b485f1d60406e95aaed0f09c321eb31d3997ffa04245799d8c4e7c4ca5edab97

Analysis

max time kernel
133s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
Size

1.1MB
MD5

361f12ddd9ef3e403e771ed9860653c5
SHA1

afeeba77ff2b314ea2193b79e09f92486cf620da
SHA256

b485f1d60406e95aaed0f09c321eb31d3997ffa04245799d8c4e7c4ca5edab97
SHA512

9d1a6056c07e5293daf9673006150caab3da35e9aa4329c93a8106f5ed55a2a31fac544335a671f0604fc89287c808801aa51ab1433886b78a86a97e5be20bbf
SSDEEP

24576:LSi1SoCU5qJSr1eWPSCsP0MugC6eTZgPvod50p/TXM2s0espsODZjB0IP:rS7PLjeTZ0vo05s0eusONlP

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exeGROOVE.EXEdllhost.exemaintenanceservice.exemsdtc.exemsiexec.exeOSE.EXEOSPPSVC.EXEmscorsvw.exeperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exemscorsvw.exemscorsvw.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
2480	alg.exe
2752	aspnet_state.exe
2512	mscorsvw.exe
2828	mscorsvw.exe
2172	mscorsvw.exe
2360	mscorsvw.exe
2140	ehRecvr.exe
1756	ehsched.exe
2920	elevation_service.exe
1440	IEEtwCollector.exe
2760	GROOVE.EXE
1820	dllhost.exe
3024	maintenanceservice.exe
2996	msdtc.exe
2960	msiexec.exe
1520	OSE.EXE
2748	OSPPSVC.EXE
1660	mscorsvw.exe
1400	perfhost.exe
2656	locator.exe
1648	snmptrap.exe
2652	vds.exe
1600	vssvc.exe
1568	wbengine.exe
984	WmiApSrv.exe
1064	mscorsvw.exe
1988	mscorsvw.exe
2380	wmpnetwk.exe
1436	SearchIndexer.exe
1960	mscorsvw.exe
564	mscorsvw.exe
2376	mscorsvw.exe
2124	mscorsvw.exe
3028	mscorsvw.exe
1868	mscorsvw.exe
2852	mscorsvw.exe
2108	mscorsvw.exe
1556	mscorsvw.exe
2276	mscorsvw.exe
2060	mscorsvw.exe
324	mscorsvw.exe
840	mscorsvw.exe
1288	mscorsvw.exe
1988	mscorsvw.exe
1940	mscorsvw.exe
2436	mscorsvw.exe
2736	mscorsvw.exe
2352	mscorsvw.exe
2180	mscorsvw.exe
440	mscorsvw.exe
2212	mscorsvw.exe
2660	mscorsvw.exe
908	mscorsvw.exe
2180	mscorsvw.exe
2064	mscorsvw.exe
2492	mscorsvw.exe
1904	mscorsvw.exe
2704	mscorsvw.exe
1660	mscorsvw.exe
1812	mscorsvw.exe
1864	mscorsvw.exe
2432	mscorsvw.exe
2844	mscorsvw.exe

Loads dropped DLL 51 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
468
468
468
468
468
468
468
2960	msiexec.exe
468
468
468
468
468
768
2492	mscorsvw.exe
2492	mscorsvw.exe
2704	mscorsvw.exe
2704	mscorsvw.exe
1812	mscorsvw.exe
1812	mscorsvw.exe
2432	mscorsvw.exe
2432	mscorsvw.exe
2232	mscorsvw.exe
2232	mscorsvw.exe
680	mscorsvw.exe
680	mscorsvw.exe
2332	mscorsvw.exe
2332	mscorsvw.exe
2676	mscorsvw.exe
2676	mscorsvw.exe
2028	mscorsvw.exe
2028	mscorsvw.exe
1920	mscorsvw.exe
1920	mscorsvw.exe
1900	mscorsvw.exe
1900	mscorsvw.exe
1260	mscorsvw.exe
1260	mscorsvw.exe
1320	mscorsvw.exe
1320	mscorsvw.exe
636	mscorsvw.exe
636	mscorsvw.exe
2880	mscorsvw.exe
2880	mscorsvw.exe
2404	mscorsvw.exe
2404	mscorsvw.exe
2472	mscorsvw.exe
2472	mscorsvw.exe
2068	mscorsvw.exe
2068	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 22 IoCs

Processes:

aspnet_state.exeSearchProtocolHost.exe2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exemscorsvw.exeGROOVE.EXEmsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\23f07defae4ef42b.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

aspnet_state.exemscorsvw.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exe2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP705F.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7B19.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP92DD.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{66F5BD30-713E-494E-836B-7F719322EFA6}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP80A5.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP63A3.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7E35.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeehRec.exemscorsvw.exemscorsvw.exeOSPPSVC.EXEwmpnetwk.exeehRecvr.exeSearchFilterHost.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4 = "Windows Media Player"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mblctr.exe,-1004 = "Opens the Windows Mobility Center so you can adjust display brightness, volume, power options, and other mobile PC settings."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\comres.dll,-3410 = "Component Services"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{D2535F51-6676-43B1-A38C-F65A999F887A}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehdrop.dll,-152 = "Microsoft Recorded TV Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\odbcint.dll,-1310 = "Data Sources (ODBC)"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000 = "Sync Center"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-102 = "View monitoring and troubleshooting messages from windows and other programs."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114 = "Windows Fax and Scan"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\sud.dll,-10 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591 = "Windows Easy Transfer Reports"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\syncCenter.dll,-3001 = "Sync files between your computer and network folders"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mstsc.exe,-4000 = "Remote Desktop Connection"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-308 = "Landscapes"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ehRec.exeaspnet_state.exe

pid process

1896 ehRec.exe
2752 aspnet_state.exe
2752 aspnet_state.exe
2752 aspnet_state.exe
2752 aspnet_state.exe
2752 aspnet_state.exe

pid	process
1896	ehRec.exe
2752	aspnet_state.exe
2752	aspnet_state.exe
2752	aspnet_state.exe
2752	aspnet_state.exe
2752	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exeaspnet_state.exemsiexec.exevssvc.exewbengine.exeSearchIndexer.exewmpnetwk.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2460	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: 33	2056	EhTray.exe
Token: SeIncBasePriorityPrivilege	2056	EhTray.exe
Token: SeDebugPrivilege	1896	ehRec.exe
Token: SeTakeOwnershipPrivilege	2752	aspnet_state.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeRestorePrivilege	2960	msiexec.exe
Token: SeTakeOwnershipPrivilege	2960	msiexec.exe
Token: SeSecurityPrivilege	2960	msiexec.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: 33	2056	EhTray.exe
Token: SeIncBasePriorityPrivilege	2056	EhTray.exe
Token: SeBackupPrivilege	1600	vssvc.exe
Token: SeRestorePrivilege	1600	vssvc.exe
Token: SeAuditPrivilege	1600	vssvc.exe
Token: SeBackupPrivilege	1568	wbengine.exe
Token: SeRestorePrivilege	1568	wbengine.exe
Token: SeSecurityPrivilege	1568	wbengine.exe
Token: SeManageVolumePrivilege	1436	SearchIndexer.exe
Token: 33	1436	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1436	SearchIndexer.exe
Token: 33	2380	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2380	wmpnetwk.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeDebugPrivilege	2752	aspnet_state.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeDebugPrivilege	2172	mscorsvw.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2172	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

2056 EhTray.exe
2056 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

2056 EhTray.exe
2056 EhTray.exe

pid	process
2056	EhTray.exe
2056	EhTray.exe

pid	process
2056	EhTray.exe
2056	EhTray.exe

Suspicious use of SetWindowsHookEx 26 IoCs

Processes:

SearchProtocolHost.exeSearchProtocolHost.exe

pid	process
2100	SearchProtocolHost.exe
2100	SearchProtocolHost.exe
2100	SearchProtocolHost.exe
2100	SearchProtocolHost.exe
2100	SearchProtocolHost.exe
856	SearchProtocolHost.exe
856	SearchProtocolHost.exe
856	SearchProtocolHost.exe
856	SearchProtocolHost.exe
856	SearchProtocolHost.exe
856	SearchProtocolHost.exe
856	SearchProtocolHost.exe
856	SearchProtocolHost.exe
856	SearchProtocolHost.exe
856	SearchProtocolHost.exe
856	SearchProtocolHost.exe
856	SearchProtocolHost.exe
856	SearchProtocolHost.exe
856	SearchProtocolHost.exe
856	SearchProtocolHost.exe
856	SearchProtocolHost.exe
856	SearchProtocolHost.exe
856	SearchProtocolHost.exe
856	SearchProtocolHost.exe
856	SearchProtocolHost.exe
2100	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exeSearchIndexer.exe

description	pid	process	target process
PID 2172 wrote to memory of 1660	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 1660	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 1660	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 1660	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 1064	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 1064	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 1064	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 1064	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 1988	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 1988	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 1988	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 1988	2172	mscorsvw.exe	mscorsvw.exe
PID 1436 wrote to memory of 2100	1436	SearchIndexer.exe	SearchProtocolHost.exe
PID 1436 wrote to memory of 2100	1436	SearchIndexer.exe	SearchProtocolHost.exe
PID 1436 wrote to memory of 2100	1436	SearchIndexer.exe	SearchProtocolHost.exe
PID 1436 wrote to memory of 1888	1436	SearchIndexer.exe	SearchFilterHost.exe
PID 1436 wrote to memory of 1888	1436	SearchIndexer.exe	SearchFilterHost.exe
PID 1436 wrote to memory of 1888	1436	SearchIndexer.exe	SearchFilterHost.exe
PID 2172 wrote to memory of 1960	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 1960	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 1960	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 1960	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 564	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 564	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 564	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 564	2172	mscorsvw.exe	mscorsvw.exe
PID 1436 wrote to memory of 856	1436	SearchIndexer.exe	SearchProtocolHost.exe
PID 1436 wrote to memory of 856	1436	SearchIndexer.exe	SearchProtocolHost.exe
PID 1436 wrote to memory of 856	1436	SearchIndexer.exe	SearchProtocolHost.exe
PID 2172 wrote to memory of 2376	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 2376	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 2376	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 2376	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 2124	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 2124	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 2124	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 2124	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 3028	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 3028	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 3028	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 3028	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 1868	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 1868	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 1868	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 1868	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 2852	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 2852	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 2852	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 2852	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 2108	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 2108	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 2108	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 2108	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 1556	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 1556	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 1556	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 1556	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 2276	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 2276	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 2276	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 2276	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 2060	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 2060	2172	mscorsvw.exe	mscorsvw.exe
PID 2172 wrote to memory of 2060	2172	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2480

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2512

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 250 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 24c -NGENProcess 1f0 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d4 -NGENProcess 1e0 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1e8 -NGENProcess 24c -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 250 -NGENProcess 268 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1f0 -NGENProcess 24c -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 26c -NGENProcess 1e8 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 26c -NGENProcess 1f0 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 278 -NGENProcess 1e8 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 270 -NGENProcess 27c -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 250 -NGENProcess 1e8 -Pipe 1e0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 250 -NGENProcess 270 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 288 -NGENProcess 1e8 -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1e8 -NGENProcess 284 -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 290 -NGENProcess 274 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 288 -NGENProcess 294 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 288 -NGENProcess 240 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 270 -NGENProcess 294 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 250 -NGENProcess 2a0 -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2a0 -NGENProcess 280 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a8 -NGENProcess 27c -Pipe 298 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2ac -NGENProcess 250 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1d0 -NGENProcess 290 -Pipe 1c4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 2d4 -NGENProcess 2ac -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2d8 -NGENProcess 27c -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2cc -NGENProcess 2ac -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2e0 -NGENProcess 1d0 -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2ac -NGENProcess 1d0 -Pipe 294 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2ec -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2e4 -NGENProcess 2e0 -Pipe 2dc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f4 -NGENProcess 1d0 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 1d0 -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 2fc -NGENProcess 2e0 -Pipe 2ac -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2e0 -NGENProcess 2f4 -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 304 -NGENProcess 2ec -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2ec -NGENProcess 2fc -Pipe 300 -Comment "NGen Worker Process"
2⤵
PID:2512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 30c -NGENProcess 2f4 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2f4 -NGENProcess 304 -Pipe 308 -Comment "NGen Worker Process"
2⤵
PID:2916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 314 -NGENProcess 2fc -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2fc -NGENProcess 30c -Pipe 310 -Comment "NGen Worker Process"
2⤵
PID:2532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 31c -NGENProcess 304 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 304 -NGENProcess 314 -Pipe 318 -Comment "NGen Worker Process"
2⤵
PID:600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 324 -NGENProcess 30c -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 30c -NGENProcess 31c -Pipe 320 -Comment "NGen Worker Process"
2⤵
PID:2100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 32c -NGENProcess 314 -Pipe 2fc -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 314 -NGENProcess 324 -Pipe 328 -Comment "NGen Worker Process"
2⤵
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 334 -NGENProcess 31c -Pipe 304 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 31c -NGENProcess 32c -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:2356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 33c -NGENProcess 324 -Pipe 30c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 324 -NGENProcess 334 -Pipe 338 -Comment "NGen Worker Process"
2⤵
PID:1144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 344 -NGENProcess 32c -Pipe 314 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 32c -NGENProcess 33c -Pipe 340 -Comment "NGen Worker Process"
2⤵
PID:564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 34c -NGENProcess 334 -Pipe 31c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 334 -NGENProcess 344 -Pipe 348 -Comment "NGen Worker Process"
2⤵
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 354 -NGENProcess 33c -Pipe 324 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 33c -NGENProcess 34c -Pipe 350 -Comment "NGen Worker Process"
2⤵
PID:1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 35c -NGENProcess 344 -Pipe 32c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 344 -NGENProcess 354 -Pipe 358 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 364 -NGENProcess 34c -Pipe 334 -Comment "NGen Worker Process"
2⤵
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 360 -Pipe 290 -Comment "NGen Worker Process"
2⤵
PID:704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 360 -NGENProcess 35c -Pipe 370 -Comment "NGen Worker Process"
2⤵
PID:600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 33c -NGENProcess 36c -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
PID:2472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 36c -NGENProcess 368 -Pipe 364 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 368 -NGENProcess 2c4 -Pipe 35c -Comment "NGen Worker Process"
2⤵
PID:844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 37c -NGENProcess 374 -Pipe 344 -Comment "NGen Worker Process"
2⤵
PID:2332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 378 -Pipe 360 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 2c4 -Pipe 33c -Comment "NGen Worker Process"
2⤵
PID:2312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 374 -Pipe 354 -Comment "NGen Worker Process"
2⤵
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 378 -Pipe 36c -Comment "NGen Worker Process"
2⤵
PID:1176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 2c4 -Pipe 368 -Comment "NGen Worker Process"
2⤵
PID:2460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 374 -Pipe 37c -Comment "NGen Worker Process"
2⤵
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 378 -Pipe 380 -Comment "NGen Worker Process"
2⤵
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 2c4 -Pipe 384 -Comment "NGen Worker Process"
2⤵
PID:2064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 374 -Pipe 388 -Comment "NGen Worker Process"
2⤵
PID:2716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 378 -Pipe 38c -Comment "NGen Worker Process"
2⤵
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 2c4 -Pipe 390 -Comment "NGen Worker Process"
2⤵
PID:2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 374 -Pipe 394 -Comment "NGen Worker Process"
2⤵
PID:2056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 378 -Pipe 398 -Comment "NGen Worker Process"
2⤵
PID:1712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 2c4 -Pipe 39c -Comment "NGen Worker Process"
2⤵
PID:680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 374 -Pipe 3a0 -Comment "NGen Worker Process"
2⤵
PID:2588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 378 -Pipe 3a4 -Comment "NGen Worker Process"
2⤵
PID:1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 2c4 -Pipe 3a8 -Comment "NGen Worker Process"
2⤵
PID:2764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 374 -Pipe 3ac -Comment "NGen Worker Process"
2⤵
PID:908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 378 -Pipe 3b0 -Comment "NGen Worker Process"
2⤵
PID:1088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 2c4 -Pipe 3b4 -Comment "NGen Worker Process"
2⤵
PID:2184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 374 -Pipe 3b8 -Comment "NGen Worker Process"
2⤵
PID:2264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 378 -Pipe 3bc -Comment "NGen Worker Process"
2⤵
PID:1012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 2c4 -Pipe 3c0 -Comment "NGen Worker Process"
2⤵
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 374 -Pipe 3c4 -Comment "NGen Worker Process"
2⤵
PID:680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 378 -Pipe 3c8 -Comment "NGen Worker Process"
2⤵
PID:2124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 378 -NGENProcess 3e0 -Pipe 3e4 -Comment "NGen Worker Process"
2⤵
PID:2064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 3e8 -NGENProcess 374 -Pipe 3d0 -Comment "NGen Worker Process"
2⤵
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3cc -Pipe 3d4 -Comment "NGen Worker Process"
2⤵
PID:344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3e0 -Pipe 3d8 -Comment "NGen Worker Process"
2⤵
PID:568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 374 -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3cc -Pipe 3dc -Comment "NGen Worker Process"
2⤵
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3e0 -Pipe 378 -Comment "NGen Worker Process"
2⤵
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 404 -NGENProcess 374 -Pipe 3e8 -Comment "NGen Worker Process"
2⤵
PID:564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 408 -NGENProcess 3cc -Pipe 3ec -Comment "NGen Worker Process"
2⤵
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 3cc -NGENProcess 3fc -Pipe 3e0 -Comment "NGen Worker Process"
2⤵
PID:1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 410 -NGENProcess 374 -Pipe 3f4 -Comment "NGen Worker Process"
2⤵
PID:1552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 374 -NGENProcess 408 -Pipe 40c -Comment "NGen Worker Process"
2⤵
PID:3008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 418 -NGENProcess 3fc -Pipe 404 -Comment "NGen Worker Process"
2⤵
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 3fc -NGENProcess 410 -Pipe 414 -Comment "NGen Worker Process"
2⤵
PID:1676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 420 -NGENProcess 408 -Pipe 3cc -Comment "NGen Worker Process"
2⤵
PID:1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 41c -Pipe 3f8 -Comment "NGen Worker Process"
2⤵
PID:2552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 41c -NGENProcess 3fc -Pipe 410 -Comment "NGen Worker Process"
2⤵
PID:2824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 42c -NGENProcess 408 -Pipe 3f0 -Comment "NGen Worker Process"
2⤵
PID:1512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 430 -NGENProcess 428 -Pipe 418 -Comment "NGen Worker Process"
2⤵
PID:2460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 434 -NGENProcess 3fc -Pipe 420 -Comment "NGen Worker Process"
2⤵
PID:2564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 438 -NGENProcess 408 -Pipe 374 -Comment "NGen Worker Process"
2⤵
PID:1320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 43c -NGENProcess 428 -Pipe 424 -Comment "NGen Worker Process"
2⤵
PID:2560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 3fc -Pipe 41c -Comment "NGen Worker Process"
2⤵
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 408 -Pipe 42c -Comment "NGen Worker Process"
2⤵
PID:564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 448 -NGENProcess 428 -Pipe 430 -Comment "NGen Worker Process"
2⤵
PID:2764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 44c -NGENProcess 3fc -Pipe 434 -Comment "NGen Worker Process"
2⤵
PID:544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 450 -NGENProcess 408 -Pipe 438 -Comment "NGen Worker Process"
2⤵
PID:2104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 454 -NGENProcess 428 -Pipe 43c -Comment "NGen Worker Process"
2⤵
PID:2436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 458 -NGENProcess 3fc -Pipe 440 -Comment "NGen Worker Process"
2⤵
PID:2112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 45c -NGENProcess 408 -Pipe 444 -Comment "NGen Worker Process"
2⤵
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 460 -NGENProcess 428 -Pipe 448 -Comment "NGen Worker Process"
2⤵
PID:1320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 464 -NGENProcess 3fc -Pipe 44c -Comment "NGen Worker Process"
2⤵
PID:1608

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:440

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2212

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2140

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1756

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2056

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2920

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1440

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2760

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1820

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3024

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2996

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1520

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2748

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1400

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2656

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1648

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:984

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
2⤵
- Suspicious use of SetWindowsHookEx
PID:2100

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 596 600 608 65536 604
2⤵
- Modifies data under HKEY_USERS
PID:1888

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:856

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
f529f8b5b52470e88f6ab309d42bedbe

SHA1
c9e5ccd698bfd3537f0726bf684639ed62901aa9

SHA256
d77b9b896a658fe802c976ff9ece85728812cfa87d04b031e5d7d699dc2cbec6

SHA512
83f3ec130bfe3f048ff9c9d1c87d876aa61672165ade30b9898ad191c8d17b1685cd0df0ccb90a9f15eea7ab64ebcfada9b6e9ebbac1de2a424ba30cfe1091f0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
d15bbb9b67986fa1522365c346e314dc

SHA1
0ff98320ff4334acbc8ee3cef5f089da5cef4537

SHA256
5cf8b3ae6725a32796f2c0add2fa0c52e147128eb55f56d7286a733579c40041

SHA512
6aec1f9b0fb70c48e95d0201f5221430a0e659054c530ad47581ab62b7ffe1b6aedf4f990d8122200a6857ce0d0cb54573369c42df6b7e4d901fb1765188dd86

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
f7aedd9fb27bb94911a2e1a6fb07b70c

SHA1
d1ef47eb9a1b580836c05d4404f9f00131ce1af4

SHA256
788b17b7bf770196f1416f61e638abb99e4f5fadcc4b105bc5c5c0d9230c3d7a

SHA512
cd812a7637fb4814f1da931bd854b2acaba4718a8a06f68821663e1bb3afcee7fb6d4ddd58b8860fca76f72c9b661c130492eb23c7f842798483db2dc6b80619

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
9bab120a3f47efc204c3c81fb0302590

SHA1
970be8a5751ece4cb8ee39225e52235387dec872

SHA256
dbe974b9a583c239484a81cc5b3f17b02e7d74c31097e7ab2cb60a87a742fd08

SHA512
fe67eff40ff5079fa228338211e494edf57b62a4c68b9c449a1e28e8194e6d41451c152d2543bb27ca9b4c7d8f85b9512b412cb1bb4b7afe85aa22042d94e226

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
72012b762932654feaea0bb46c64cd99

SHA1
8632fdcb89497f5a12f8cc97d551bb3db7e34457

SHA256
341431b1f3b4bf11d8c7ad09fb286a9776977e0e6f5ff762e912c8c0489a12e8

SHA512
c14716528fdd5da0c71e672b5b2cde6d59579f910a2e6c41f373c4112350b0987984d8a1d5469ef320297df4a792a860de181a9706b6a2de317cb068fecee4c7

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
1.3MB

MD5
7a2534a10d34f20c290d81c42a3b80f8

SHA1
5dfc3aa5addbfbeb988a0dfd2065f6d3838b7c59

SHA256
5d291c8cfd831213919c2b7a83908b06450d574cebd31aa25e9505ead85123ae

SHA512
161c834ee8d08749085579dfe7a9bef34ba218022befe9ec81e8d87d7faf354dd035f8754d925bbb30f7a22087dc8f69d3b631e03969ed33f8d1d81bfe4292b7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
a8ddb3d54db12fe86ada59587b813b0d

SHA1
9f550238090413b5652c7cf9b40984c661d2e049

SHA256
ab1002f8918a5d3ffeededc03fde871c68b68cae091e8952f20cbdcbb733594b

SHA512
b6a3b57d140aebea9f552bc8782915cab8d3251aa2bae32f165a638ab59517077c22009668a5f8a4d7ab244dc2217f14bd1375af1dd7a40f00a24c662da151f0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
1.3MB

MD5
e396ab802b7ee574cbd93670e7a513b0

SHA1
5a5d89756eab345d96b5cc779ecf64de048f42c5

SHA256
0f17abf61c426d83c3ae80cf857942e8e3930bf351d3665b2af0efcc4419803d

SHA512
3a327c04e010802ea95a447253cb9f393ec5b05363c4396065c38e3ae767a4289c88961e885c8e23495b7e86a9b2136004b3a5d3d76481a2725f7a0f5651be2d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
1.3MB

MD5
ca877db45816ed8354320093ee857f7f

SHA1
ff2aab87b6b481d3a0c38d5304fab79b4bc73335

SHA256
778ec4b906cee068832eb9aa123319b2076ceb81f0fd6110879cc68a0279019f

SHA512
4f30ed673cc8e53979c890b7e31e6a9b4873d8a6f1178dbaf45acefebccf1460332bdf83502bba781c9073fd66c1008744e0d37905ce9f6a257e0962664324e7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
36acbd5833da066fab88a302c563ce17

SHA1
05996a541c5d39f0073f4ef079b0d8ba31c9e07f

SHA256
63693670ebedf395efbb5b26ac1e84dace109d9595b6cf54a8cf23f5d1942ec6

SHA512
cefec1b2b3ea5507a83c035d51268b2aeb3931231630823b49c51608e0d5c1b5efba4cf29e67b5360741181125a515394eb1dc2669c9b9d6148bd0b258f5c632

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
1.3MB

MD5
e50a47ff34cc5d3aef306a67c0402fad

SHA1
1d89352a88275a4ec92f4591e9bff3bdd22cab24

SHA256
5f4659818562c2e722f5ec03eec2c6361dc24c42d1d8b59534ae75d6601187e7

SHA512
60dfef2441ae03ee5bba0175ed7dec229ae172cedbc3b7bafe46096c1b0d0bf6c6093c85f2053cdb198538818337723aad1ff1876287b21e9af59bd20a9d3368

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
f2aab290a3d61d823bef5d892154cd56

SHA1
f790a8f8bf1705d1f4199d9bba5d53012f69045a

SHA256
4a5618e2121eab5a6cd010c183669449ba345aea4cf910d446d6ef922b020c3a

SHA512
4c59e30c1516031578dd232a412d2e19c1afd1b6edf7fe7690d6d2293f3e86e37741fd53320292f5a44bcf3229ed41aad7b4f0458515aaca4f3ac2cdc594c1c0

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
d7c61adf941992b44631980be911242a

SHA1
87f3819ee6b81a66c26f683895f8047302444b50

SHA256
27401a5d91e142a653caa4932b935347a9cc12dd8ed71df88d70083af5f7346c

SHA512
b220443fe41a695fbc103fd75486c1726189426ed7b65f291851406431d6e50584adb0b08c48f55eabd2a80a1f1a09a1441485f75fe9e0c365689b8e8e9133cb

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.1MB

MD5
6338bc888fc4c8cca408d4a420247f94

SHA1
2f2ac8fa1f97066f33154c8845a93c28ad547b2a

SHA256
4c6f9902e00df8fa7d81256cf376831e552481808bd6a304d2e64a07c236b07e

SHA512
051d34a5cafb335e39b5f08f481220f2895c98acac8744c5325af1429bf09856e9111ff7370dfccec05c8ef647fc460df5e06f26f952621e02596806b8ba1bd0

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.1MB

MD5
12aa64a9117aa4f6a29f0297deb809c2

SHA1
62285ec7cf06532361a555f84cad40c12eb2ce90

SHA256
929c532dc7941dd7af716e6cf5430c84f51d993d3fd59b181fbeecc590001d7c

SHA512
d50e885d587c3b0f0f47a8ec5d38fec803c1749861a204e2b8db235658341ae2eb630e50b822ebd1f42f40de4f05160c51d2688d62ed3b09bafee767d9a822b7

Download Submit
C:\Windows\System32\ieetwcollector.exe
Filesize
1.3MB

MD5
ffd8858e355b00396896c04e2bccd215

SHA1
6287a4fc7897df69b392c15890f13aff71b0d957

SHA256
48e2ebd928d4945a6d6bd345c6a8e5d4275afaee153053fe29d478f50a8a5115

SHA512
19baac0fbf2d07105dc1ece0c2f6a36fab7d2a90d3cc74b49ee6ad2752a56fd2b14a7a02de96a4eecb4d719b8230dbe35e3f79abeebac4c7dcd4ca063e95b80a

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.7MB

MD5
1956b465b38032c88c95d185ee719ba4

SHA1
7017a2b8f180d1e2ada9802ea625b50f0c71e6fa

SHA256
4cbd6f262269dc18ff68672e419f007e362799c0adc433e809eefcf19286050d

SHA512
b5447e0d4c6a30b1bbe23b503ae62c2d54043e20830a01118e27c55f68cceee3ac5039120c33641c8171612597b61030462cc91b8357beb5a9bee949e2438cf4

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll
Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\821fdb8ddf007b8b7e36815ed04aba54\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
83KB

MD5
7daea1cd10183bc06490e8a924c0ee07

SHA1
374bbab7f4148e09fbacd9c20200895d54a76311

SHA256
e3e2119de3b598c9fa5125cd846c04edadcb6de759e4f619b83e8033d00628fd

SHA512
b6fad75474b9fc0d2560c3095651a9d75f79d7da0e4e43e72cdbc4053b8e518efe81d46a82f9f5ed963a433e2014fe0bfec3efa5615167207c6bb2ebe23d0f02

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ac4686737159b3e6174b50b93ad87263\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
187KB

MD5
1d3f195019d9a40f44a69df77a0e135f

SHA1
826ffa08b656d783cbcd7517ddf55cbf25c57d5f

SHA256
e1f3e41e83f0de7ece13be223aba878efb5c95c65b2767ba3644618d8efa28f7

SHA512
11c5002fe5231d49df3238e1705bb029be293ac725444aecaca37bd703b0e27296ecb9cfb742f51fd4097f9ecd3a64186c1d6f4c11781d6f8c565699c5060d14

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f8ea4d5bd9d0cc01e82f44f3065173d0\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
180KB

MD5
ce4cc37a655f86c57d01e973b1129e4a

SHA1
e8493a3706fe104df08c664ee4cdde3bf854cc46

SHA256
6a5fe673a44bc384d885c812bf1e7837525912bb707839a206503967a901b89b

SHA512
fda87552f639ef25b60262e0fe83808e8c1fbf1ca0a4e3e17317b40a8ab4c8caee6d1c228ae6be76d297cb6b3f6a7ba5fb92aa611db74dc4d99582b5bbe2a7df

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5A8F.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll
Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7E35.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll
Filesize
143KB

MD5
7acb812f331570959dbb781e516e10b2

SHA1
ce58e115d10297051c1aff42a78f1261820c7f73

SHA256
ac7421383c0e9e0ae8c99e2bae4af34d55d34d66df6cc1710ccde4438c3f9fa3

SHA512
e76fcf2773d41bc2ba5b32c4ddfacb9b1610837fbad3f0e68c4a3a8fcb1bf64fa149c1eb191399a7b11339d8b23779f7d4bf60fadead6322e0e814ad602e03fb

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\system32\fxssvc.exe
Filesize
1.2MB

MD5
b774d10500b9b22e8745c3eaac353699

SHA1
47a05d2df1a47f1e45850d6c915cccb8ce555695

SHA256
cec5c85d3babcaa41956db8da042fca4a3d60251d6ac3605176a17e9b0b6e57c

SHA512
8367735518cdae07fc83f0a120779fe967445ce61d106d58373ba0338ef776a1b50f428a73bf215b4f3fc43147db4eb42446807215f10ff5db3de75c1c38b45f

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
2.0MB

MD5
b736256333032e39d38ee1039b156f07

SHA1
a000728fd5352344fcc46b461c70f4734d4dbb14

SHA256
7ead2d47881a1a0bd3ec462ef8a414cf7a4e3c00686807ebf10e18dd7c5076e8

SHA512
fad962a925ef445e22d7e58f74077fea1d447569938e97e0ed40243317d0944ba3dbfb50c07a830081ace2b59ffc26ecf642a261531b7367630000a455d5c31b

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
1.3MB

MD5
b6bbb934b1cd2acbaba2727739b575f1

SHA1
0f1e242dbf4ee224e937aaf4e94bce914f0f5f35

SHA256
54041233a101fd9edea9b7f9f9e9a500bf0b7810cc557f39b97a73a0645ffef3

SHA512
e30d1b526a2ad76c5f31ba735e1d4a0e3988d4c6f1bc5176906520619fad182d7d3a0ba468aa6bc298d0861049d24594b11fae92adff58fbffd36f58c9c20337

Download Submit
\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
9f3f12fe666caf7da676818e40e5cb27

SHA1
c0d551514a4555edb3ac82e4d26de0437735d92f

SHA256
5959c67772c24a88130327b1d934be17738c6b78ccff72de46937b20e8315e3a

SHA512
78bdb44275dbc82a0e7f6d66d979f7672364e6bea5d85c79c6cef042791da01e84edf487e52eb7fbb5378f6316e4dc681ff232d74fa5affb602cbd06be42d634

Download Submit
\Windows\System32\alg.exe
Filesize
1.3MB

MD5
0c336a69678c88247187977400f87603

SHA1
dd1bd631323bd09af3e2f982ad4947fd4f61c21d

SHA256
b6326bbf1cb76e66b65d76d2273d646c7c9030ec0cd63152f0d48668456dfbee

SHA512
a98816106baa64f4791f09544fa82acd33d7c51825399308c8ce64c2b55073f5e515e2bb0e789befd02d8ffab5449abc4f77ea762c8b4e11750ab63f51ac15d6

Download Submit
\Windows\System32\dllhost.exe
Filesize
1.2MB

MD5
a888a000089a4280bfaf82b6beef5c41

SHA1
dffb8f5e2dcbcf6d410d3adc0352da342cdd3ebb

SHA256
0f4526e54b5af32f4a8e55c77e1f168ff3e83d30cf6f79ff519b78c37ba25f3a

SHA512
892b37e8e2688b9dfce279461bfcecd21152879e6b44b212b6d30abb61dbad3a140970632b74bc3bca175952accce80839b68157a037d0dfa972b8b2b8926639

Download Submit
\Windows\System32\msdtc.exe
Filesize
1.4MB

MD5
4f4a56ff304cb24068fc10ad928cedee

SHA1
e22a84712bd7ee56458beebcf6bd6e2127be47da

SHA256
5453dc8e453800fc5ec38a0dee5898fcef0873c26bb5c6a5434991ebf745701b

SHA512
a6db1bd516d550ce1ef6d5dda460016328c3f62330ec3a5b11cfd4d935d652c999468dfc5d2af17cf73806df8a572a341cd8730e1cb6bd8c7e0d1baf26533c55

Download Submit
\Windows\System32\msiexec.exe
Filesize
1.3MB

MD5
e311a237399c5cd6665f8e287d224e4d

SHA1
23e7b64b3b256dbf773dfd7ff69e4c400f36bdb9

SHA256
292e2bed7abde185109819eea21c53a327672c1e22e877dac2ab491065cc1481

SHA512
91911e0206a7d625c41b01876624ae16ae0644f19db7faa4c2311f797789a855e7a67356cf52aba11f530f6c7ae230641d1c52f55a3494b4bceabd212931f2b3

Download Submit
\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
f676b56e9f42d80e3abf207aa6c71583

SHA1
2d52ec4fae566b4edc35d41c5a8296248117a6fc

SHA256
d0446c11d6b728e798043f37a6cae154f97948e44fd05f95cff22da732d973db

SHA512
60869ac39986b2bc252e89110c5a077d40f5f874f586788fce8bb680b351c171a05704264d1ea7cdfa3617cb4ce057a035365fe500a356638bb7118970c8cce1

Download Submit
\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
d0d6fa7a2763949b9a13b1330c8d08f3

SHA1
60aa435813b6a945f28f801276325444ee65e6dc

SHA256
c18a2224daa817d781287a96fc799bd9abe678a7c9727732a202b8bc46aff627

SHA512
6f4a0caa3f714f2083421230fc61036b3f0d64c8c720a3292c0c1731dd8521c0824439f2f3bf46b853cacdc15b5a938cb1864e2e2d0ab43b51820bedec87ed55

Download Submit
\Windows\System32\wbengine.exe
Filesize
2.0MB

MD5
6b9a033b20ffd9f375e7dd71a6734f64

SHA1
a04fb9b723e951d8516e5cb41d587124beb5ea6f

SHA256
8f2eb8c2bc369de3aca725b108dac0a7a03294553c662f717739ded782b5238b

SHA512
86d1e32d59d741d12be79b9a823846a8c3c57aeee44cebf47bc4466bd946d246018afa1c02cfe6687e1b60b70495d715c3882d37dc16ac78f73e3c056317d77a

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
0e5e6570f927c07224d7c76d74b7a341

SHA1
4ba5941bceb7bbb0ee573a372c55262a93b2f439

SHA256
ff1bd58c69e902a0864ed781a916fcd227b78223a3179c1d84a65adc07966069

SHA512
39a9db8ece49b99de62d7c3383023b3efa3d55abf078c14aed647e1749931a199dd87ccc225d55534908825e90965665c9ddefda4f274835b8d42e41c10d0266

Download Submit
\Windows\ehome\ehsched.exe
Filesize
1.3MB

MD5
c4eee0b8905f515ec6ce3f302d2b6f6d

SHA1
baae487775ced16c478281fddd15892b6a170f99

SHA256
acf7f4ca08695254a2f4a7c128affd9ad7843f5cdd5bd68519a660d3a9e166cb

SHA512
ddf508cd6a4d54b2ce60600c4b853319a5193c61c68b2c8eeb7956223b8edd465c37264b5bdff32cc8298fcfdb810c94008a39cac2264c5a34833b2148f146fd

Download Submit
memory/324-665-0x0000000003D30000-0x0000000003DEA000-memory.dmp

Filesize
744KB

Download
memory/564-529-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/564-504-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/984-283-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/984-769-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/1064-297-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1064-310-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1400-249-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/1400-494-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/1436-340-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1436-829-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1440-794-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1440-248-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1440-143-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1520-212-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/1520-321-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/1568-651-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1568-270-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1600-265-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1600-525-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1648-266-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/1660-287-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1660-238-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1756-125-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1756-782-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1756-117-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1756-225-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1820-169-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1820-267-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/1960-493-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1960-483-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1988-308-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1988-723-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2124-570-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2124-541-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2140-115-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2140-211-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2140-110-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2140-859-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2140-116-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2140-103-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2140-105-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2172-928-0x0000000001DA0000-0x0000000001E06000-memory.dmp

Filesize
408KB

Download
memory/2172-927-0x0000000001DA0000-0x0000000001DCA000-memory.dmp

Filesize
168KB

Download
memory/2172-926-0x0000000000B30000-0x0000000000B38000-memory.dmp

Filesize
32KB

Download
memory/2172-925-0x0000000001DA0000-0x0000000001DC4000-memory.dmp

Filesize
144KB

Download
memory/2172-72-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2172-924-0x0000000001DA0000-0x0000000001E28000-memory.dmp

Filesize
544KB

Download
memory/2172-923-0x0000000000B30000-0x0000000000B40000-memory.dmp

Filesize
64KB

Download
memory/2172-922-0x0000000001DA0000-0x0000000001E8C000-memory.dmp

Filesize
944KB

Download
memory/2172-195-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2172-921-0x0000000002020000-0x00000000021BE000-memory.dmp

Filesize
1.6MB

Download
memory/2172-920-0x0000000001DA0000-0x0000000001E44000-memory.dmp

Filesize
656KB

Download
memory/2172-919-0x0000000001DA0000-0x0000000001E2C000-memory.dmp

Filesize
560KB

Download
memory/2172-918-0x0000000000CE0000-0x0000000000CFA000-memory.dmp

Filesize
104KB

Download
memory/2172-917-0x0000000000CE0000-0x0000000000CFE000-memory.dmp

Filesize
120KB

Download
memory/2172-916-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/2172-67-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2172-66-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2360-88-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2360-82-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2360-90-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2360-198-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2376-543-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2376-526-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2380-828-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2380-323-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2460-1-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2460-102-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2460-0-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2460-156-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2460-157-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2460-9-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2480-14-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2480-137-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2512-39-0x00000000004E0000-0x0000000000546000-memory.dmp

Filesize
408KB

Download
memory/2512-32-0x00000000004E0000-0x0000000000546000-memory.dmp

Filesize
408KB

Download
memory/2512-64-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/2512-31-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/2652-264-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2652-524-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2656-263-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2748-226-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2748-338-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2752-142-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2752-19-0x0000000000E00000-0x0000000000E60000-memory.dmp

Filesize
384KB

Download
memory/2752-18-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2752-27-0x0000000000E00000-0x0000000000E60000-memory.dmp

Filesize
384KB

Download
memory/2760-257-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2760-158-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2828-48-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/2828-49-0x00000000002D0000-0x0000000000330000-memory.dmp

Filesize
384KB

Download
memory/2828-94-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/2828-55-0x00000000002D0000-0x0000000000330000-memory.dmp

Filesize
384KB

Download
memory/2920-236-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2920-138-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2960-196-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2960-307-0x00000000005A0000-0x00000000007A9000-memory.dmp

Filesize
2.0MB

Download
memory/2960-294-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/2960-199-0x00000000005A0000-0x00000000007A9000-memory.dmp

Filesize
2.0MB

Download
memory/2996-186-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2996-282-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/3024-190-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3024-181-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download