736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b

Analysis

max time kernel
137s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
Size

731KB
MD5

373c3855a2d7e25e0a99b88a46ee27fa
SHA1

649190eab272315eed3d6b0ce4ae20b727e2832e
SHA256

736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b
SHA512

40fd31cf0c33fef14b47437d21a22509f8cf6444d6033efc78914250a5e4b34c46ab8b55751f58ebf4363387f4870e1381e2b045b3315ca245f41801fdcb65f3
SSDEEP

12288:rABCbwfMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:rABD0SkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exeGROOVE.EXEmaintenanceservice.exemsdtc.exemsiexec.exeOSE.EXEOSPPSVC.EXEperfhost.exemscorsvw.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exewmpnetwk.exemscorsvw.exemscorsvw.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
464
2708	alg.exe
2600	aspnet_state.exe
2452	mscorsvw.exe
580	mscorsvw.exe
1384	mscorsvw.exe
2488	mscorsvw.exe
1884	ehRecvr.exe
1032	ehsched.exe
768	elevation_service.exe
992	IEEtwCollector.exe
1376	GROOVE.EXE
320	maintenanceservice.exe
2908	msdtc.exe
1964	msiexec.exe
2736	OSE.EXE
2540	OSPPSVC.EXE
1716	perfhost.exe
2460	mscorsvw.exe
2464	locator.exe
1792	snmptrap.exe
2320	vds.exe
2284	vssvc.exe
1320	wbengine.exe
1676	WmiApSrv.exe
2492	wmpnetwk.exe
1580	mscorsvw.exe
2480	mscorsvw.exe
2888	SearchIndexer.exe
900	mscorsvw.exe
564	mscorsvw.exe
2956	mscorsvw.exe
2288	mscorsvw.exe
1244	mscorsvw.exe
2228	mscorsvw.exe
268	mscorsvw.exe
920	mscorsvw.exe
1824	mscorsvw.exe
1600	mscorsvw.exe
1652	mscorsvw.exe
592	mscorsvw.exe
2756	mscorsvw.exe
368	mscorsvw.exe
2204	mscorsvw.exe
1600	mscorsvw.exe
900	mscorsvw.exe
592	mscorsvw.exe
2112	mscorsvw.exe
1468	mscorsvw.exe
2156	mscorsvw.exe
984	mscorsvw.exe
584	dllhost.exe
1284	mscorsvw.exe
1244	mscorsvw.exe
368	mscorsvw.exe
1996	mscorsvw.exe
976	mscorsvw.exe
2088	mscorsvw.exe
1268	mscorsvw.exe
2208	mscorsvw.exe
1052	mscorsvw.exe
2108	mscorsvw.exe
2640	mscorsvw.exe
2672	mscorsvw.exe

Loads dropped DLL 51 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
464
464
464
464
464
464
464
1964	msiexec.exe
464
464
464
464
464
744
464
976	mscorsvw.exe
976	mscorsvw.exe
1268	mscorsvw.exe
1268	mscorsvw.exe
1052	mscorsvw.exe
1052	mscorsvw.exe
2640	mscorsvw.exe
2640	mscorsvw.exe
2872	mscorsvw.exe
2872	mscorsvw.exe
2324	mscorsvw.exe
2324	mscorsvw.exe
2384	mscorsvw.exe
2384	mscorsvw.exe
856	mscorsvw.exe
856	mscorsvw.exe
3060	mscorsvw.exe
3060	mscorsvw.exe
1400	mscorsvw.exe
1400	mscorsvw.exe
1880	mscorsvw.exe
1880	mscorsvw.exe
1192	mscorsvw.exe
1192	mscorsvw.exe
976	mscorsvw.exe
976	mscorsvw.exe
2592	mscorsvw.exe
2592	mscorsvw.exe
1364	mscorsvw.exe
1364	mscorsvw.exe
2784	mscorsvw.exe
2784	mscorsvw.exe
2404	mscorsvw.exe
2404	mscorsvw.exe
1284	mscorsvw.exe
1284	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

Processes:

736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exealg.exeGROOVE.EXESearchProtocolHost.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\locator.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\12249b92ae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\system32\vssvc.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\SysWow64\perfhost.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\System32\vds.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\System32\msdtc.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exealg.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP43F3.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2AF7.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP344A.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP392A.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3C07.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2F2B.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6558.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exeehRec.exeSearchProtocolHost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeGROOVE.EXEmscorsvw.exemscorsvw.exeehRecvr.exeSearchIndexer.exeSearchFilterHost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10309 = "Solitaire is the classic, single-player card game. The aim is to collect all the cards in runs of alternating red and black suit colors, from ace through king."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\recdisc.exe,-2001 = "Creates a disc you can use to access system recovery options."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10303 = "Enjoy the classic strategy game of Chess. Play against the computer, or compete against a friend. The winner is the first to capture the opponent’s king."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114 = "Windows Fax and Scan"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 01000000000000003039de99bc99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msconfig.exe,-126 = "System Configuration"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009091029fbc99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0d3f8a0bc99da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

ehRec.exe736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe

pid	process
1312	ehRec.exe
3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exemsiexec.exevssvc.exewbengine.exeSearchIndexer.exewmpnetwk.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
Token: SeShutdownPrivilege	1384	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: 33	2312	EhTray.exe
Token: SeIncBasePriorityPrivilege	2312	EhTray.exe
Token: SeDebugPrivilege	1312	ehRec.exe
Token: SeShutdownPrivilege	1384	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	1384	mscorsvw.exe
Token: SeShutdownPrivilege	1384	mscorsvw.exe
Token: SeRestorePrivilege	1964	msiexec.exe
Token: SeTakeOwnershipPrivilege	1964	msiexec.exe
Token: SeSecurityPrivilege	1964	msiexec.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeBackupPrivilege	2284	vssvc.exe
Token: SeRestorePrivilege	2284	vssvc.exe
Token: SeAuditPrivilege	2284	vssvc.exe
Token: 33	2312	EhTray.exe
Token: SeIncBasePriorityPrivilege	2312	EhTray.exe
Token: SeBackupPrivilege	1320	wbengine.exe
Token: SeRestorePrivilege	1320	wbengine.exe
Token: SeSecurityPrivilege	1320	wbengine.exe
Token: SeManageVolumePrivilege	2888	SearchIndexer.exe
Token: 33	2888	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2888	SearchIndexer.exe
Token: 33	2492	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2492	wmpnetwk.exe
Token: SeShutdownPrivilege	1384	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeDebugPrivilege	3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
Token: SeDebugPrivilege	3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
Token: SeDebugPrivilege	3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
Token: SeDebugPrivilege	3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
Token: SeDebugPrivilege	3000	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
Token: SeShutdownPrivilege	1384	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeDebugPrivilege	2708	alg.exe
Token: SeShutdownPrivilege	1384	mscorsvw.exe
Token: SeShutdownPrivilege	1384	mscorsvw.exe
Token: SeShutdownPrivilege	1384	mscorsvw.exe
Token: SeShutdownPrivilege	1384	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	1384	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	1384	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	1384	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	1384	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	1384	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	1384	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	1384	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	1384	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	1384	mscorsvw.exe
Token: SeShutdownPrivilege	2488	mscorsvw.exe
Token: SeShutdownPrivilege	1384	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

2312 EhTray.exe
2312 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

2312 EhTray.exe
2312 EhTray.exe

pid	process
2312	EhTray.exe
2312	EhTray.exe

pid	process
2312	EhTray.exe
2312	EhTray.exe

Suspicious use of SetWindowsHookEx 26 IoCs

Processes:

SearchProtocolHost.exeSearchProtocolHost.exe

pid	process
900	SearchProtocolHost.exe
900	SearchProtocolHost.exe
900	SearchProtocolHost.exe
900	SearchProtocolHost.exe
900	SearchProtocolHost.exe
700	SearchProtocolHost.exe
700	SearchProtocolHost.exe
700	SearchProtocolHost.exe
700	SearchProtocolHost.exe
700	SearchProtocolHost.exe
700	SearchProtocolHost.exe
700	SearchProtocolHost.exe
700	SearchProtocolHost.exe
700	SearchProtocolHost.exe
700	SearchProtocolHost.exe
700	SearchProtocolHost.exe
700	SearchProtocolHost.exe
700	SearchProtocolHost.exe
700	SearchProtocolHost.exe
700	SearchProtocolHost.exe
700	SearchProtocolHost.exe
700	SearchProtocolHost.exe
700	SearchProtocolHost.exe
700	SearchProtocolHost.exe
700	SearchProtocolHost.exe
900	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exe

description	pid	process	target process
PID 1384 wrote to memory of 2460	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 2460	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 2460	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 2460	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 1580	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 1580	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 1580	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 1580	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 2480	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 2480	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 2480	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 2480	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 900	1384	mscorsvw.exe	SearchProtocolHost.exe
PID 1384 wrote to memory of 900	1384	mscorsvw.exe	SearchProtocolHost.exe
PID 1384 wrote to memory of 900	1384	mscorsvw.exe	SearchProtocolHost.exe
PID 1384 wrote to memory of 900	1384	mscorsvw.exe	SearchProtocolHost.exe
PID 1384 wrote to memory of 564	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 564	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 564	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 564	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 2956	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 2956	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 2956	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 2956	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 2288	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 2288	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 2288	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 2288	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 1244	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 1244	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 1244	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 1244	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 2228	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 2228	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 2228	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 2228	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 268	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 268	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 268	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 268	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 920	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 920	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 920	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 920	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 1824	1384	mscorsvw.exe	SearchFilterHost.exe
PID 1384 wrote to memory of 1824	1384	mscorsvw.exe	SearchFilterHost.exe
PID 1384 wrote to memory of 1824	1384	mscorsvw.exe	SearchFilterHost.exe
PID 1384 wrote to memory of 1824	1384	mscorsvw.exe	SearchFilterHost.exe
PID 1384 wrote to memory of 1600	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 1600	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 1600	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 1600	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 1652	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 1652	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 1652	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 1652	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 592	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 592	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 592	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 592	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 2756	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 2756	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 2756	1384	mscorsvw.exe	mscorsvw.exe
PID 1384 wrote to memory of 2756	1384	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
"C:\Users\Admin\AppData\Local\Temp\736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2452

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 254 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 244 -NGENProcess 25c -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 26c -NGENProcess 244 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 254 -NGENProcess 1d8 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 270 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 1d8 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 258 -NGENProcess 278 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 254 -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 264 -NGENProcess 278 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 258 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 284 -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 268 -NGENProcess 28c -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 290 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 264 -NGENProcess 294 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 28c -NGENProcess 298 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 254 -NGENProcess 294 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2a0 -NGENProcess 264 -Pipe 29c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a8 -NGENProcess 258 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2b0 -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b0 -NGENProcess 288 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 2a4 -NGENProcess 1ec -Pipe 1f8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 260 -NGENProcess 29c -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 250 -NGENProcess 26c -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d4 -NGENProcess 274 -Pipe 1ec -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1f0 -NGENProcess 22c -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 23c -NGENProcess 22c -Pipe 29c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1e8 -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 274 -NGENProcess 260 -Pipe 22c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1c4 -NGENProcess 1f0 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 1f0 -NGENProcess 1e8 -Pipe 214 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 2b4 -NGENProcess 260 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 260 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 294 -NGENProcess 1e8 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 1e8 -NGENProcess 2b4 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
PID:2892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 2b4 -NGENProcess 260 -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 260 -NGENProcess 21c -Pipe 2b0 -Comment "NGen Worker Process"
2⤵
PID:1980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 2ac -NGENProcess 250 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 250 -NGENProcess 294 -Pipe 21c -Comment "NGen Worker Process"
2⤵
PID:1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 258 -NGENProcess 2b4 -Pipe 298 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2b4 -NGENProcess 2ac -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2b8 -NGENProcess 1e8 -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 1e8 -NGENProcess 258 -Pipe 264 -Comment "NGen Worker Process"
2⤵
PID:2996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 1e8 -NGENProcess 2b8 -Pipe 2ac -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 2b8 -NGENProcess 2b4 -Pipe 258 -Comment "NGen Worker Process"
2⤵
PID:548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2c8 -NGENProcess 1c4 -Pipe 294 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 1c4 -NGENProcess 1e8 -Pipe 250 -Comment "NGen Worker Process"
2⤵
PID:856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2d0 -NGENProcess 2b4 -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b4 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
2⤵
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d8 -NGENProcess 1e8 -Pipe 2b8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 1e8 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 1c4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
2⤵
PID:2808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2c8 -NGENProcess 2e4 -Pipe 248 -Comment "NGen Worker Process"
2⤵
PID:2228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e0 -NGENProcess 2ec -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2ec -NGENProcess 2e8 -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f8 -NGENProcess 2e4 -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
PID:2500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 1e8 -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
PID:2128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 1e8 -NGENProcess 2e8 -Pipe 304 -Comment "NGen Worker Process"
2⤵
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 2c8 -NGENProcess 300 -Pipe 2bc -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 1e8 -NGENProcess 30c -Pipe 2fc -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2e0 -NGENProcess 300 -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
PID:1360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 318 -NGENProcess 2e8 -Pipe 314 -Comment "NGen Worker Process"
2⤵
PID:2416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2f8 -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 300 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
PID:2500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 300 -NGENProcess 2e0 -Pipe 328 -Comment "NGen Worker Process"
2⤵
PID:2536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 1e8 -NGENProcess 324 -Pipe 308 -Comment "NGen Worker Process"
2⤵
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 32c -NGENProcess 31c -Pipe 310 -Comment "NGen Worker Process"
2⤵
PID:1312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 300 -NGENProcess 334 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
PID:2936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2e8 -NGENProcess 31c -Pipe 318 -Comment "NGen Worker Process"
2⤵
PID:2092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 338 -NGENProcess 330 -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
PID:992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 2f8 -NGENProcess 31c -Pipe 320 -Comment "NGen Worker Process"
2⤵
PID:1444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 340 -NGENProcess 300 -Pipe 324 -Comment "NGen Worker Process"
2⤵
PID:436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 330 -Pipe 33c -Comment "NGen Worker Process"
2⤵
PID:548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 31c -Pipe 32c -Comment "NGen Worker Process"
2⤵
PID:2236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 300 -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
PID:2080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 330 -Pipe 338 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 31c -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
PID:2936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 300 -Pipe 340 -Comment "NGen Worker Process"
2⤵
PID:1112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 330 -Pipe 344 -Comment "NGen Worker Process"
2⤵
PID:2996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 31c -Pipe 348 -Comment "NGen Worker Process"
2⤵
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 300 -Pipe 34c -Comment "NGen Worker Process"
2⤵
PID:2244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 330 -Pipe 350 -Comment "NGen Worker Process"
2⤵
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 31c -Pipe 354 -Comment "NGen Worker Process"
2⤵
PID:1032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 300 -Pipe 358 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 330 -Pipe 35c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 31c -Pipe 360 -Comment "NGen Worker Process"
2⤵
PID:2384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 300 -Pipe 364 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 380 -Pipe 37c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 368 -NGENProcess 300 -Pipe 36c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 388 -NGENProcess 330 -Pipe 334 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 380 -Pipe 384 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 300 -Pipe 378 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 330 -Pipe 370 -Comment "NGen Worker Process"
2⤵
PID:2396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 380 -Pipe 374 -Comment "NGen Worker Process"
2⤵
PID:1576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 300 -Pipe 368 -Comment "NGen Worker Process"
2⤵
PID:1108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 330 -Pipe 388 -Comment "NGen Worker Process"
2⤵
PID:1864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 330 -NGENProcess 398 -Pipe 380 -Comment "NGen Worker Process"
2⤵
PID:2080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 38c -NGENProcess 3ac -Pipe 3a0 -Comment "NGen Worker Process"
2⤵
PID:2092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 3ac -NGENProcess 300 -Pipe 398 -Comment "NGen Worker Process"
2⤵
PID:1980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 330 -Pipe 31c -Comment "NGen Worker Process"
2⤵
PID:2336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 330 -NGENProcess 38c -Pipe 390 -Comment "NGen Worker Process"
2⤵
PID:1400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 3b8 -NGENProcess 300 -Pipe 3a8 -Comment "NGen Worker Process"
2⤵
PID:1540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 3b4 -Pipe 394 -Comment "NGen Worker Process"
2⤵
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3b4 -NGENProcess 330 -Pipe 38c -Comment "NGen Worker Process"
2⤵
PID:2308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3c4 -NGENProcess 300 -Pipe 39c -Comment "NGen Worker Process"
2⤵
PID:2172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 3c0 -Pipe 3b0 -Comment "NGen Worker Process"
2⤵
PID:2924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 330 -Pipe 3b8 -Comment "NGen Worker Process"
2⤵
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 300 -Pipe 3ac -Comment "NGen Worker Process"
2⤵
PID:2336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3c0 -Pipe 3bc -Comment "NGen Worker Process"
2⤵
PID:2500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 330 -Pipe 3b4 -Comment "NGen Worker Process"
2⤵
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 300 -Pipe 3c4 -Comment "NGen Worker Process"
2⤵
PID:2668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3c0 -Pipe 3c8 -Comment "NGen Worker Process"
2⤵
PID:1604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 330 -Pipe 3cc -Comment "NGen Worker Process"
2⤵
PID:1592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 300 -Pipe 3d0 -Comment "NGen Worker Process"
2⤵
PID:1988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3c0 -Pipe 3d4 -Comment "NGen Worker Process"
2⤵
PID:2584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 330 -Pipe 3d8 -Comment "NGen Worker Process"
2⤵
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 300 -Pipe 3dc -Comment "NGen Worker Process"
2⤵
PID:2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3c0 -Pipe 3e0 -Comment "NGen Worker Process"
2⤵
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 330 -Pipe 3e4 -Comment "NGen Worker Process"
2⤵
PID:2956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2156

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:984

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1884

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1032

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2312

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:768

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:992

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1376

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:320

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2908

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2736

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2540

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1716

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2464

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1792

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1676

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
2⤵
- Suspicious use of SetWindowsHookEx
PID:900

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
2⤵
- Modifies data under HKEY_USERS
PID:1824

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:700

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:584

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
706KB

MD5
b880a2edd1119882a7e42c65990a097a

SHA1
141a180ea582567eaa526139d5e7479db48ace37

SHA256
97f57aa7ff42dff1dd73d6e9633e69cd5f525bd9391f3854c5b06504485f35e9

SHA512
95cc3afb642211a671812bb18e5daa2c4c7c2b2508cca017295a3c981ae25272c254584a0c5e003a0a2f07786c08965034c66e0898297ddb5bb5b0617fc30380

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
03eabe9b4b4d5b6c71a41a34fe0fcbcf

SHA1
20f3e4342622d4ad118c368bdd14b81d428bcd00

SHA256
fd87acf13d9a022ea3fea7a279b8d7ce1a412635502aa53b88182e40258f2d80

SHA512
52e90ed6477a80ade3116663543c2eed310be00aa76e9abc8653d37755a7fb5f91ee09643b2e5d5eb5d7d2f8b0feb60c7aa298320eb9ece7f707d1f23a300e8b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
6bc59b010e42ebe57aabe49e77a7110d

SHA1
3a6ab390196a9f5cf5c6804bdb6e86d502c6ee4d

SHA256
b309ddd637306429e51caf199a9a1b02e9f461cd460c9dee2e0271873c009278

SHA512
fb29b5b5acfdf8c784380db65e73506a078f3d30cebed5b7468e21eae9d5239412d752c555e484de73701247de00c2727867df958fbc912b9ccf1cae4858721e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
13a18048c301cccb513dab2ccc464f8a

SHA1
30e0f8bfb9d13a33325112c548a933231f65821b

SHA256
8901bd5e421968d8f6a48ad9f79a4732f15da70722fe706e6feff6eefd18a4a9

SHA512
247fd14af3723283911c8ba8f2a48bc0213ffd126bde7a3052f3d630bbe9d469902623ca2ae1b03738dd13df96fb4de5982bf8aadb826e6dfbcfc4a5f9243b3e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
719c773d250d81e8457c9bd94aae5e90

SHA1
356e2235322b9e7cf46a3529d205b8fb41d713de

SHA256
8b39cdeb1286184bb71e6546bbca455442d2ad8f2727efb2bdcb9d3eecacbbd2

SHA512
ad2fc37d5380ae3e9685c454504f9709b8ca1fb453a4584dbe51e6f4950cf0df1540b238f8417d26d51b15ddfc33049f41afe09f91c154a4c56ba6a6633364bb

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.000
Filesize
240B

MD5
7ca2da6f1e7bca562d7d9376700a912f

SHA1
67feaa004013eee76282e3b3fc196279f2577dcb

SHA256
04fd7654331261ff9ec331c31b238ba7770f082abfb817d7881813ec02084a4e

SHA512
4f2f67dee86af03dae15145649f5eb65cd158686381d26005b91aab89f017b692289050f0b1def00f8c2e724aedba4025db0baa6b55f76d402ded8006c48b38d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
aa169d5932a07c50d2ae8675ba93f2a7

SHA1
43872346c583bf99463ee6601bf272c82fd6d597

SHA256
2efb238e71256466cb8c8abc45a0dc851d41fec2acd9b6297623b9ec36f5d66c

SHA512
b954be2de1ee75ee9df9b9a35cfd561ebebdc94d13abd47f69d46ce1e4a9fbf3d26905589bf75c0be8df593bbeb6d3f5fbbffe4229a87641a4b2fd5abe2a527a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
678KB

MD5
43fdda11db266d072cb85bfd396272a7

SHA1
c48c99ae589d0d18b18c95ec75f3ab1a26d6b5dc

SHA256
d6ec6c950ba1676426f4e3b67685c006ff500502660d143f4ada0d3baa6bb5e1

SHA512
68f4c5cfd0f83d7f391c6cae0d66a3268bf2d2ed55ba8a4b2311a038a3f2376ce738619346dad1ba7372ec80b00d1e7e66cd4805c0cf10cacfa0cb07d3e2e5b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
625KB

MD5
cb1236e18359fad94ec4a3870d4e5e04

SHA1
567ed971c5fdc77e6bc6523bbd40649719f83b29

SHA256
78e52daa07fad2312a3b60ac8fc5909b19e77d33ba27d4cb30a892498087a4ba

SHA512
cd3a61bf3329777e31bbd2d04bceb7ab555556532ab3cf163f9e230ff13af7faad629d1e98d28623ed3627ffc7f17fec8e63a521e9d591733de9856efa004bff

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
ba37c9ab7dfce2d39732b07a198d8f4d

SHA1
663f7a47ee4ebe8390c193fbd56da6aedd6fcf73

SHA256
fdd19774f5429520044cffb759837925aa2d50169b0e2ba52f34b69417d7b833

SHA512
d3c51a8f4c2bfcb7c06a7fb5e92f3c7e05b54694c88c33fbd90dd765c19538e61b61fce59b9c35efae184922bb496e86392f3799e7e0670467741cd329da7cf7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
656KB

MD5
3e8e34e623a3232cc1aeeb47be92a664

SHA1
ea48df0fdde4bf2d7afe82b552e1c59510a8d15d

SHA256
a48c6ffa89c11d885c110f1bb72a61126570e0d84aa0a294e6aeb9d5fbdc1977

SHA512
78487265bde39883852a8cabae4f3944a4d2169ee3efe45f4538cc48fae93f18c0d78096d2cdf191efd34478e4dfa40ff33dd43ecb19bd2b309dc1d48c4050bf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
49adca4d158987ee346e200a46dc4b03

SHA1
0ba1203380f69cbe6b58595156227321145e33b0

SHA256
6aa1066583a8395cad8b6c148b80e6aa9fe82e043cfe5b8a766cf5b1b1366dfb

SHA512
9f3dcdc45718fe2d8a1f9b3f1ce2463581b00fb6ee8b65223c55eb7bd2dadc609cc96cd67ad91203ac6c6d54bc44b4c650b932e24d21eb38d6c48ecdfc0491e9

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
587KB

MD5
30c84f3442a6d522d805b3a2e86cd2a0

SHA1
2182e674a632a5a2e68706abee149f5ae2c42839

SHA256
9382916d95d47edd28da107877d1bb31204720d6b88e65194cf2087a2be59ca3

SHA512
700233a93afaef271bf1a464fb8707b3cae52d56d98a9ea88ed2b830ffc62b6d6373dc5cec7bf1fe4d9a86be4cc7290dba4ac1dd744563cdc8a833a106054b3d

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.1MB

MD5
04f087e326fa86fb72f92b3eb37a0f87

SHA1
a965cd7090e65983eb742f9961f01f028aedaae4

SHA256
cc4c992062507ec420ed8f0fa8b27721aebe4cdbada89f08cad1e8982014b821

SHA512
531110320add80c6629cbcd7302a33e156a704d80394ad5c7e5ea8bd9a094ba4a41b190afc712bd63b5f1d871a212a7c61b6171ccd0ba48f0eb5a32ba27b113d

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.1MB

MD5
74f6dfc30d4fd2740e5762bb7fd4557e

SHA1
4ad8871258a525c4b74ce8f3f45ae5a55fbbd353

SHA256
8fa31f2d65443832aa191fa9382e8e24cfdf81a4a42a3afedc7df68e6a14307b

SHA512
024f8cfef14f7b8aa1a233515ab69d46858ac53eaef645c6a65346e24c60d0c65a9c1327c98fb0f0ed19bb62b04e0d672178de6884ac94d0de601a48915a2278

Download Submit
C:\Windows\System32\alg.exe
Filesize
644KB

MD5
652fb5a550671e27fbc26f41e7a3407b

SHA1
a5d244ffe5b392838ce0eed7338571f77fbed1d0

SHA256
64b33a5a7554c49969770db4c5351d65d45397f0ac5c4cba2272f2e2fa6bef3a

SHA512
a3955619d2e39a3ece6c5f61b2a69787ea60e973af7fd1961f00a579478bdbf583bfeca0911ad6bb9a90c2b04b498618c01e4bfeee3e0d02437f2066ad1e3818

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
581KB

MD5
123f8ab25fb53aeda439bbc67940dc59

SHA1
8fe733961667d5094da3067553f8d0819eef0021

SHA256
ddd98ae226e92a554ce38b10015a1c0639451ab482d93866a4a49daf840d5fd0

SHA512
6c2c5d473e11796ab0601d1ebf8241576cf66233c6dcad59f55d2c5f8bfd5d3a235d2d368669026c3634d7083b592146f4bbd070fbe33922a4ae5639e685b4e7

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.1MB

MD5
a7569ca84c87918ac94262fe53d34128

SHA1
81f626d9736e1a3eec14c448d402615c8755b670

SHA256
9328eeeeb53ab87b86104803e15d8d5c04ed4e6e561a79a3cfd8c3e86879744c

SHA512
5ef3de9835d81ecefe9ba1c40875a706c38dfb1fe02a752a1429b0931cc6a115e1817d0916aec03015897fafc8da92cdc0b0d0c475ee527ec277737a3f814c21

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
765KB

MD5
6c972230aceea962f5420e58bad44152

SHA1
c14d26efdcbb316da042eae5b0bd67387f60e2d0

SHA256
9fb20edb09aae4292668d04b9de537a5ff9f1d944b3912470d88d225fe3ca29f

SHA512
531dfcb31370118801a54e83a70fa6bf3e6491a3ae729372d95db5b1bbb07b78613b4809d4185a023b5531718501d094449bf617512efbc6498d5e8fdb2430d9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll
Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\22c79dea0b2199e8f5d3b00d9c136ebd\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
187KB

MD5
d7eab6d29e5897583bed8884b5f2daf1

SHA1
3338c8f0be1d38232a60d0c54b32335c433150b9

SHA256
2b961b265981dabbaea055e9a16f01abe946a9662379843266db74beff9b4945

SHA512
9fc8cad774c0c3ad75f81a007ae16f119ba4fd88ebbadd3bee6b464b9aad7dcade3309a8d4822f0f682af173af71809dd6b91494f0f0fd120fd808c3de1ecc6c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5f17bf22d2e9a704dfc5bee5f423828f\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
180KB

MD5
a63fd11e7f19bb12f311dfef0c5f0e11

SHA1
2c56b065250d849e5e01e500776d6e0baa5ffeb1

SHA256
e125a52527092e74a65743af21ea91028133a5bc1ab2bb194e71cc67826a89c4

SHA512
19b0cd5b0dfad44946e985cdcc71336788b9bafa9809e59186f4de87140f23911389f9191d54be8f220d0db037a464b05a2de63cf774d8568fcc1e6f7539f896

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\96d01433c71fb96b425778870fe972a3\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
83KB

MD5
9096559d323ee1c0f463b5e7080734fd

SHA1
526b70f5de2a65687269ba128bab4163e745febd

SHA256
36e7ae2818c18449072e96bd76f6ef36f2e8ea40d546bbd8e4d5562fa30ee49f

SHA512
a6656325e3f4408e32cff478490952bf52ec15fcbed0f883e9637b85b4c89d0acf89eea5dfe564a0dffe0459d56faa2217473366537cacf2a91dd7c631647238

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f6aafb58fdc1d6a31147aa777abe98b6\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
143KB

MD5
7db71ac552ab06db76705fde07a4be34

SHA1
774b57e082a1d379a4953d4453c05e69ec1159a1

SHA256
def56d7efdfb0c9abacef103c09789c118dfd6dbb580486c2e807c760938a81e

SHA512
0b7fadf2aef201aa2df1cd3eb9c68dd71af52de55a13d1b10593eb5a6238ae5be42d556be9a59c2e178f36f713d83bc13143b0f86e5ccdca1fe1f1a79a08d452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
2.0MB

MD5
76253c5344bee5ef4f68556b72641e34

SHA1
dbd02313401ed222d97e60340031269b1bc4c759

SHA256
4cd9783d46d21c447977dadd2f0cfd13b04988300fcc54800d97359d7a61f64a

SHA512
b2a841c00438540a634163427abf38329a23c2c7602f4f0272d4a4585c12d943baf6a7c42ae4b757dd321c393af78865c742109630a79193db87a28bf0bfab89

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
648KB

MD5
73f004edea1adfbfa19aec742efbd694

SHA1
19d939ece83142063be6ceaa4bf3ff7de422a440

SHA256
2619c3bcf8d444727b39df6fb0ace1f4ad07eb914552da22b988ddffe500cb20

SHA512
01750580e99437c862d7f3243d6ed2f6475e85fc2e01ed7675120d35aa01972d56cf736f86a1caec551464b93e293072d125a7f5b43a9867f9d00f5f80577bf6

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
603KB

MD5
201b565e36348cd75b43ec30532bd06c

SHA1
d751694c01eda1e34b2b81558b498392b35cfe4f

SHA256
4086096d9ebfd70998b160f3c79b70573b7229bbcb25b9b0057be4a5a498d0d5

SHA512
82a5176d76fbcc2306d0a22f68f3128abe9d40202ef3315ba890321f472a296000735ad1ae8565e319811820a532360765df6920f8af0e6a08ab1aacd1b14d99

Download Submit
\Windows\System32\Locator.exe
Filesize
577KB

MD5
ecfe36bdbdd3c1da02fc701ac70e166a

SHA1
99b8f4460aedb9afd8777d3b48eca62e6d26889f

SHA256
531703c179c6403af5a7bb1b0147282f6f54c76f9da7edb76c231c3f276db9c9

SHA512
a78d1923a7ff69bba097f08c6cc6c2920a45c8fa4b6512a2e386760868cc701df365217d02a0b6f6eb3fc96a421c5454c08fe3e0a54444fa938d531dea041fc3

Download Submit
\Windows\System32\ieetwcollector.exe
Filesize
674KB

MD5
68916e31b70a63b1ba3d32e02355c409

SHA1
f5fca0fb084ce724bbea7f310d50aef1656ab4cb

SHA256
196d9a41daca9132cbfa546ce4041dd1fcd02129dbcdbb5a74f36f2027233a2a

SHA512
6ebedbe8283dc6df2c7590b101d56eaadb4f447886b2c18e2ff086e6a7aaf547a3ab889deb1da58bd9fa959ba7ab0a6491a6ad767afd840d03052a0ca52b6e58

Download Submit
\Windows\System32\msdtc.exe
Filesize
705KB

MD5
37b7e98b1f6d12c4ce92f41b2a35477a

SHA1
220ba5ed82173138a394059632e529f117d5fdb4

SHA256
e5c7ed5e8e96f35d356ddf3d7c3e5362b32f81a0d4365906149a54e42a7c2a99

SHA512
e81c2c5be73da54e3cf06f5a06d4222694440a4a7138507f014d6a3bc058fdd6dc1d6bf9957b140cb84659d0e4235cb95a96b1104f745f5c9dd60435902f9914

Download Submit
\Windows\System32\msiexec.exe
Filesize
691KB

MD5
b9bcf04563e490ed6aa3efd7e799e5f9

SHA1
3a7069eb7fde7e15972c681251c2a99f65cc540a

SHA256
f3701d5848193eff73ae62ca9dc6a4ad9555704f679fdfb9e75408378afc527f

SHA512
06fedefd6148791ab3ecdff7b1bdb6f923d8ce67970c8a243bcaeba7cfc256f8d61a85c82fbcf66583268ca4b6236456f15634a8ffc47d521300e133b1915299

Download Submit
\Windows\System32\wbengine.exe
Filesize
2.0MB

MD5
a972318d6607a70ed1cb91ed13e83a4f

SHA1
b51b634c6a639b37bfbfb8578d1a761ac00b4302

SHA256
d371e452a5ed2984cb06c47663ca3229388aa4b0f0bc46d5b426a0728b48dcfc

SHA512
73c9b26f7650e84b7b4a4c9cd9a4fd1bc321abf41b1e97fad8c5eb83002d111b596ab434f1c811ba9995a6493cbee010dd73b7a14698c36e7bd5f7de3ff0afdb

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
930f9a8ea5327d7982e7e233eb3f956d

SHA1
b32ba67062c9827da01462d1c5b4dd098c1d6ccb

SHA256
4531f8a225f72e6ad14419d355ac5f9b0353f81b43bf636c64303dae0f8817b0

SHA512
6a695aa1e5ce2b4215d4363741d4bbbe2a787c2cb387f6b567cda00713f495722fd9fd233fc49da956049569bf16a7f476f7df17bac04f4e3184a22667f176cb

Download Submit
\Windows\ehome\ehsched.exe
Filesize
691KB

MD5
89958c50b0a83950e832df19ca76ef87

SHA1
bb7d8dcc1fed63644d2c1b85c3254422393a7c90

SHA256
b3fcbe25ca2bb0e2d9362d9170dcacd98f1c16ccf5c79885af86a8b5896b89bf

SHA512
0c6ac099542f28e2cd984f6470f5cafba44c8e539e489a10d03cd11a986ea059ed36c402ae5d0ba1927ffdbd4ecc1f2cc80fdc32aa29097c8118ec38ba62e290

Download Submit
memory/268-639-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/268-648-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/320-185-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/320-180-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/368-767-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/368-777-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/564-570-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/564-530-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/580-54-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/580-104-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/580-61-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/580-55-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/592-742-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/592-739-0x0000000003D20000-0x0000000003DDA000-memory.dmp

Filesize
744KB

Download
memory/592-844-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/592-833-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/768-262-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/768-147-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/900-815-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/900-834-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/900-514-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/900-535-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/920-686-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/992-274-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/992-157-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1032-244-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1032-132-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1244-615-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1244-629-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1320-317-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1320-613-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1376-307-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1376-169-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1384-73-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1384-74-0x0000000000370000-0x00000000003D6000-memory.dmp

Filesize
408KB

Download
memory/1384-79-0x0000000000370000-0x00000000003D6000-memory.dmp

Filesize
408KB

Download
memory/1384-204-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1468-859-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1580-363-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1580-386-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1600-700-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1600-817-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1600-720-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1652-734-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1676-618-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/1676-338-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/1716-388-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1716-245-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1792-308-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1824-704-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1824-682-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1884-238-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1884-111-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1884-112-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1964-329-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1964-213-0x0000000000440000-0x00000000004F2000-memory.dmp

Filesize
712KB

Download
memory/1964-202-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2112-855-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2112-845-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2156-870-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2156-882-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2204-802-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2228-619-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2228-642-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2284-310-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2284-566-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2288-601-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2288-614-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2320-600-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2320-311-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2452-47-0x00000000004E0000-0x0000000000546000-memory.dmp

Filesize
408KB

Download
memory/2452-99-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2452-40-0x00000000004E0000-0x0000000000546000-memory.dmp

Filesize
408KB

Download
memory/2452-39-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2460-263-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2460-366-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2464-276-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2480-517-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2480-383-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2488-218-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2488-94-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2488-95-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2488-88-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2492-358-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2492-638-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2540-382-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2540-240-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2600-138-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2600-29-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2600-28-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2600-35-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2708-23-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2708-110-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2708-14-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2708-15-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2736-362-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2736-224-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2756-771-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2888-699-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2888-389-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2908-188-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2908-316-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2956-567-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2956-602-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3000-72-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3000-0-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3000-1-0x0000000001BF0000-0x0000000001C50000-memory.dmp

Filesize
384KB

Download
memory/3000-7-0x0000000001BF0000-0x0000000001C50000-memory.dmp

Filesize
384KB

Download
memory/3000-9-0x0000000001BF0000-0x0000000001C50000-memory.dmp

Filesize
384KB

Download