31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
Size

648KB
MD5

39765ea8ef86b000ab2c029dd8a5c355
SHA1

da654157e43e7f39ca30559272d6588973383ed0
SHA256

31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674
SHA512

bab015272126e727063005982af8f41832a70a085a1c093a46b34d4d3d4dbdbafb9425d4d4acc642fa3135e4948337b9f2b3b3b04e441d75bac2333e6ae72227
SSDEEP

12288:qqz2DWUV+lCFcD1goThydrWUeB+QChZsrwbebPeVmfCUqVfZbdbHF:Dz2DWWUOoTqy8QCYrLLeYKUML

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exeGROOVE.EXEmaintenanceservice.exemsdtc.exemsiexec.exeOSE.EXEOSPPSVC.EXEperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
476
3052	alg.exe
2692	aspnet_state.exe
2672	mscorsvw.exe
2656	mscorsvw.exe
2784	mscorsvw.exe
2004	mscorsvw.exe
1452	ehRecvr.exe
2112	ehsched.exe
264	elevation_service.exe
1696	IEEtwCollector.exe
1152	GROOVE.EXE
2364	maintenanceservice.exe
2436	msdtc.exe
816	msiexec.exe
1084	OSE.EXE
2836	OSPPSVC.EXE
608	perfhost.exe
760	locator.exe
1648	snmptrap.exe
1652	vds.exe
272	vssvc.exe
1168	wbengine.exe
2192	dllhost.exe
2488	mscorsvw.exe
2780	mscorsvw.exe
2484	mscorsvw.exe
2416	mscorsvw.exe
2860	mscorsvw.exe
1764	mscorsvw.exe
2340	mscorsvw.exe
2196	mscorsvw.exe
2336	mscorsvw.exe
2212	mscorsvw.exe
1036	mscorsvw.exe
2780	mscorsvw.exe
1896	mscorsvw.exe
1860	mscorsvw.exe
2540	mscorsvw.exe
2372	mscorsvw.exe
904	mscorsvw.exe
1512	mscorsvw.exe
1616	mscorsvw.exe
2640	mscorsvw.exe
1620	mscorsvw.exe
448	mscorsvw.exe
2140	mscorsvw.exe
2336	mscorsvw.exe
1036	mscorsvw.exe
684	WmiApSrv.exe
2336	wmpnetwk.exe
2260	SearchIndexer.exe
1988	mscorsvw.exe
2780	mscorsvw.exe
1860	mscorsvw.exe
2824	mscorsvw.exe
1408	mscorsvw.exe
2820	mscorsvw.exe
2708	mscorsvw.exe
2976	mscorsvw.exe
2140	mscorsvw.exe
2032	mscorsvw.exe
1696	mscorsvw.exe
1380	mscorsvw.exe

Loads dropped DLL 57 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
476
476
476
476
476
476
476
816	msiexec.exe
476
476
476
476
476
476
752
1408	mscorsvw.exe
1408	mscorsvw.exe
2708	mscorsvw.exe
2708	mscorsvw.exe
2140	mscorsvw.exe
2140	mscorsvw.exe
1696	mscorsvw.exe
1696	mscorsvw.exe
3056	mscorsvw.exe
3056	mscorsvw.exe
568	mscorsvw.exe
568	mscorsvw.exe
3012	mscorsvw.exe
3012	mscorsvw.exe
1136	mscorsvw.exe
1136	mscorsvw.exe
1340	mscorsvw.exe
1340	mscorsvw.exe
3064	mscorsvw.exe
3064	mscorsvw.exe
1988	mscorsvw.exe
1988	mscorsvw.exe
2328	mscorsvw.exe
2328	mscorsvw.exe
2136	mscorsvw.exe
2136	mscorsvw.exe
2540	mscorsvw.exe
2540	mscorsvw.exe
1896	mscorsvw.exe
1896	mscorsvw.exe
284	mscorsvw.exe
284	mscorsvw.exe
284	mscorsvw.exe
284	mscorsvw.exe
2796	mscorsvw.exe
2796	mscorsvw.exe
2960	mscorsvw.exe
2960	mscorsvw.exe
820	mscorsvw.exe
820	mscorsvw.exe
2088	mscorsvw.exe
2088	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exemscorsvw.exemsdtc.exeaspnet_state.exealg.exeSearchProtocolHost.exeGROOVE.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\vds.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\System32\msdtc.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\system32\msiexec.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\system32\vssvc.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\system32\wbengine.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1487a39bc1bd2e0a.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exemscorsvw.exeaspnet_state.exe31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exemscorsvw.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemsdtc.exeaspnet_state.exe

description	ioc	process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP692F.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5EC19990-749A-41FE-AB93-939064D8497B}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA525.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6816.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6D73.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7511.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7427.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP70EC.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6E0F.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exemscorsvw.exeehRec.exemscorsvw.exemscorsvw.exemscorsvw.exeSearchFilterHost.exemscorsvw.exeSearchIndexer.exewmpnetwk.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\TipTsf.dll,-60 = "Enter text by using handwriting or a touch keyboard instead of a standard keyboard. You can use the writing pad or the character pad to convert your handwriting into typed text or the touch keyboard to enter characters."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10055 = "FreeCell"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505 = "Sticky Notes"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32820 = "Indexed Locations"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700 = "Print Management"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10303 = "Enjoy the classic strategy game of Chess. Play against the computer, or compete against a friend. The winner is the first to capture the opponent’s king."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20 = "Windows Firewall with Advanced Security"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\sud.dll,-10 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-101 = "Chrysanthemum"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\syswow64\unregmp2.exe,-155 = "Play digital media including music, videos, CDs, and DVDs."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591 = "Windows Easy Transfer Reports"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ehRec.exeaspnet_state.exe

pid process

1136 ehRec.exe
2692 aspnet_state.exe
2692 aspnet_state.exe
2692 aspnet_state.exe
2692 aspnet_state.exe
2692 aspnet_state.exe

pid	process
1136	ehRec.exe
2692	aspnet_state.exe
2692	aspnet_state.exe
2692	aspnet_state.exe
2692	aspnet_state.exe
2692	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exemsiexec.exevssvc.exewbengine.exealg.exeaspnet_state.exewmpnetwk.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2236	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
Token: SeShutdownPrivilege	2784	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: 33	1980	EhTray.exe
Token: SeIncBasePriorityPrivilege	1980	EhTray.exe
Token: SeDebugPrivilege	1136	ehRec.exe
Token: SeRestorePrivilege	816	msiexec.exe
Token: SeTakeOwnershipPrivilege	816	msiexec.exe
Token: SeSecurityPrivilege	816	msiexec.exe
Token: 33	1980	EhTray.exe
Token: SeIncBasePriorityPrivilege	1980	EhTray.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2784	mscorsvw.exe
Token: SeBackupPrivilege	272	vssvc.exe
Token: SeRestorePrivilege	272	vssvc.exe
Token: SeAuditPrivilege	272	vssvc.exe
Token: SeBackupPrivilege	1168	wbengine.exe
Token: SeRestorePrivilege	1168	wbengine.exe
Token: SeSecurityPrivilege	1168	wbengine.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2784	mscorsvw.exe
Token: SeShutdownPrivilege	2784	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2784	mscorsvw.exe
Token: SeDebugPrivilege	3052	alg.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2784	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2692	aspnet_state.exe
Token: SeDebugPrivilege	2692	aspnet_state.exe
Token: 33	2336	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2336	wmpnetwk.exe
Token: SeManageVolumePrivilege	2260	SearchIndexer.exe
Token: 33	2260	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2260	SearchIndexer.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2784	mscorsvw.exe
Token: SeShutdownPrivilege	2784	mscorsvw.exe
Token: SeShutdownPrivilege	2784	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2784	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2784	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2784	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2784	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2784	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2784	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2784	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2784	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe
Token: SeShutdownPrivilege	2784	mscorsvw.exe
Token: SeShutdownPrivilege	2004	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

1980 EhTray.exe
1980 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

1980 EhTray.exe
1980 EhTray.exe

pid	process
1980	EhTray.exe
1980	EhTray.exe

pid	process
1980	EhTray.exe
1980	EhTray.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

SearchProtocolHost.exe

pid	process
2460	SearchProtocolHost.exe
2460	SearchProtocolHost.exe
2460	SearchProtocolHost.exe
2460	SearchProtocolHost.exe
2460	SearchProtocolHost.exe
2460	SearchProtocolHost.exe
2460	SearchProtocolHost.exe
2460	SearchProtocolHost.exe
2460	SearchProtocolHost.exe
2460	SearchProtocolHost.exe
2460	SearchProtocolHost.exe
2460	SearchProtocolHost.exe
2460	SearchProtocolHost.exe
2460	SearchProtocolHost.exe
2460	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exe

description	pid	process	target process
PID 2004 wrote to memory of 2488	2004	mscorsvw.exe	mscorsvw.exe
PID 2004 wrote to memory of 2488	2004	mscorsvw.exe	mscorsvw.exe
PID 2004 wrote to memory of 2488	2004	mscorsvw.exe	mscorsvw.exe
PID 2004 wrote to memory of 2780	2004	mscorsvw.exe	mscorsvw.exe
PID 2004 wrote to memory of 2780	2004	mscorsvw.exe	mscorsvw.exe
PID 2004 wrote to memory of 2780	2004	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2484	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2484	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2484	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2484	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2416	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2416	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2416	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2416	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2860	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2860	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2860	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2860	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 1764	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 1764	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 1764	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 1764	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2340	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2340	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2340	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2340	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2196	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2196	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2196	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2196	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2336	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2336	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2336	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2336	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2212	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2212	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2212	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2212	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 1036	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 1036	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 1036	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 1036	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2780	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2780	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2780	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2780	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 1896	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 1896	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 1896	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 1896	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 1860	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 1860	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 1860	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 1860	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2540	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2540	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2540	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2540	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2372	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2372	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2372	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 2372	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 904	2784	mscorsvw.exe	mscorsvw.exe
PID 2784 wrote to memory of 904	2784	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
"C:\Users\Admin\AppData\Local\Temp\31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2672

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 1d4 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 23c -NGENProcess 244 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 25c -NGENProcess 1e0 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1d4 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 268 -NGENProcess 244 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 244 -NGENProcess 23c -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 274 -NGENProcess 26c -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1e0 -NGENProcess 1d4 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 244 -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 27c -NGENProcess 268 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 25c -NGENProcess 24c -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 284 -NGENProcess 278 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 27c -NGENProcess 28c -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 278 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 288 -NGENProcess 294 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 288 -NGENProcess 290 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 29c -NGENProcess 294 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 298 -NGENProcess 1e0 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 284 -NGENProcess 29c -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 24c -NGENProcess 2a0 -Pipe 294 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 2a8 -NGENProcess 1e0 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1036

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2488

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 238 -NGENProcess 240 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2780

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 218 -NGENProcess 200 -Pipe 1e0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1988

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 248 -NGENProcess 1b8 -Pipe 224 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2780

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 24c -NGENProcess 1c0 -Pipe 22c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1860

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 250 -NGENProcess 200 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2824

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 1b8 -Pipe 214 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1408

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 200 -NGENProcess 1b8 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2820

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 260 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2708

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 254 -NGENProcess 24c -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2976

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 26c -NGENProcess 23c -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2140

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 23c -NGENProcess 264 -Pipe 1b8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2032

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 274 -NGENProcess 24c -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1696

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 24c -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1380

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 27c -NGENProcess 264 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3056

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 264 -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"
2⤵
PID:2560

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 26c -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:568

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 26c -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
2⤵
PID:2780

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 28c -NGENProcess 274 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3012

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 274 -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"
2⤵
PID:1608

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 294 -NGENProcess 27c -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1136

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 274 -NGENProcess 290 -Pipe 218 -Comment "NGen Worker Process"
2⤵
PID:2704

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 204 -NGENProcess 298 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1340

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 294 -NGENProcess 2a4 -Pipe 274 -Comment "NGen Worker Process"
2⤵
PID:1076

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 1c0 -NGENProcess 298 -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3064

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 298 -NGENProcess 2a0 -Pipe 204 -Comment "NGen Worker Process"
2⤵
PID:2560

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2ac -NGENProcess 2a4 -Pipe 29c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1988

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2a4 -NGENProcess 1c0 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
PID:2704

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2b4 -NGENProcess 2a0 -Pipe 294 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2328

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2a0 -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
2⤵
PID:2976

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 284 -NGENProcess 298 -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2136

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 298 -NGENProcess 1c0 -Pipe 2b8 -Comment "NGen Worker Process"
2⤵
PID:1620

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2c4 -NGENProcess 2ac -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2540

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2ac -NGENProcess 284 -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
PID:1380

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2cc -NGENProcess 1c0 -Pipe 2bc -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1896

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 1c0 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
PID:1752

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 2d4 -NGENProcess 284 -Pipe 298 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:284

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2cc -NGENProcess 284 -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1380

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 2ac -Comment "NGen Worker Process"
2⤵
PID:2308

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2b4 -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
PID:2824

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 27c -NGENProcess 2e0 -Pipe 1c0 -Comment "NGen Worker Process"
2⤵
PID:3056

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2ec -NGENProcess 2cc -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
PID:1852

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 290 -NGENProcess 284 -Pipe 2b4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
PID:284

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 284 -NGENProcess 27c -Pipe 2dc -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2796

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 27c -NGENProcess 2d8 -Pipe 2cc -Comment "NGen Worker Process"
2⤵
PID:2660

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2f8 -NGENProcess 2f0 -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2960

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2d8 -NGENProcess 2f0 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
PID:1148

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 304 -NGENProcess 2d4 -Pipe 300 -Comment "NGen Worker Process"
2⤵
PID:940

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 284 -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
PID:1068

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
PID:2976

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2d4 -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
PID:2920

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 284 -Pipe 2fc -Comment "NGen Worker Process"
2⤵
PID:3012

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2f0 -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
PID:2620

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2d4 -Pipe 304 -Comment "NGen Worker Process"
2⤵
PID:1800

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 284 -Pipe 308 -Comment "NGen Worker Process"
2⤵
PID:1640

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2f0 -Pipe 30c -Comment "NGen Worker Process"
2⤵
PID:316

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2d4 -Pipe 310 -Comment "NGen Worker Process"
2⤵
PID:2112

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 284 -Pipe 314 -Comment "NGen Worker Process"
2⤵
PID:2236

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2f0 -Pipe 318 -Comment "NGen Worker Process"
2⤵
PID:1036

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 328 -NGENProcess 338 -Pipe 32c -Comment "NGen Worker Process"
2⤵
PID:1764

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 310 -NGENProcess 2f0 -Pipe 320 -Comment "NGen Worker Process"
2⤵
PID:1908

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 33c -NGENProcess 330 -Pipe 290 -Comment "NGen Worker Process"
2⤵
PID:1800

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 338 -Pipe 324 -Comment "NGen Worker Process"
2⤵
PID:1600

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2f0 -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
PID:1460

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 330 -Pipe 334 -Comment "NGen Worker Process"
2⤵
PID:1860

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 338 -Pipe 328 -Comment "NGen Worker Process"
2⤵
PID:2268

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 2f0 -Pipe 310 -Comment "NGen Worker Process"
2⤵
PID:1996

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 330 -Pipe 33c -Comment "NGen Worker Process"
2⤵
PID:3056

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 338 -Pipe 340 -Comment "NGen Worker Process"
2⤵
PID:1620

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 2f0 -Pipe 344 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:820

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 2f0 -NGENProcess 354 -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:2796

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 364 -NGENProcess 338 -Pipe 34c -Comment "NGen Worker Process"
2⤵
PID:1380

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 360 -Pipe 350 -Comment "NGen Worker Process"
2⤵
PID:2612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 368 -NGENProcess 364 -Pipe 354 -Comment "NGen Worker Process"
2⤵
PID:1348

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 358 -NGENProcess 360 -Pipe 348 -Comment "NGen Worker Process"
2⤵
PID:2088

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 374 -NGENProcess 2f0 -Pipe 284 -Comment "NGen Worker Process"
2⤵
PID:2812

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 364 -Pipe 370 -Comment "NGen Worker Process"
2⤵
PID:2820

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 360 -Pipe 35c -Comment "NGen Worker Process"
2⤵
PID:1352

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 2f0 -Pipe 36c -Comment "NGen Worker Process"
2⤵
PID:548

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 364 -Pipe 368 -Comment "NGen Worker Process"
2⤵
PID:2268

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 360 -Pipe 358 -Comment "NGen Worker Process"
2⤵
PID:2076

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 2f0 -Pipe 374 -Comment "NGen Worker Process"
2⤵
PID:1996

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 364 -Pipe 378 -Comment "NGen Worker Process"
2⤵
PID:2992

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 360 -Pipe 37c -Comment "NGen Worker Process"
2⤵
PID:1156

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 2f0 -Pipe 380 -Comment "NGen Worker Process"
2⤵
PID:2112

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 364 -Pipe 384 -Comment "NGen Worker Process"
2⤵
PID:1608

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 360 -Pipe 388 -Comment "NGen Worker Process"
2⤵
PID:1380

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 360 -NGENProcess 394 -Pipe 3a8 -Comment "NGen Worker Process"
2⤵
PID:2960

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 38c -NGENProcess 3a4 -Pipe 390 -Comment "NGen Worker Process"
2⤵
PID:1148

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 3ac -NGENProcess 39c -Pipe 338 -Comment "NGen Worker Process"
2⤵
PID:1136

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 394 -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
PID:1156

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 3a4 -Pipe 398 -Comment "NGen Worker Process"
2⤵
PID:2660

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 39c -Pipe 3a0 -Comment "NGen Worker Process"
2⤵
PID:1580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 394 -Pipe 360 -Comment "NGen Worker Process"
2⤵
PID:2016

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 3a4 -Pipe 38c -Comment "NGen Worker Process"
2⤵
PID:1500

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 39c -Pipe 3ac -Comment "NGen Worker Process"
2⤵
PID:1748

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 394 -Pipe 3b0 -Comment "NGen Worker Process"
2⤵
PID:1880

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3c0 -NGENProcess 3d0 -Pipe 3c4 -Comment "NGen Worker Process"
2⤵
PID:1136

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3b4 -NGENProcess 394 -Pipe 3b8 -Comment "NGen Worker Process"
2⤵
PID:2920

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3d4 -NGENProcess 3cc -Pipe 3b4 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1764

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 364 -NGENProcess 394 -Pipe 3bc -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2088

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3cc -NGENProcess 394 -Pipe 39c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:3036

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3e4 -NGENProcess 3c8 -Pipe 3e0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:3012

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:1452

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2112

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1980

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:264

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1696

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1152

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2364

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2436

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1084

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2836

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:608

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:760

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1648

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:272

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2192

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:684

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2460

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
2⤵
- Modifies data under HKEY_USERS
PID:1740

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
706KB

MD5
acf11e54438d4ffa921cc710d24c61e5

SHA1
7f8cabc28a9533f23d06c778ec1181f0ba06b293

SHA256
549d84dea2eb4e0b3c9265ea5399a7ba6e82057040603b2a6038eccb30c21c8e

SHA512
2aeca7bd95b1f4fb87901324a6336cb70e88be00699f409553f15f6c13e24d536612b1254bc763d9aba3446eb8463b1bc0c45d41da5c89410042ebe80241bd87

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
8867b9e74878430e8c25c531dbce25cb

SHA1
0160765a96a37ae6abee3a5bcf25195555f6d8c4

SHA256
7c01a03c52befc2560b7d4f0ec6a5331b4b8e1c6cdc1c164982eb8a5d9c19ce2

SHA512
46e41456167e1c672bb88cbbe8ee14edac9a9f61b2b5c64a694392c45bf0d19dc6f6cb9b949aff42daae5d4ebc43ec6bfc92aeaaee429f1cddd8e10c940419b1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
f127019f1c3cec9deddf7053d33a912d

SHA1
046f1f14d9f81a158a775340c97172743e42ab3d

SHA256
7d7ade2d7b9a7f5aad490fb3ff21e1e2cd2b2d3a8710412eb5c6b22eb9c53c5d

SHA512
4221b151cbe040cbf6a4e879ea59e6b4db2cf6697dc48a40b682a459a737fb8b95e0ea66796b5e28860e6f39f7656cca46d86fec1919f1b7c0a3cf2e991b22e4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
ac8d70889db703dfb80a521e48361bd6

SHA1
721691c86634935a8e8d6b32a8b3fa6c6cf9baa4

SHA256
2fa06ef2b854e567e498751773a2db2ab358124809346e1d119556091dd7b2fc

SHA512
4749e57fc54ef52d3dda6e5ad8218ca809f20f518ef38ce10a0ac978c2ccbc63964c6f104a5044be9e32d118184f85733784504d622e49d6782bbf87c762ed71

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
d33b63d60899359be5c800ea9a214f3c

SHA1
1c46429fee01f7a20b0c42ada49ac657e426dd8d

SHA256
b723c2fd5587d66f8434ad09d042d88e604054a271b105f0e050bd1314130be1

SHA512
582a06e8c9ba69e54a5901ed1b0d740b4e1c99f7cbe43579add7c91031395d605c9a237840cd7507bed3809cba271dc7346190930ee4394a31d61ad89d608e70

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
e7f8217c603bfef3dac6c52ce5f0e0b6

SHA1
0098786af56fcd5cb825f50904c8b9e557dd7d17

SHA256
62bad3f3509cb7790f8af73fa74a331f93f10a3243e2fa5412bc446fe48229f3

SHA512
a0d0df51486f79f6531d221fb947d668f3b51e660ad62318e097fc7e0a842ee011ea84eadea5ddea446504ef9d70117e3664dca2fc7cdfb5d977d73003f1f40c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
1c0f097513a297d991901999e887e7bd

SHA1
f68ade381b512c622edbcc80fa3f72f53dbaa8d6

SHA256
e121b31c1c64531b89013a2c71d286714a3260e07dd892244abf1fece93d3ae8

SHA512
220b6670f13781e3cc5e3e14533f888cca03ec8a1272fa7eab069653fa4016bbfd9867f8f525e81b2a56132698aabf6e3c874bc4bc883ce683930fb18b4f9436

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
678KB

MD5
9e1aa1c3c83bf771b7aec694d153d26f

SHA1
f318b62fb7a1bcbc6d2ed512ce73d97645ca80fd

SHA256
db3d080c9f4c229e34f52546b640908aa4e3e7becd6ff0f548ee797fef175a09

SHA512
6e3558eef0b18c116c68b539ece11c7ad1450679d27678e427e998a6dd8d456d85776abf1cf6973e742c2f13f011c261ba49e6511e90c25eb027b63b7c3955c1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
8174e69fc015b8304f6ad23bdc67b5e3

SHA1
235c5c90118f5e17e7c4fdddaa0978cd0fe4c09a

SHA256
0d40d555457e9914c9deceb1a2014c2247d8712efa12811d67974a7585816a0f

SHA512
89d7e6d2859138f1918c3b725c6d8e55139f41b2caa6c3871b5938bd903da9795dca3fcb27d4ddac852ed40fbabb8a9bb51f4d5933bcd8a6d6566a228089912e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
625KB

MD5
dbc97a66ccb84c30e11d7c5d7067da56

SHA1
66f5165e727d773ab2aa73e5dd30dcb85fb10cd7

SHA256
57d2fbe2355e2905a999e189c1137f5c8f24bc801c37fe4dac08fda84d18b49e

SHA512
d131e3cc5e4c681c8364167558bd489d6781532c486e9cb219402bdb3a3479730e9c631a407ed0e88f9b8555631679309393cce22db8455d32bb51a3f120ca2e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
f868052129478bc986bfff932118e5f3

SHA1
a54b20a8de668528fa1f53110da0fcd2248670c4

SHA256
ce4a5442502b406bafa172cdff41e5c240ebab16e956f3848b64d84ddb84cd89

SHA512
5725637904b8b743b60d4997b467c25e5f818e346673d45084bf9c46276345cec1258c694d13feefca43dc5ff786c080d04eb6f0920f6da2aa50668bfaf14cf4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
656KB

MD5
e28c79736d768aa3a2ccc408fdf68b2a

SHA1
f8e190b3c70918a5431027021588fcb16019f6ca

SHA256
5fcd1f982256c1f24b18174b211f87c705e80e4dfc6d79ed1e4ea6311205da8b

SHA512
84be8e2aaf7aee34c24bcb36ecf5f892b4b3f1e76dd1b3ae38cd73775bb8cb53b63ef6fcf303f0388b7b32b1e9d0e72f9a70b11357905ac9724a4ac4081dbba0

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
587KB

MD5
f793aaf27a6d646572a61cf59b12bb97

SHA1
002a10f1cceaef67cb64684eb3af9f2a5ef79e97

SHA256
4126ac7584afd941bda86ba63bfecdfacd34c650f3cabc8b07065091773e5cf7

SHA512
2b909418639a54cedd9a1a0833b138a79b08c07883390ca905e507744e9d02604e729233c00ab15916471cf97cbbcb37061e4f6ae03863dc333f2f565e4d0d88

Download Submit
C:\Windows\System32\Locator.exe
Filesize
577KB

MD5
f685d3a9c5815822747ee7905cf1ece1

SHA1
c282eda183e0db24f7948f1cf7fa794bc4632bac

SHA256
aae7482cfa095506fcdab6102c77caf8d67306b7253b9b390bd9e4fb0a1d824e

SHA512
f8546f8550b48dce2fcb15f7de8a28dd18b17d23c78383f38cc27f190fcf8dd0506ea330c20623964fdf00ad47469590f034a85d1a5270a4c2e712da06982572

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.1MB

MD5
d92e2abaa2c8ff62dcf1460356d4705f

SHA1
2050c42fb8ea1b2540b71b97d50d358b23f44496

SHA256
a40dc573758b4322cd5f0df3261369734a414c89400f25f1926652be8c5181e1

SHA512
998c960a71aee0bfe8565f9f66c05ce0d4b69111268f66f651dbd25efdc93801ef122b20cfabcb54b2d0665f19770da202b9a39e521522e8748129c6243e1cdd

Download Submit
C:\Windows\System32\dllhost.exe
Filesize
577KB

MD5
d8c113ca59df55cb486d1efecdc648a5

SHA1
2a9ccccc894d804684fd318435aaf6399ce70b96

SHA256
8c469fb15b0ced0d91438797fd8e66527a681ae83d1e0eca5a9f558bdabf5621

SHA512
3e465b3d1088d3c7cde19b2af7338b01040ead694e2234eb5b84e054760f6a599e1b74d23d20334914205d80823c24b43adb65bea4c98361f685a0c62dfbae69

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.1MB

MD5
0d4a8245d1f755d8f07e5f93066d11bd

SHA1
5307542c475bba95c7f33166bba8285a2d0dc66b

SHA256
782ee1ea63a1327605f320e1c9bd00bd60320126868010c763b7808e2b43fab0

SHA512
c0064d6eec1ebf5b90e7aeae6b87ec9c632ce2e128e768895dd8b6cfb83a37c2d20aa3b3ad425e53733fc05cbc713ef433876054c5066462475bf6352546f128

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.0MB

MD5
657319bebbd87d18018bfcf72283d106

SHA1
e0ddcf354973efd495823cfd387bb7397c2a88c1

SHA256
24a2457250d96d737c8a713dec5434161e23993c3329c9ee520a2f4fb9955d7a

SHA512
4186935e65640b0740fe0c837355714927638babdf32ddab160d404f301fbb784f8d5d314807b1e7dedf4369494d6709d9c0f1710a93156b6b2a8e64be24ba0b

Download Submit
C:\Windows\Temp\CabE7C0.tmp
Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarF20.tmp
Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll
Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6074cc8eb342d2f398270f27dd19489a\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
122KB

MD5
058eefa53ae42e118c99ad9d6201884a

SHA1
1d5944d8dcc249c07eb2e5a361308000b298e5e4

SHA256
b4dd5c4701dddb40165e93db451d586cc2dbd7cf52cc7133115ea363643c0da0

SHA512
cc9794c9cf2b2de350bf5b8e0a4fd99b43ecc7d7a49d05466e99bee62dea3e0fbcb8dabc1136f156cd82f1bd3da281ae3bbade12d1c5663f5b4e73c6939551f6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\69d197fe63e9942d63bd04413501c469\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
271KB

MD5
91a7009d299640c9cc98250a3e7c5322

SHA1
3ad26440e658210417fdd6c09e805c5f94d89d5e

SHA256
1d374d6adbc1c73192d7caf69d361e20adb8a29362b56493234cf0678ae1a933

SHA512
e5dab2d87b0799c1cfd5a6723c67e87b4618d82f9831c60bfbd2dbdd239462e23f5380972410db8cb390a3add160951c1c18681f7c580a1b76211e1445cb55ae

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a1020ab694f69dc7df48ebe0ec587739\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
221KB

MD5
54c5a07d53ee31843054449d54579789

SHA1
6e19860c132d61589306474a98fe1a79ff05be51

SHA256
bd81ea89bbaf5059733cefeab5b3c97c046cf41f8bf877df4007d97a73359967

SHA512
a99de3e2e0d6ec4d5b560a7015c902923c0e8d8fc44f0dde10bd8a6f82e1a4fcf8dc67518deeb3aac4517d91e98e5966eb2577fa823dd9a9ef91cdb2a5a0f981

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fac73b9533830421f1a3116d51185d39\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
305KB

MD5
7ae24236db8ba05c2fc9da0fed9ed020

SHA1
da59694f9045dae5010c0fb28f46a7ace775864e

SHA256
788b4acd0d08b82a446d1ba294e992ea6e546c8cc2c631d2b54e9b8f1ce2fd0b

SHA512
c0806df866e7d61d4ba4820ce03e851950d5ddf849f547936cb0a13fb889f66909f15882368c1771791e05ff44547c1ef1789defe79c35a2f5dc924b325d5bb2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll
Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll
Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll
Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\ehome\ehsched.exe
Filesize
691KB

MD5
158edabd1a96f6e97b8e13b4a8edbe40

SHA1
368fb3fe26171fa85c90093bc9dfa1a90ac76119

SHA256
c686e2b047d4860f7a124850b445d14030c8f74d40b9ad6568d69b0a8b1ccacb

SHA512
cdd6e2416e9576df388b14c9bdad3affdc3857cfb93cfac10033296472d01f6678c8a5dd6f500aaa5ec4aad3501b242174ab38107eec07b8d329613ad8212f71

Download Submit
C:\Windows\system32\fxssvc.exe
Filesize
1.2MB

MD5
81125a8905b62eceae0d29f93322e32d

SHA1
067711630b22d95c279853881681476a3026f104

SHA256
9fb9515be45e692c6388aa765249feabd73e8b1819bea07028665ad0beda7495

SHA512
8caa1aa20d0cbd7be7f6494498181f012f6b69c4d13868ec5dd9229b3325766a82435106ce5042eaec7aeb7031b87dba4254c0ba0aaa0d37fae30f969be8bc26

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
648KB

MD5
bebd569ad0bdb496ca8312f75097a492

SHA1
95a138d56e96afb1f240e29f204e934c3488746a

SHA256
0b113f84b0a9a95d238abc22a7231d1333612fac4626aeaa91212278339e8dab

SHA512
653931526985cd24a32d3a34db123d5f216b70f4b31c0c7b41e2d138894cdb2dcc4a5ad438e805991f915fcf8b238588b484e0ba28a8922f9651724e38fc589f

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
603KB

MD5
451d0c78d8ca815c7ee8494662ec1fc2

SHA1
440fee086c82a9e20c5323731655bf58339c2985

SHA256
2f283115cf5d237dfd92252f70fc1dfbab9e8762451f242c4df30d260ad4e9a0

SHA512
1bc49491ef29e0bd2e017edb94575d5825f36bdbdb68e9e77e2c2e0d48a816c22e1068d73f14bf4a3eb5afe639ce2b67088b1f79f2af1cdf97e71c697374143c

Download Submit
\Windows\System32\alg.exe
Filesize
644KB

MD5
3c85dd35466728cb6c4085b087f6541f

SHA1
a04fc5e74853ed5716c561b3c6355c440a0bd347

SHA256
c9401b1fd6d03eeeb50918398a1c2c684c267fd67beac2c4162fd0a27d15eed6

SHA512
ccba90fa10f2b974ee3350eb1e29a03447f83b14e5d14e2c7d98061eb7ac0ac8ab8c91f820fa7308b40eef7beae8b6203151a525f12995c05e21efc6cfa9398f

Download Submit
\Windows\System32\ieetwcollector.exe
Filesize
674KB

MD5
0a9bbf5fadeb3078ad306675f3184dd1

SHA1
921bc14ab22463504924fce3a24d5eb553bb3fd0

SHA256
b13bef6d8637a05ae78767c4045892a76fee4559347904c5e0dd7f8ba77267d8

SHA512
611292e52218ffc3b2f734471a56bf6b37e2dfe7bea4e5202b2643c7709f5abbb823cac54a51d7601cdeae25b794e20787126426780f5f430e6adbb4773a754e

Download Submit
\Windows\System32\msdtc.exe
Filesize
705KB

MD5
b8f23cafa004675d5f48fd5df02db8a4

SHA1
7b2d82f8ae108f7ca09ae4b60d35dc908bf9ce90

SHA256
89e61fe0fd927d210869839f984ce3ebab857c1b80a7363b41c8906f6a7cc953

SHA512
8361df49f24bab8b85b5e2fdeb5d0b24924694f9f5cf5a5ae10b55d63e8c2ea7a92f62aef128425c1f861e07622a7b1cb5b2cac6461c54e5d38dc7b9688f2cf9

Download Submit
\Windows\System32\msiexec.exe
Filesize
691KB

MD5
c285eb196be6b7cddd37c6eb027c92d7

SHA1
3c6879636b9e71c9a6e2075a63208fa41238656e

SHA256
05055cfeb71f702075bcb5091d5e96f3eb50a5e45f1c0825ff799131f064d9de

SHA512
522e56bd2d2af61cc09315a3409501f37f03d96cd1456e6631349ad65db13960b2e283177e5c52054ff33eba1a972bece328b2b7438e740872812f2af59d113f

Download Submit
\Windows\System32\snmptrap.exe
Filesize
581KB

MD5
a11d6caa926924ed42d676f0f3a26e57

SHA1
159c7a8bb68af9448f4239c13dfb958196fe6114

SHA256
931d17c9e6a4846178a86aa9b91020f99e2612033bb80aa2ce4e9f20c7a70801

SHA512
43a0b9e778a021cd7b8aa695ade88a819299bcd65b2bb48a60f15e77f958f121508969b81b71988fff73529a5cc5cec74706999813e4738ea82094ca7812db28

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
4fdaee6ae4d8fefc71eaa92daf444425

SHA1
a6b040db54d82ebb6e3dd52000e1514e70fba4b2

SHA256
8df6011935378cefaa1df723ce6a47d6bd82aaee85ee606e7dd97890530bb741

SHA512
c638aa4ed18b88a74aef12c7531603d468c8bf207fda4145a47258838b741989848b628a86a674d6c8dd2a5e9c6a647cf0dedbb532734d17e5e4655732a04990

Download Submit
memory/264-139-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/264-256-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/272-293-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/272-582-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/448-765-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/448-768-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/608-486-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/608-248-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/760-265-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/760-513-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/816-329-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/816-210-0x00000000002C0000-0x0000000000372000-memory.dmp

Filesize
712KB

Download
memory/816-200-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/816-359-0x00000000002C0000-0x0000000000372000-memory.dmp

Filesize
712KB

Download
memory/904-718-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/904-706-0x0000000003C10000-0x0000000003CCA000-memory.dmp

Filesize
744KB

Download
memory/1036-644-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1036-633-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1084-225-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1084-389-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1152-278-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1152-180-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1168-602-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1168-314-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1452-119-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1452-235-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1452-111-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1512-716-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1512-730-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1616-720-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1616-743-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1620-757-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1648-528-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1648-279-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1652-554-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/1652-282-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/1696-159-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1696-277-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1764-546-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1764-529-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1860-669-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1860-681-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1896-668-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2004-89-0x00000000005D0000-0x0000000000630000-memory.dmp

Filesize
384KB

Download
memory/2004-88-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2004-223-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2004-95-0x00000000005D0000-0x0000000000630000-memory.dmp

Filesize
384KB

Download
memory/2112-124-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2112-242-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2140-778-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2192-612-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2192-328-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2196-606-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2196-583-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2212-624-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2236-0-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2236-1-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2236-71-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2236-9-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2236-318-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2236-317-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2336-788-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2336-621-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2340-555-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2340-586-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2364-197-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2364-181-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2372-690-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2372-697-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2416-488-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2416-504-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2436-305-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2436-185-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2484-466-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2484-491-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2488-395-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2488-362-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2540-671-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2540-693-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2640-747-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2640-742-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2656-55-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2656-61-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2656-103-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2656-54-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2672-39-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2672-40-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2672-102-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2672-47-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2692-36-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/2692-27-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2692-138-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2692-28-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/2780-655-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2780-391-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2780-437-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2784-79-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/2784-73-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2784-74-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/2784-204-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2836-238-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2836-465-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2860-527-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2860-514-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3052-21-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3052-15-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3052-14-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/3052-110-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download