecf0b27bf32a8e8233d082e1e529f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
db3c4e357c91fd50107efcf5e0dbd561

SHA1
4158b3ea150bb507636e1fb77364b9baae532ca7

SHA256
94531e4328ac38f34fd8ef18c9a763bf4259399addb591cefcb4aecce80fd919

SHA512
d12883932c42f08844f416d673d0a796e1194c95a77c7548e4911d7644a3f0d19246d3fa0debe99745774dc18e5960ed0894e6ed6c9042d805677bdc3b820319

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
867d8bed5c31890faac71fbebc6447ac

SHA1
10e247132cb6ea56bfedacb7a7284c5a29faeae4

SHA256
dce67fd9f0f2191db09191949decaba15991f1949fd9e7105f6e0a97c3935c2c

SHA512
de800b0221b1a34a2f89fea31114dc7e265550fc0c4d154579c47ea08a31f532917a61fb4d3beb9c1e237658a24651070f69ac8b1a9e69b087fcc7c744acb594

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
95a2cfefa10e5f6060c1c80ad26b71bd

SHA1
542445e0bdc42a38b8587548c51adf62dbba8057

SHA256
3e6349501b469c7eb388c71e5c896feb8d052d7039576d8a9b2a6ce0073e7d23

SHA512
a017c6859e8ddeb3bf3439c6d99dbed5f3ce22d8aae1ccbaa8f92548ed600e83f453fbc1dbba0ada5a6eab182df4341757aa3c5284789f419423f428491d9426

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
2.0MB

MD5
ac438fd62c9981a4f60f11d8f0ea9a8b

SHA1
aaccce1196cb06906d008966c09b14a3a07b0f8e

SHA256
30d335eeae988a92bbe1be063cd45f276d36967b352d2aa4b1a359e45a2eae35

SHA512
f93777ce16743ff1355347b2c8ec445778f06c16326d76726c43563b506122b6b5669c1c7b734672b729f23dd27369d09b5f19459cf282f9c8c85cfad3d6dbb2

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
991d8116f1ec5351bee2e61ea67085e2

SHA1
feeb0e110d2e8c47db52b7700a54d58ad7b423d7

SHA256
e302abaef8c18f80bdf97425843bd42c4fc393519e43a492d06703dc5f5a793a

SHA512
01b65d3bf690539c2c3ae443926f341a10ca97381af11e81f0ac0f73c28f395dcf12cc405af18e1eb22951ceac5834fbddc2e98ad285716cfbcfd9500a2955db

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
678KB

MD5
4cd9c0a2f2ca1b4971b9bef76fe12d72

SHA1
efc44f7fcdbd26f7a0e104315e79ff36b847ef86

SHA256
cc24928247b4482f7f2e7a92aca420e21cef333bb286556103f4b124a835bb40

SHA512
1a930259b3e8039ccd2f956055beee161df4c69a152747cabfe401463b25476fbf0635864ea0f607928086effe669b0f1727732a8d70e8809f2755e88c22ec9c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
625KB

MD5
aa36a16ed0aec72dfec7bd0d30a7c39c

SHA1
33822b4ce7825c307230a780bb40c75b9c7ae9a3

SHA256
ac38e8fd4c36c9a08a004a3cc6b94e1a4bc7e48318a7a001d92cb29ae9867524

SHA512
ab9a1230e7478d6261acb8c2796219ce0ac85226a131a43fdb29f95e903abec8cde7faf82482f667ad737778d32b37155ccb03130f1f63da8858bc501bb530b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
760a1ad91d48d36d521b3475abe9fe4f

SHA1
47beeb633342954a75f732f6847c9e3f44eb0423

SHA256
931f97dbc20534aaaf3adaf13c44d8037bee6f5b83eaa1fa4f738bcc21f2f8b4

SHA512
fc454f1632a8d89461fe5caf4774184fa482221599703647b89d5bd71f1e93e413135a934d0ff2f896ba0630febab2c65c0c7277c1eede5bc3f18de4777ce9eb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
656KB

MD5
418d35db044af8d788818ea1ee5c2bc0

SHA1
c8fc25c4b1f4979370207455a4158f13d18cfaa6

SHA256
630ebd2d14292bf6d860e50ab4dce96c78a520b8cf544e0cd96973fbf6872a36

SHA512
45e849c8c7f76619a1c56216ed91d9ab5ede5af7246d304c0fb1425ba15d22de84097da35e63e211c4b592009d599710d7cb9bc721b5c7cbcfd5f63a9c4966e5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
6975fc2f17560241f07bf59badde9104

SHA1
3bbbe5eebc33401690666745b895b2d510364fbb

SHA256
f6b4609e1644db504ba0e3828ba67cbe3bdba9928054973de5901ff730610e41

SHA512
d3c0b2aaae0bcfb53adf71d7348f2b1581f6c8cedc1ffb7e92ac5d2d6e65e07936c55cc484986824d30f938bdcbe22eccc24c76ad1f1272ae27948be0e93f3c4

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
587KB

MD5
7fd87a7d6648307a0ee9ff64ac015641

SHA1
22b6584bc3479c0494b99f16fa76140ca77807d2

SHA256
083d02e6b2b0bdc5792fb1c18ef8995dd72b7e48df6b2ce8d67e49c988a51ada

SHA512
b6565fe90b6e0d4c931187870e4a1545c3d522ffbb81158e5009e1d0d97f805bf6a9235f944feac3f42a7eb111df2f5217bc506922129499749ef1a3bdf21ce7

Download Submit
C:\Windows\System32\Locator.exe
Filesize
577KB

MD5
2c05846ab200767109f06fd0fb09eac1

SHA1
f7bc73f77037bb16abb53224bb0377134fd93d15

SHA256
bce482bc3308d971c01aad7fce54b2a6fbfbe6a7938b296e2c941e53ca8b4cca

SHA512
ff5d85b09e079b80217b98f1ed50e1d490c1f1fa7c65f35b0877f3250cf906d57d3f5f45428c2320b67bdd7729d10181b9bab4d07d8df4a9cf953a521fd1cd5e

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.1MB

MD5
2499cca849bfd8b6851edcf9b6dde796

SHA1
c50e2ac1fe8a648c8df78fe911f531532bdba839

SHA256
0d23bf13f55f957d4286df31bf06a9947a02c0f8437f4ba50cd06001fee8895f

SHA512
adec11abac8672bb8790485c9bb0f28a20eb272a972e4433d73d04f3e32189d4c195dd1df33980a461c9110d43a6d26268fdc4f047d5d2299ddfa73188e994d1

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.1MB

MD5
fdc9d18714c11199d2d0be75bde6555d

SHA1
8a31f6b4d0f6fb0fa029e62aa7eeee11c0e20389

SHA256
84c173aa8b0535a316c7a66b7e54e5a598f2b9b52ec0a969cedcbd1c33e56d52

SHA512
cad7f0c5ecc2026cc74339b01f8ea60c445748dd768ecac9792b97a23a58c8e5cee87331551bc3c98b03eb11b45a3c04191c1e06b049777b990f109b6ef84536

Download Submit
C:\Windows\System32\dllhost.exe
Filesize
577KB

MD5
f479be13bf2f9fc25d860c2aab3e293e

SHA1
94ee6821563a0ce9243394076a8405173e9def1b

SHA256
649e0029de17fc07ccbf2fe2061458b5f96688e2673695818539f88d76923708

SHA512
874b7879371d4d8352767aa639bb66a9fce9c432ea48b12af514b4ee4ac6237c201e43cf56d6c4fc201f67f327082679bcbc4407b40ac12211bfed63e13deb90

Download Submit
C:\Windows\System32\ieetwcollector.exe
Filesize
674KB

MD5
e60aa0d04546973ecc824fa21600bd3f

SHA1
89738cd3f5f07521ec4c24231da7458ba08d4504

SHA256
266550e5faf196ecef89ba2ac3b9654b1e60494ba4dbcfca1cb98f4563549f43

SHA512
8d890a791accc8deb1b03b29b0b606f47eaf27d2a2d85054b697280d48e68c4a21e8c2176b3107813a54b5bfeb5560c2eeeda8c82a669f9d83266669ba280abe

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
705KB

MD5
3219d24d0d9b4305c5b3ddcede93b834

SHA1
a7862b89e721f3b96f723a4ca6ff87a336ae6957

SHA256
2841c68d5edc3f2b4b70931f8b55aef5d5d8604d92ac58f5130c8397cb01669b

SHA512
f03ada84e68d587adce3f553bc6cfefb444316eaa30cfe69f0289e0f62379c1c42012abb5d5df92db498c2c22c08ce0b7db3d33fb7b812f9dda33807b38ac4e8

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
581KB

MD5
acc336fabfd746602efb18cb6967f547

SHA1
33f68934c1cd4b8fccab6a6c40c226f078650014

SHA256
19118bf71913ef4de77facffada6bd84ca2cb1e407d07539ccff16c8b6584460

SHA512
63c8556d217585c19fed730ed66905b08ca99329c3881e77b9e9efc67dfcb86ef87b5d6b8db4d785ceb43cf78e4b303814dd24c8413cc21fe11f9bd169efe81e

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.1MB

MD5
6368dde161bae2883f64b94174b04ce6

SHA1
e7db85d258dbd5f981696063f267ccdff688265d

SHA256
485fc51ebe0259a5ae872d87ef61e8f7f93e1572b43454b6bffb257f9fea60d8

SHA512
0e3644913ea03814adbf865c667b3a139ddc1952ba3c809daa2b41c7e8f052f26427d387f4611e111d6f1dd44df93a4231c3d1da993cd7bd20b8f327e63af9e1

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.0MB

MD5
29e1cceb9b957b94ec291063c15d42ef

SHA1
686a1a6ecb7bed13ec2c3e2ab0643af1c44a48cf

SHA256
d5713723de48e3532735a758cea2c2aaa4ef5e17f8cc600d5f0f28889b341d4e

SHA512
0d21e44841f37ed82e2291b73cceb101934dc3426005bc14a01eea77e9c36d0caee2e7da09d8764aacdbb28aac73dc5a09d109daefabc398debd6c9082b002f9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll
Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\00cf0faa3d37faa0ea2d240c1ca307ef\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
143KB

MD5
75c84340d765d73eac1c743a31b6571a

SHA1
52aeef700a52b8e687316f42816eb9c0599354df

SHA256
b72a1f7da8b3c3dc95c2252319f6f3e71c81ed8bd59a5b31bd2861e14c364459

SHA512
9a9cdbc3a103e733150fae265c594dd7378ca402521387e466732f2431472a6a0e6cb4dfe02fe9f5b975a1739c685471ad2a4dddcdf6f12c4b5be469832fd5f1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\70cb07d91a9a53b14e45d9c3e5a20e11\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
187KB

MD5
044a2f38920a1f74ab975644db29c7fa

SHA1
90fb4a783a10dcf56a062a5e44e620b2eace9606

SHA256
13a375cf49efec8c31bd4a51db12ec4b0e317d9bb1fe0dd138eeb75a6bbd5ca2

SHA512
dfd5feb943251d19a77a952bdf059d77a7f63cb80b0dc758735515e86beaea7eb8aa40988eeeac29a3f633afe089779104ad3dbe49b5f98343451236d9258375

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\94b9844e4f3eb9a837213c9ed18c448d\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
83KB

MD5
22be81316eefdc804fe44670db153b40

SHA1
670fc8e08870e238fc39fa1508cddbb1da57b878

SHA256
88541e14bc235b6c7836563f1733a114a6d72483011e3f70f2952f7625bda643

SHA512
addd6ea7b05bf95a431e7a9d7fe3eab635bbeef9b74f4df994d326b31205321b9710a97f40d7d2f3599470d5ea4dcaf6efb02f751ab810a8b338a56f9bdda6fa

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ff91583a2e6bc7dd959deb7e77ea57db\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
180KB

MD5
a7dd8def557ccd9e8202199499386651

SHA1
10bc3b044c6c2b258356169eab5d6dbc54329ed0

SHA256
b6b22830a89592a0a9ebd67cfee66f668772c55dbbac0be1c8e9f12a8f7aa526

SHA512
8b03745d7fb2fb08eb2c10a50f1049a93eb96b68649e6136e553c0714ea345a3cf9c04953661143a610e7492b539826b759727c5d895ea47ec4b00be5770943f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehsched.exe
Filesize
691KB

MD5
32904cc0d56708b71cde47d7d8650f3f

SHA1
dfa20d29dffc9a695c77db253ad985740f28eacc

SHA256
c4974e699a068ec7fb18b24085cce6a952d34a48c2a673fe1df33b1d8d253859

SHA512
84ccca9383d62f8c182d322230ce2bdf2ae694f53f9b5a7f5e20188a722ffa7071ade6a56cd127a7ec696fe34088ac94f47557397210d159e9dac2585ac5affe

Download Submit
C:\Windows\system32\fxssvc.exe
Filesize
1.2MB

MD5
b98ed73912aaeedd6b151ee657cf1598

SHA1
416f42143f2f0e3031b7af69b2346126d3d7ab26

SHA256
4f88ae12875fdb0b53f73ba3647311b8137396b666cf9d543478a197bd212a2b

SHA512
bf3bb50bbaa7b4a6821e4c376e948e440e1801de83a3798684889706056125f6745458482759f547ac98526c67f827c0cfc9074e1df23d6ed0b4c7ddae341c83

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
648KB

MD5
57a3c52f1981b0b65c01ebdf5dccc04d

SHA1
40f8126ae20d662bbcdf4a204c9e9e297a62005c

SHA256
48a3099e16ee28040d81c5fe09d4cde279721270ba1804f7e0a5e9755eee2f7c

SHA512
267b3cdf6882b8215c2d90b32e0f505889bd79a57bb70e3b4b2644fd51771a3a0c712e2e3d7880848844f3383e9c1fa8d135b0ec42de6cb753b49b9e8c0679c8

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
603KB

MD5
7f941166d7daf6fcb42f4aadd0dfec3b

SHA1
bde0637f86aee0062c8a27252e094b91c991c5ff

SHA256
d5f74c5ba234f84c3770997ccaf280018b1490389b34111b9a20fa554f6f37da

SHA512
e23a76d226c77eee64657f4c3f7e5b12f1f7d90ed24b83b54c8957d49ea522773de19d0c77ba17c8bf96b452bd628d6cb76413f7a58243d1c949b5993e0f81b1

Download Submit
\Windows\System32\alg.exe
Filesize
644KB

MD5
19a5c774800ccb30ca4a08785ba59041

SHA1
cd7d0c8a484d8ee0496c94532ca15b6efdc22de6

SHA256
7011bfdf3f18f21c5a140dc941ca2137a2375f63aee71721c7e8d24343b14924

SHA512
5280507e7d413b594216f1243e6dc89d06d60a6be08e46b87dba7c514b643c84b997984d166b905fd1d90644c0a4d5a1a14371968e49894c6aa7ef05877f652f

Download Submit
\Windows\System32\msiexec.exe
Filesize
691KB

MD5
efb1c14c28bee9aa9a94a0217a416b7a

SHA1
a4f4d0a01541b17942867b35601d971786690a6f

SHA256
af721195767e5cd3f05b3355d73c2ecc64af1656592f8e638bd12f7bd84352da

SHA512
ca2e87bee146c1cad073e9a21d04b179f820d8553bfa9f64aa7b79802719762025dcf8da1cb4d86046ffe682240fc2b807008aa7ec3ab632bf017479b4babd0d

Download Submit
\Windows\System32\wbem\WmiApSrv.exe
Filesize
765KB

MD5
27c84ad3187ffb9445ce04b8db21d3b3

SHA1
7ef17260defac5820543b0dfad4e6bc44242036d

SHA256
5815f33862195aca9abd16677eb79167621645dc6eadc48258bfbf79e8e976f8

SHA512
c0bc4e6ea9fafbcdba7909d0f3f5615fe77eeeaa5246a68c1562f99991b23120ef456ce06b05f73cefb9de7c14946c5b46ba2ccb36a9797b49ed32c1918b0766

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
6fe1e7107684a0a9138481e50aa17d07

SHA1
28de90d7c4a2ba125980f2e3a0cb76c51817ad8c

SHA256
19cfe40f9b36f847e7ca017b806ca784228fc99d2556342a666d0d9717d0f1c0

SHA512
b7b201131a4365364a11b7f51bda76c1005a4aca2e570a74e69fb7d320d85610fba22d89fe1a8c5e6cfc84e99fc46f4dc5bae06e026e4a70b4b7184c7777cda4

Download Submit
memory/552-136-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/552-224-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/764-229-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/764-305-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/868-726-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/868-712-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/912-638-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/912-302-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/952-390-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1140-181-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1140-165-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1144-281-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1144-599-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1148-218-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1148-287-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1196-649-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1196-306-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1312-575-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1312-280-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1328-650-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1328-665-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1420-754-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1440-759-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1440-141-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1440-228-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1520-250-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1656-579-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1656-549-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1664-300-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1664-226-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1756-124-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1756-210-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1756-597-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1756-116-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1760-677-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1760-682-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1800-636-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1800-616-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1808-194-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1808-67-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1808-68-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1808-73-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1868-607-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1868-593-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1908-78-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1908-53-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/1908-52-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/1908-46-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/1908-45-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2140-101-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2140-115-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2140-108-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2140-103-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2140-114-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2140-201-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2160-249-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2160-525-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2160-382-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2160-715-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2160-259-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2160-702-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2264-195-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2264-274-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2264-198-0x0000000000180000-0x0000000000232000-memory.dmp

Filesize
712KB

Download
memory/2272-576-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2272-592-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2304-275-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2304-574-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2316-745-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2356-748-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2468-545-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2468-653-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2468-524-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2468-637-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2476-721-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2476-729-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2524-113-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2524-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2528-18-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2528-24-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2528-128-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2528-17-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2556-620-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2560-676-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2656-91-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2656-197-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2656-84-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2656-85-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2664-253-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2664-482-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2708-270-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2708-547-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2760-248-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2760-151-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2788-288-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2788-615-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2860-29-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2860-31-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2860-35-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2860-65-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2880-704-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2880-692-0x0000000003BF0000-0x0000000003CAA000-memory.dmp

Filesize
744KB

Download
memory/2880-679-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2968-177-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2968-257-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2976-269-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2976-186-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2988-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2988-83-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2988-162-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2988-8-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/2988-1-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download