52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27

Analysis

max time kernel
137s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
Size

1.8MB
MD5

f7c1aad19c85bf3ecf784f5d45feb6bc
SHA1

753c45407c6d0c4897ce36cf06ea142f8c943fba
SHA256

52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27
SHA512

885204f007c8320ae68f94a43cbd0ee5fc09568d6756ce8134dee1084f339a745554c9e8510ca43a9c8d866d4dc50c1b912545c6594e9bcaa3c5aaa6cecd0ed4
SSDEEP

49152:Sx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WASf+HEB0OTx8LLoZluFCmEJ:SvbjVkjjCAzJl2HEB0tv0li5C

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exedllhost.exemaintenanceservice.exemsdtc.exemsiexec.exeOSE.EXEmscorsvw.exeOSPPSVC.EXEperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
3032	alg.exe
2376	aspnet_state.exe
1928	mscorsvw.exe
2540	mscorsvw.exe
2340	mscorsvw.exe
804	mscorsvw.exe
2052	ehRecvr.exe
268	ehsched.exe
692	elevation_service.exe
2004	IEEtwCollector.exe
2640	dllhost.exe
2660	maintenanceservice.exe
1396	msdtc.exe
1348	msiexec.exe
1504	OSE.EXE
1068	mscorsvw.exe
1128	OSPPSVC.EXE
596	perfhost.exe
1964	locator.exe
1836	snmptrap.exe
2892	vds.exe
1736	vssvc.exe
1648	wbengine.exe
2184	WmiApSrv.exe
1792	wmpnetwk.exe
2372	SearchIndexer.exe
2912	mscorsvw.exe
2348	mscorsvw.exe
2516	mscorsvw.exe
2364	mscorsvw.exe
1064	mscorsvw.exe
2608	mscorsvw.exe
1900	mscorsvw.exe
2792	mscorsvw.exe
2496	mscorsvw.exe
2568	mscorsvw.exe
1156	mscorsvw.exe
2504	mscorsvw.exe
540	mscorsvw.exe
2960	mscorsvw.exe
896	mscorsvw.exe
2324	mscorsvw.exe
1688	mscorsvw.exe
2808	mscorsvw.exe
2268	mscorsvw.exe
2792	mscorsvw.exe
2516	mscorsvw.exe
2316	mscorsvw.exe
2324	mscorsvw.exe
2820	mscorsvw.exe
1552	mscorsvw.exe
696	mscorsvw.exe
2004	mscorsvw.exe
2100	mscorsvw.exe
2028	mscorsvw.exe
932	mscorsvw.exe
1784	mscorsvw.exe
1464	mscorsvw.exe
1816	mscorsvw.exe
2508	mscorsvw.exe
1484	mscorsvw.exe
2444	mscorsvw.exe
108	mscorsvw.exe

Loads dropped DLL 53 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
468
468
468
468
468
468
468
1348	msiexec.exe
468
468
468
468
468
756
2028	mscorsvw.exe
2028	mscorsvw.exe
1784	mscorsvw.exe
1784	mscorsvw.exe
1816	mscorsvw.exe
1816	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
108	mscorsvw.exe
108	mscorsvw.exe
1720	mscorsvw.exe
1720	mscorsvw.exe
292	mscorsvw.exe
292	mscorsvw.exe
2408	mscorsvw.exe
2408	mscorsvw.exe
832	mscorsvw.exe
832	mscorsvw.exe
584	mscorsvw.exe
584	mscorsvw.exe
2428	mscorsvw.exe
2428	mscorsvw.exe
1524	mscorsvw.exe
1524	mscorsvw.exe
368	mscorsvw.exe
368	mscorsvw.exe
896	mscorsvw.exe
896	mscorsvw.exe
2604	mscorsvw.exe
2604	mscorsvw.exe
612	mscorsvw.exe
612	mscorsvw.exe
2708	mscorsvw.exe
2708	mscorsvw.exe
1624	mscorsvw.exe
1624	mscorsvw.exe
2364	mscorsvw.exe
2364	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

Processes:

aspnet_state.exe52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exemsdtc.exeSearchProtocolHost.exemscorsvw.exe

description	ioc	process
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fce123f7ae4ef42b.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

Processes:

aspnet_state.exemscorsvw.exemaintenanceservice.exe52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9405.tmp\goopdateres_nl.dll	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9405.tmp\GoogleUpdateSetup.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9405.tmp\psuser.dll	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9405.tmp\goopdateres_iw.dll	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9405.tmp\goopdateres_ms.dll	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9405.tmp\goopdateres_zh-CN.dll	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9405.tmp\psmachine_64.dll	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9405.tmp\goopdateres_es-419.dll	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT9406.tmp	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeaspnet_state.exedllhost.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP61FE.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP64AC.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP73E8.tmp\ehiVidCtl.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7639.tmp\stdole.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5715.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP55AF.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{0866D4E6-BFF9-49C9-A6FF-A0049467CB75}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exewmpnetwk.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mblctr.exe,-1004 = "Opens the Windows Mobility Center so you can adjust display brightness, volume, power options, and other mobile PC settings."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10309 = "Solitaire is the classic, single-player card game. The aim is to collect all the cards in runs of alternating red and black suit colors, from ace through king."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000b009c44b7f99da01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32822 = "Everywhere"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007074304b7f99da01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-101 = "Event Viewer"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10055 = "FreeCell"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ehRec.exeaspnet_state.exe

pid process

2140 ehRec.exe
2376 aspnet_state.exe
2376 aspnet_state.exe
2376 aspnet_state.exe
2376 aspnet_state.exe
2376 aspnet_state.exe

pid	process
2140	ehRec.exe
2376	aspnet_state.exe
2376	aspnet_state.exe
2376	aspnet_state.exe
2376	aspnet_state.exe
2376	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exemscorsvw.exemscorsvw.exeEhTray.exeaspnet_state.exeehRec.exemsiexec.exevssvc.exewbengine.exeSearchIndexer.exewmpnetwk.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2888	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
Token: SeShutdownPrivilege	2340	mscorsvw.exe
Token: SeShutdownPrivilege	804	mscorsvw.exe
Token: 33	1552	EhTray.exe
Token: SeIncBasePriorityPrivilege	1552	EhTray.exe
Token: SeShutdownPrivilege	2340	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2376	aspnet_state.exe
Token: SeShutdownPrivilege	804	mscorsvw.exe
Token: SeDebugPrivilege	2140	ehRec.exe
Token: SeShutdownPrivilege	2340	mscorsvw.exe
Token: SeShutdownPrivilege	2340	mscorsvw.exe
Token: SeShutdownPrivilege	804	mscorsvw.exe
Token: SeShutdownPrivilege	804	mscorsvw.exe
Token: SeRestorePrivilege	1348	msiexec.exe
Token: SeTakeOwnershipPrivilege	1348	msiexec.exe
Token: SeSecurityPrivilege	1348	msiexec.exe
Token: 33	1552	EhTray.exe
Token: SeIncBasePriorityPrivilege	1552	EhTray.exe
Token: SeBackupPrivilege	1736	vssvc.exe
Token: SeRestorePrivilege	1736	vssvc.exe
Token: SeAuditPrivilege	1736	vssvc.exe
Token: SeBackupPrivilege	1648	wbengine.exe
Token: SeRestorePrivilege	1648	wbengine.exe
Token: SeSecurityPrivilege	1648	wbengine.exe
Token: SeManageVolumePrivilege	2372	SearchIndexer.exe
Token: 33	1792	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1792	wmpnetwk.exe
Token: 33	2372	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2372	SearchIndexer.exe
Token: SeShutdownPrivilege	2340	mscorsvw.exe
Token: SeShutdownPrivilege	804	mscorsvw.exe
Token: SeDebugPrivilege	2376	aspnet_state.exe
Token: SeShutdownPrivilege	2340	mscorsvw.exe
Token: SeShutdownPrivilege	804	mscorsvw.exe
Token: SeDebugPrivilege	2340	mscorsvw.exe
Token: SeShutdownPrivilege	2340	mscorsvw.exe
Token: SeShutdownPrivilege	2340	mscorsvw.exe
Token: SeShutdownPrivilege	2340	mscorsvw.exe
Token: SeShutdownPrivilege	2340	mscorsvw.exe
Token: SeShutdownPrivilege	804	mscorsvw.exe
Token: SeShutdownPrivilege	804	mscorsvw.exe
Token: SeShutdownPrivilege	804	mscorsvw.exe
Token: SeShutdownPrivilege	2340	mscorsvw.exe
Token: SeShutdownPrivilege	804	mscorsvw.exe
Token: SeShutdownPrivilege	2340	mscorsvw.exe
Token: SeShutdownPrivilege	804	mscorsvw.exe
Token: SeShutdownPrivilege	2340	mscorsvw.exe
Token: SeShutdownPrivilege	804	mscorsvw.exe
Token: SeShutdownPrivilege	2340	mscorsvw.exe
Token: SeShutdownPrivilege	804	mscorsvw.exe
Token: SeShutdownPrivilege	2340	mscorsvw.exe
Token: SeShutdownPrivilege	804	mscorsvw.exe
Token: SeShutdownPrivilege	2340	mscorsvw.exe
Token: SeShutdownPrivilege	804	mscorsvw.exe
Token: SeShutdownPrivilege	2340	mscorsvw.exe
Token: SeShutdownPrivilege	804	mscorsvw.exe
Token: SeShutdownPrivilege	2340	mscorsvw.exe
Token: SeShutdownPrivilege	804	mscorsvw.exe
Token: SeShutdownPrivilege	2340	mscorsvw.exe
Token: SeShutdownPrivilege	804	mscorsvw.exe
Token: SeShutdownPrivilege	2340	mscorsvw.exe
Token: SeShutdownPrivilege	804	mscorsvw.exe
Token: SeShutdownPrivilege	2340	mscorsvw.exe
Token: SeShutdownPrivilege	804	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

1552 EhTray.exe
1552 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

1552 EhTray.exe
1552 EhTray.exe

pid	process
1552	EhTray.exe
1552	EhTray.exe

pid	process
1552	EhTray.exe
1552	EhTray.exe

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

SearchProtocolHost.exeSearchProtocolHost.exe

pid	process
1724	SearchProtocolHost.exe
1724	SearchProtocolHost.exe
1724	SearchProtocolHost.exe
1724	SearchProtocolHost.exe
1724	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
1724	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exeSearchIndexer.exe

description	pid	process	target process
PID 2340 wrote to memory of 1068	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 1068	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 1068	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 1068	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2912	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2912	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2912	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2912	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2348	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2348	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2348	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2348	2340	mscorsvw.exe	mscorsvw.exe
PID 2372 wrote to memory of 1724	2372	SearchIndexer.exe	SearchProtocolHost.exe
PID 2372 wrote to memory of 1724	2372	SearchIndexer.exe	SearchProtocolHost.exe
PID 2372 wrote to memory of 1724	2372	SearchIndexer.exe	SearchProtocolHost.exe
PID 2372 wrote to memory of 1968	2372	SearchIndexer.exe	SearchFilterHost.exe
PID 2372 wrote to memory of 1968	2372	SearchIndexer.exe	SearchFilterHost.exe
PID 2372 wrote to memory of 1968	2372	SearchIndexer.exe	SearchFilterHost.exe
PID 2340 wrote to memory of 2516	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2516	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2516	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2516	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2364	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2364	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2364	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2364	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 1064	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 1064	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 1064	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 1064	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2608	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2608	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2608	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2608	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 1900	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 1900	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 1900	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 1900	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2792	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2792	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2792	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2792	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2496	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2496	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2496	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2496	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2568	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2568	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2568	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2568	2340	mscorsvw.exe	mscorsvw.exe
PID 2372 wrote to memory of 2948	2372	SearchIndexer.exe	SearchProtocolHost.exe
PID 2372 wrote to memory of 2948	2372	SearchIndexer.exe	SearchProtocolHost.exe
PID 2372 wrote to memory of 2948	2372	SearchIndexer.exe	SearchProtocolHost.exe
PID 2340 wrote to memory of 1156	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 1156	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 1156	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 1156	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2504	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2504	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2504	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 2504	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 540	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 540	2340	mscorsvw.exe	mscorsvw.exe
PID 2340 wrote to memory of 540	2340	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
"C:\Users\Admin\AppData\Local\Temp\52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3032

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1928

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 25c -NGENProcess 264 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 24c -NGENProcess 1e0 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 268 -NGENProcess 1dc -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 268 -NGENProcess 24c -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 250 -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 278 -NGENProcess 24c -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 25c -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 288 -NGENProcess 1e0 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 290 -NGENProcess 268 -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 274 -Pipe 1f8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 250 -NGENProcess 288 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 25c -NGENProcess 250 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 268 -NGENProcess 29c -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 290 -NGENProcess 294 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 278 -NGENProcess 268 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 278 -NGENProcess 290 -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 278 -NGENProcess 298 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2a8 -NGENProcess 2b0 -Pipe 29c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a8 -NGENProcess 270 -Pipe 298 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b8 -NGENProcess 2b0 -Pipe 294 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2bc -NGENProcess 2b4 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 260 -NGENProcess 224 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2cc -NGENProcess 25c -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d4 -NGENProcess 2b0 -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 1cc -NGENProcess 270 -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 2cc -NGENProcess 2dc -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 1cc -NGENProcess 2dc -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 2e4 -NGENProcess 2c0 -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2c0 -NGENProcess 2cc -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2ec -NGENProcess 2dc -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2dc -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2f4 -NGENProcess 2cc -Pipe 1cc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2cc -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2e4 -NGENProcess 2f4 -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f4 -NGENProcess 2cc -Pipe 308 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2cc -NGENProcess 2b0 -Pipe 304 -Comment "NGen Worker Process"
2⤵
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 30c -NGENProcess 2fc -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 2dc -Comment "NGen Worker Process"
2⤵
PID:2516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 314 -NGENProcess 2b0 -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2fc -NGENProcess 310 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
PID:1256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 310 -NGENProcess 30c -Pipe 320 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 30c -NGENProcess 31c -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
PID:1456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 324 -NGENProcess 314 -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 314 -NGENProcess 310 -Pipe 2cc -Comment "NGen Worker Process"
2⤵
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 314 -NGENProcess 324 -Pipe 328 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 324 -NGENProcess 30c -Pipe 310 -Comment "NGen Worker Process"
2⤵
PID:1848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 334 -NGENProcess 314 -Pipe 31c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 314 -NGENProcess 32c -Pipe 2fc -Comment "NGen Worker Process"
2⤵
PID:2208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 33c -NGENProcess 30c -Pipe 318 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 314 -NGENProcess 344 -Pipe 334 -Comment "NGen Worker Process"
2⤵
PID:1552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2b0 -NGENProcess 30c -Pipe 324 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 30c -NGENProcess 330 -Pipe 340 -Comment "NGen Worker Process"
2⤵
PID:308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 34c -NGENProcess 344 -Pipe 338 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 30c -NGENProcess 354 -Pipe 2b0 -Comment "NGen Worker Process"
2⤵
PID:2816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 350 -NGENProcess 344 -Pipe 314 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 344 -NGENProcess 34c -Pipe 33c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:3012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 34c -NGENProcess 30c -Pipe 360 -Comment "NGen Worker Process"
2⤵
PID:292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 348 -NGENProcess 35c -Pipe 300 -Comment "NGen Worker Process"
2⤵
PID:936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 364 -NGENProcess 350 -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:2500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 30c -Pipe 354 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 30c -NGENProcess 348 -Pipe 35c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 348 -NGENProcess 32c -Pipe 350 -Comment "NGen Worker Process"
2⤵
PID:2972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 374 -NGENProcess 36c -Pipe 34c -Comment "NGen Worker Process"
2⤵
PID:1328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 370 -Pipe 364 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 32c -Pipe 368 -Comment "NGen Worker Process"
2⤵
PID:1692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 36c -Pipe 344 -Comment "NGen Worker Process"
2⤵
PID:2476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 370 -Pipe 30c -Comment "NGen Worker Process"
2⤵
PID:3048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 32c -Pipe 348 -Comment "NGen Worker Process"
2⤵
PID:2236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 36c -Pipe 374 -Comment "NGen Worker Process"
2⤵
PID:696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 370 -Pipe 378 -Comment "NGen Worker Process"
2⤵
PID:2348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 398 -NGENProcess 32c -Pipe 394 -Comment "NGen Worker Process"
2⤵
PID:584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 37c -NGENProcess 358 -Pipe 36c -Comment "NGen Worker Process"
2⤵
PID:2208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 3a0 -NGENProcess 384 -Pipe 39c -Comment "NGen Worker Process"
2⤵
PID:2764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 3a0 -NGENProcess 37c -Pipe 370 -Comment "NGen Worker Process"
2⤵
PID:2064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 32c -NGENProcess 384 -Pipe 388 -Comment "NGen Worker Process"
2⤵
PID:1220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 3a8 -NGENProcess 398 -Pipe 358 -Comment "NGen Worker Process"
2⤵
PID:2636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 380 -NGENProcess 3b0 -Pipe 32c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 3a4 -NGENProcess 398 -Pipe 38c -Comment "NGen Worker Process"
2⤵
PID:528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3ac -NGENProcess 3b8 -Pipe 380 -Comment "NGen Worker Process"
2⤵
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 390 -NGENProcess 398 -Pipe 3a0 -Comment "NGen Worker Process"
2⤵
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3b4 -NGENProcess 3c0 -Pipe 3ac -Comment "NGen Worker Process"
2⤵
PID:1236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 384 -NGENProcess 398 -Pipe 37c -Comment "NGen Worker Process"
2⤵
PID:3008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 384 -NGENProcess 3b4 -Pipe 390 -Comment "NGen Worker Process"
2⤵
PID:932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 3b0 -NGENProcess 398 -Pipe 3a8 -Comment "NGen Worker Process"
2⤵
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3c4 -NGENProcess 3d0 -Pipe 384 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3b8 -NGENProcess 398 -Pipe 3c8 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3cc -NGENProcess 3d8 -Pipe 3c4 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3cc -NGENProcess 3d4 -Pipe 398 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3d4 -NGENProcess 3cc -Pipe 3a4 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3e0 -NGENProcess 3b0 -Pipe 3d0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 3b4 -Pipe 3dc -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3cc -Pipe 3bc -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3e0 -Pipe 3d4 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3d8 -NGENProcess 3cc -Pipe 3c0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3f4 -NGENProcess 3e4 -Pipe 3b8 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3e0 -Pipe 3f0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 3d8 -NGENProcess 404 -Pipe 3f4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 404 -NGENProcess 3cc -Pipe 3e0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3e8 -NGENProcess 3b0 -Pipe 3b4 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3b0 -NGENProcess 3d8 -Pipe 3ec -Comment "NGen Worker Process"
2⤵
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 410 -NGENProcess 3cc -Pipe 3fc -Comment "NGen Worker Process"
2⤵
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 3cc -NGENProcess 3e8 -Pipe 40c -Comment "NGen Worker Process"
2⤵
PID:368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 418 -NGENProcess 3d8 -Pipe 404 -Comment "NGen Worker Process"
2⤵
PID:2084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 41c -NGENProcess 414 -Pipe 3e4 -Comment "NGen Worker Process"
2⤵
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 414 -NGENProcess 3cc -Pipe 3e8 -Comment "NGen Worker Process"
2⤵
PID:1180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 424 -NGENProcess 3d8 -Pipe 408 -Comment "NGen Worker Process"
2⤵
PID:2844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 41c -NGENProcess 42c -Pipe 414 -Comment "NGen Worker Process"
2⤵
PID:2236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 410 -NGENProcess 3d8 -Pipe 418 -Comment "NGen Worker Process"
2⤵
PID:932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 434 -NGENProcess 420 -Pipe 430 -Comment "NGen Worker Process"
2⤵
PID:1432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 3f8 -NGENProcess 3d8 -Pipe 3b0 -Comment "NGen Worker Process"
2⤵
PID:1400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 3f8 -NGENProcess 434 -Pipe 41c -Comment "NGen Worker Process"
2⤵
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3cc -NGENProcess 3d8 -Pipe 428 -Comment "NGen Worker Process"
2⤵
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 440 -NGENProcess 410 -Pipe 42c -Comment "NGen Worker Process"
2⤵
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 410 -NGENProcess 438 -Pipe 448 -Comment "NGen Worker Process"
2⤵
PID:2688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 44c -NGENProcess 444 -Pipe 43c -Comment "NGen Worker Process"
2⤵
PID:364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 424 -NGENProcess 3d8 -Pipe 3cc -Comment "NGen Worker Process"
2⤵
PID:2420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 450 -NGENProcess 3f8 -Pipe 420 -Comment "NGen Worker Process"
2⤵
PID:2708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 454 -NGENProcess 444 -Pipe 43c -Comment "NGen Worker Process"
2⤵
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 424 -NGENProcess 45c -Pipe 450 -Comment "NGen Worker Process"
2⤵
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 440 -NGENProcess 444 -Pipe 410 -Comment "NGen Worker Process"
2⤵
PID:1064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 460 -NGENProcess 454 -Pipe 438 -Comment "NGen Worker Process"
2⤵
PID:2300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 464 -NGENProcess 45c -Pipe 44c -Comment "NGen Worker Process"
2⤵
PID:588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 468 -NGENProcess 444 -Pipe 3d8 -Comment "NGen Worker Process"
2⤵
PID:2888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 46c -NGENProcess 454 -Pipe 458 -Comment "NGen Worker Process"
2⤵
PID:2252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 454 -NGENProcess 464 -Pipe 45c -Comment "NGen Worker Process"
2⤵
PID:1004

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2324

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2820

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:2052

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:268

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1552

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:692

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2004

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2640

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2660

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1396

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1504

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:1128

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:596

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1964

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1836

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2892

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2184

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1724

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
2⤵
PID:1968

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2948

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
706KB

MD5
07a6415ee614cb9da3de1ed9d165a201

SHA1
9e3db4002c924e70ced8d559e171e22bb116b72e

SHA256
53253c58235c0577ce8ffcdcc48d38817f11bdba38c0bbbdcd1982abf44df381

SHA512
4fc8ce6202d7b8fd11354896ead04a6155d2e992271b93906d6c307dc7ae287b5ae061ac613388556f92dfa94ea431ebf4fabed697fd2d6d415f9e5b7d671253

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
2b66131a8ef4f35ac21e2bb0cec2a794

SHA1
67a249a8baa19affcf5ff13e39a6a08770d4a79d

SHA256
659bd6943c5b1f33dfc484b6202e789009aa85f8b813c928408a8f629b83df39

SHA512
50f1de5c037a4f4ee462f05554927c61d13cc8d5b664d24f095c7a5fbd2183d7a99ab725ce7117b53797e26df8b4d298565644f6b9dc67b82080ddac461ba18f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
74d62a89c630c3b7d5a5b20cecd3c7de

SHA1
d716fb15afef7fa18c42dcd77a05762c4cdeabb2

SHA256
1b50af73acfb766a447dcbac5c830cd25a1e61b8af2cfe4bcde3939eed4659c3

SHA512
6984e3ae7b18798d095884c8ca3fc76cd6954934736ebee30566cab60312ba9d16887277eff53f54e9440876c6422b9eae47d51f8d0ba8866820ebf8539e40f4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
07694ce390e3e94443cc8d79ff6aaeb7

SHA1
b04580bfb86138a91dbb0322720dfa82b3b48aa0

SHA256
eeb2e238ce3ca43d1b15fd82afbce1803d5168e81b297a736087521710e1bba1

SHA512
13f24c45d47afc21a8506bef186ef9160bd0de43b2a375451bfc35132d9e8e4a88afa77a434ffbaadbc9a92dd43a2ef9c86f34195fb99197fc6d08465ea9b829

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
8902334b70252918f103eae9d49e4e06

SHA1
6bc60719fd1d6b62596e0fd68a3625ffb790e190

SHA256
590ca00af229d1d6b65413297977169b4a5e9c4b00cfe6c459cc76e9672b0d2c

SHA512
9819ba0fb916504c935607b5853467b9737e53b5c641dd235736a66b2e293f6c0fe4933d7422e3cace979df84f14ec555a706c54d87f24a8ef5a2a86501726f8

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.000
Filesize
240B

MD5
7ca2da6f1e7bca562d7d9376700a912f

SHA1
67feaa004013eee76282e3b3fc196279f2577dcb

SHA256
04fd7654331261ff9ec331c31b238ba7770f082abfb817d7881813ec02084a4e

SHA512
4f2f67dee86af03dae15145649f5eb65cd158686381d26005b91aab89f017b692289050f0b1def00f8c2e724aedba4025db0baa6b55f76d402ded8006c48b38d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
87b884ed17656f52ed4b44a0961b96bd

SHA1
ab940fa9d0a4e966b990cd5780b5e682d2e1a1e9

SHA256
ce0eb87b2c311e309ad43c104ec9ab0508e0363cdac5ec3b43e728fe3b52fc48

SHA512
dee5a10937df3e2dc0b79460687ae13268ece3e8ba068be2d60939abd40d4569e76634c09827b04e87bab6dbe58f3abe9f2c4ea0ad3e488c2f08fa812368c967

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
678KB

MD5
300ba94a1be0e6634f5a42f50fd1ad57

SHA1
68625c5398948accd96e2246ad5dd47b5b1ede7d

SHA256
d21475d330b7f6dbb3d22b2d4ead05a35f31f712a88b21d9d4c3a35d9a983c03

SHA512
9e1d0c5d65431e3061b9a89dd195536063fb2fcac69e115603a8f198fdc3cadf219e571419d1ca44cc4a4f38aa145505f380fdd39c025858204d6980f0bfe272

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
625KB

MD5
6e6e87bb3715015c9c0a577a56d197ac

SHA1
fa69e258df8a12191e15eee3e04caef997d05f97

SHA256
b9527db3082cd92f55e1ed0af2341cc83df13337a694b02d35afb079ad627f5f

SHA512
bdf4f6e005f247b3a62a5ecc1825971719afd526e31f23eb3541b6b93f97f03c02912dc4ebc97682240fb8ca13a665499beff5fa878412cc24735072373f4554

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
e1b49090369815e97c8ea2f7f22313ca

SHA1
6d33b8bd84d00d147a227f98928d61b1298794ab

SHA256
c3bb617f989b7e7a3120dbf4f3a68be14d52455ad01e36dda4242c574f15280d

SHA512
9f917f7bf0036995801dab0512559ccda0dae5a05bb515aef6b3103569b4b5cf51b4ae193ffea300583c0ba9144137ffc7375fe34151ab98e50f1591296fdeed

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
656KB

MD5
7b571efc668ffa6b569e2bdf63a905f0

SHA1
112c0b3cfaa774cb95a085085c302be1e5ebb68c

SHA256
d54c505b48f1661d1261a7fd05b24c441bbb821c2263cf4077cd225735d1e08a

SHA512
db75a8d4693014fabdd7954cbaee12f25fb026c0eda45a80b007440f41e63fd1a143557bd2abfbd76a22de5f8f3fa7bfed5e98c7294d1c14fe3dd379d5e2352f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
91725de4e0b4b5205ac3a86bced377d3

SHA1
d5e76bf03fc6981136aa2061e3668d3da5f4cf20

SHA256
d5c63873845e8e439c0edf2b25fb77833fbc034553c0053d064bdefaec376b14

SHA512
709df34f1df505dc9c2b8b9f0deac27d01bcd913cbf0e25be222e043148f665ec19d3afe0ffe0869b30a42ab2b76231e2e9fc2806260bd59f0ed6a9f68a6d1af

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
587KB

MD5
e903beaa92b35cf3d6a6bfff09b9b297

SHA1
4db1b1252fce978bf871d4866d7b7c674f5700f0

SHA256
71a65721c8e67487393a7100ef191bb98ba56ec76ecf6ecc16d4bb27c9c1ed9d

SHA512
da1d5580208668c60453252826d64f0ec2a038386b4fc79eea45e7519cf4c26fdb3e43c54e76522b49924514c70705dee9ad40469951fc70664e29d03cd43806

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.1MB

MD5
86927771a124c8e4ced22ee758cbc4e9

SHA1
66717a292c0b5ddefdff285c8bb21933b6bd3f1d

SHA256
af61e2950bf406a0347a2d81064d2c228315fcdf682441d8dff40ffc71a18ff6

SHA512
13e64979dbde6cd3e9d171ab6e6a031f782cc17c1ccd295cbf42feb4c55addb0ebe2254c5217d1ddfd95ecfc8011bd5c214ed421c249ed79dd123fdcf89bd364

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.1MB

MD5
8a30648eb605d18b05abf29471604374

SHA1
37714b5c6e2746fb91452d6d9299a269d19a3204

SHA256
2f869ab401aedbba695e836bf6db338d2dc1d222c043166eee5f708eb87f1033

SHA512
b15583e56b187f29a677c6816f29d37ca8d4c4b0c4275037f12df6f25bfb75f45545d23e6e4cee8e5b0e9975e3e4e39f88f307fe8bee61797abb12d18e658f46

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
581KB

MD5
d6bf0886ab7a1d5f5c9d34a1de702f64

SHA1
63529cac7f9b931a80ee1448735d64e61809f22b

SHA256
9e4d19357f4ba71801dd2a335fca5e7e167b82dfc94155850544a526f864c717

SHA512
144200da7f3006b4879b67fb65351b75ce5a5fc973ef46df976e8fd12cd1c807b35c99ffe5b8bd05f6a0af7fd546643f74d4f6857766ef2ac60574a9f632b063

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.1MB

MD5
7db51e4161a81584f133c5b7af7e2cb3

SHA1
e9f08d9b5a593d7fdc5c19be7f86525ad8ac691f

SHA256
9490f16a8454b1773bdd7ae80796eb011334a0d026b0a066cfb5d36e5309b02a

SHA512
33fc2671a72c3d670964f8f10e4fd6e02d4463177d441d036dfd486e964c78dfa0362418ad860ecbeba2a8a798e8dcec09a3d82cd1cf85bdbacb3f10166f99e6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
765KB

MD5
8f96ecb42be798edc7de62fa3a8793c9

SHA1
ac6f6cefcdb4c32b530545c91afc5891fe1a34cc

SHA256
882cfdea7b4d190905a42130f3878fc55dc98c20939f2c94805ac23cc1083893

SHA512
a91b5b82a10f28036d28cf17e4eb6848ba4814bfbfa83e79fdbe7bd7081f90546916635fa5b8edd5638d67cca29805e08682d82db0bfb3b4b060070d6a575a34

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll
Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4eb0c0bae45bc88981894ea26c5b2db0\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
83KB

MD5
e744be19867cc41a6fe9c035f0be2ebf

SHA1
e2f998e0c0cfd13739e6f3d5b36781eb2f2f2525

SHA256
b8604f6233902a62562129b045d93cb9c7d3a874aa39b65b27746e1cdde19794

SHA512
796053f5893cda60a572ed3d0bd98927f2c3d325063d9f4285b3ce2c4f5a9453b3502e22edbe599ef3e31174725347158520806b752c8e258083b18abc57df29

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\6431cc588d5bb94b56ec81a21b12cbdb\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
180KB

MD5
11b59d25c0bccba0f6a919496c5a8c9c

SHA1
585f680ae3fae99d7b695b00e8aa5f1f69cb7cc3

SHA256
3ef4eecbd4e8f7acdbe0a93a117bf07901b88badc158ffc03a35ac513a942975

SHA512
b31c54178c19d7e2b24ef6c9eff163890c6a2a699e645e8bdbc9de8a1dbfc0a6ec60888eef3289cd1878404775372899ff0d0b5549555488052429376cab6912

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll
Filesize
1.2MB

MD5
0637ad2bf6fc5ac1d29e547155bc818c

SHA1
a502879466b6dd37eae5881bbb18353f97623852

SHA256
868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f

SHA512
1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e944439522110a60c9b23b9356d8ba09\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
187KB

MD5
59798e714523a9ec8961393290eb9438

SHA1
249d31eb008ed329cf1b544f977508b2bccabfd1

SHA256
97ea083e132f9c8b37606191bd0a2fac68a5d24d64a3fa0f1a050c4c55651b24

SHA512
7dc156b7ad0830c60192465e3d124d93034a56842263ea537c2ca1cff436e7654a21d509d1fd4ef127bb9fc92e81271e2fcf6607325fa8c1ef4b834c422695a0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\system32\fxssvc.exe
Filesize
1.2MB

MD5
305f13501780b9c55a374f92183815a4

SHA1
385631888579d4eab9ecb46c1a0caf6dbb151de8

SHA256
77166f3fd581294fcec8841af4fa01014044328df5df6bd787923ae085b714bc

SHA512
d8b49ce564f512f8c62b87c29d18010ad2dfc316d319e33aadd8446cd60e5be3b30f43908b0f66ac52c9f208c31b52e50825ea762df45c84add7aeda6071bf20

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
2.0MB

MD5
e0dd553598a2861192902f840a67f052

SHA1
a4150654c88f1a53168f132b4a7aa30efd44ce1a

SHA256
d5117280774870f8587a8644d5e82138b05cd79055e59b197b89fd3b317ee4c4

SHA512
cf104ac16b2d1e036e099dedddc84af9364557b7a0f011c85e9f9c44c904091e2a2366a247105ab0e45a534b2d39d1b0cb35519fb0ef7a9e656d54d1269b2ebb

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
648KB

MD5
67e2d58be871d4b8f5dcaf8fa7babd81

SHA1
b449651bb7e1788c1e89b6b9f597a3088d1ec936

SHA256
06fe899deb4e0ec8d17c537cf44c5383cff6252ff7ac1a204ba088f3c3bc0eff

SHA512
b1a9f7b3db0a27f6b91c97ed57a848c486c333a6c3db17553a3255c6dd03dfc3c001052f1d9446c4dd9b72eee4af96860b6bffa68e6d6b135c892e30a752f855

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
603KB

MD5
3a4553e5e5cd7821a1c44fa5bc7871ea

SHA1
6dd6fe095f85da60a5ef187c5c1d5cd25615419c

SHA256
8f75ea6c8b9014526aab5a1de756e68fd4b0faf2a48c546bef409151d9f4787b

SHA512
7e9ec7dddd601fe335caef2aa1473b01c1912ad289461cbd4b34f706b0ed3a98d9872bc62b44dcc259f54e274f8104fa6bf238cf22c505e622f87ed8c0b1024b

Download Submit
\Windows\System32\Locator.exe
Filesize
577KB

MD5
09c053358e5bd5d3abf0e11b476885d8

SHA1
1a8dd1f17151d0504ab89a8f712805bbbcd5c259

SHA256
bdca6efd08ac229952b06227422754b5f6edef7d0818f533b77bb67622473bcb

SHA512
78186a1ade7251088c43c73a9aeb6d05b1ddf6c3031d0efde50cb48c80d0fa4d77c8d9fa926147a907af4f36a95b53ec99173c3bc373a3baab9c91d7fc419312

Download Submit
\Windows\System32\alg.exe
Filesize
644KB

MD5
166bec7dd98c9ffdd2153d801c9cd765

SHA1
bb72809b643c84cf48e081bb8137f4415b0ac2eb

SHA256
fdc83f20fdbdc2d33e33c4c751a1a81564123fe41c4ef10d39ab32559a3e2e49

SHA512
0c64d07884a13e877b6dceb0ca6b3d2f510750284f4037497e1e64fb0a6a02ad464a2cccdd58228e5505c8ea2ff957498f45d5c7c598f4e1739e1a9f74cab50b

Download Submit
\Windows\System32\dllhost.exe
Filesize
577KB

MD5
3c44b91bda7e98c791fbf2f5f94ee3a6

SHA1
956639b4958db129c885ded91469b68e12e38c91

SHA256
5838724ce9acd9a7b17dcff8dd6653bc54fb0ac09581644e98597aec6f7143cc

SHA512
2725f51c9e2f43566c11f8236a14dbba2cdbebf8bb0a21b9debc4a914a2b870604d2091bad3c075f0e764790cb107dee7b89b175899dab40878963fb5fa555a5

Download Submit
\Windows\System32\ieetwcollector.exe
Filesize
674KB

MD5
14834690082d5517c46f45037048bc52

SHA1
8dc166f67bc5fb5fe634d409c48e07c74497a551

SHA256
d83881499c4b5ba09d66da4d5301bdb11038595a332159eb07ab7053a844eb21

SHA512
dd585c782fa40d389084463f3d2244567eeb59b15d941b0d140d6481ef15756d8fe4bcab9fa97984d54ef9f23219a8a0057b086a09756fafd7cb0189e7eb2b9a

Download Submit
\Windows\System32\msdtc.exe
Filesize
705KB

MD5
1d6ecabdc963e177bde02311eb1cf38a

SHA1
949b192faf92d275bbd0d9859fae3d4d36d1f1f2

SHA256
9e28b79634ed2502d272b1010c2114b2af3ae49cc578c45f00462e6666953f04

SHA512
bbb7c7e7bbf54959abcf79a502cd969e756c6a736073e233dc87bd29fe444d77bbfa3b8f89dfeb47002d058330bc5fbc03b4f03549ecbe8243295556c529c9f3

Download Submit
\Windows\System32\msiexec.exe
Filesize
691KB

MD5
69e6d060dc30c4c6e5df0c982cf56dc3

SHA1
3936ad516d4c42c873a5ab78b67be516764fd9a6

SHA256
03b2d1ea307d56e7b8f3ce7782aa248885d73b741dacdb784abdd193a542c676

SHA512
d8aa5c61f685db9321b52c00a3ed29148f98f818b2e48d1222221f496ba27b65aed13b75ad7f08d20a1768a25a76f023da7656e96d72e8b27dd20ed690b1dd9d

Download Submit
\Windows\System32\wbengine.exe
Filesize
2.0MB

MD5
e15786bf29dea590abf58323efbbe829

SHA1
04a036026ee3e6f1a659f86ab9f221aae09903c7

SHA256
268dba4fd6bbbabee3ac56f24deaf126f68e2f9ad3c3524e84625d91f10aee9f

SHA512
229f1535f4a5bd9784daee7d6faa7a5ae4156eef2e1f983aee7ad6c01e0473bf97ecd06c347382ee5e00a5a4cc8ff7034d4f395afbad329dca35bd6293fce95b

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
e24bf77a2d078ba22f776090eb64d689

SHA1
8c6b02ec3b4a7f296af918dbab0341deec0689cf

SHA256
d02efa9ee9376d77ec9d5be8c7793e3dd4e46ee5b97592207599374fb1acaf88

SHA512
b73aa8913e62acc6aa7838f47848fd3054d09f7156d5365229578e07770f29367db96ab2f37f5a6cc538056a841f83f154d0e94b2f252ee2b2631c16a4831eed

Download Submit
\Windows\ehome\ehsched.exe
Filesize
691KB

MD5
7a26f0fc7d484f1114be84fe50b5d90a

SHA1
91f792efff7c77173c7669af4e862a0877579335

SHA256
df44823e8987d4c5b4745f192f7cedc2807c4e9100e857582a7e2ba9b5667b50

SHA512
6936d5bb162b333158033b2acee900e88ed405bc88946b2da264f4ff00cf38152ffc6d003e7d23be5e54fd53d7cafc9c6227aa4ca63bb13b54c3e3c8abefe5a8

Download Submit
memory/268-183-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/268-184-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/268-751-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/268-352-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/540-774-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/540-805-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/596-505-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/596-357-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/692-202-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/692-353-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/804-157-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/804-159-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/804-331-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/804-151-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/896-839-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1064-684-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1064-652-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1068-415-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1068-434-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1068-350-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1128-355-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1128-429-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1156-768-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1156-745-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1348-322-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1348-388-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1348-324-0x0000000000180000-0x0000000000232000-memory.dmp

Filesize
712KB

Download
memory/1348-392-0x0000000000180000-0x0000000000232000-memory.dmp

Filesize
712KB

Download
memory/1396-382-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1396-314-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1504-405-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1504-337-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1648-389-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1648-694-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1688-864-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1688-849-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1736-384-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1736-682-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1792-720-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1792-406-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1836-622-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1836-375-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1900-710-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1900-686-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1928-149-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1928-98-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/1928-103-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/1928-97-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1964-612-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1964-369-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2004-368-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2004-208-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2052-179-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2052-347-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2052-180-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2052-175-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/2052-170-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/2052-168-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2184-393-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2184-707-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2268-872-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2324-830-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2324-853-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2340-130-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2340-129-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2340-135-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2340-323-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2348-616-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2348-504-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2364-623-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2364-664-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2372-416-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2372-735-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2376-195-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2376-85-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2376-93-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2376-71-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2496-734-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2496-719-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2504-785-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2504-763-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2516-624-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2516-615-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2540-118-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2540-112-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2540-111-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2540-145-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2568-748-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2568-736-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2608-683-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2608-697-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2640-373-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2640-285-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2660-306-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2660-311-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2792-723-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2792-708-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2808-875-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2888-281-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2888-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2888-158-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2888-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2888-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2892-658-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2892-380-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2912-430-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2912-494-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2960-810-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2960-802-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2960-806-0x0000000003BE0000-0x0000000003C9A000-memory.dmp

Filesize
744KB

Download
memory/3032-182-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/3032-28-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download