e7e8230c65b736ff426d96a49c0cf869f4ecdea043b8cfeb27a136f300192e66

Analysis

max time kernel
45s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
Size

5.3MB
MD5

74cdce28e58f609d0d37242f51e5650d
SHA1

23c46b87dbcd630d197180fd2ece5445490b141f
SHA256

e7e8230c65b736ff426d96a49c0cf869f4ecdea043b8cfeb27a136f300192e66
SHA512

cfdaa8ae306bfc034897199222a6c7692548a50cdeeea1df859d2dd143ff0eb8ee82d2cdfcf342e874d5d7848e887e99ecc44b4befebc65f1d7e3eeb11f4c502
SSDEEP

98304:ZLXClnwPWrDSVYg5MHKO6HCfyAo77wRGpj3:klnwPihg+ByAo/F9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 50 IoCs

Processes:

aspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exeGROOVE.EXEmaintenanceservice.exemsdtc.exemsiexec.exeOSE.EXEOSPPSVC.EXEperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exewmpnetwk.exemscorsvw.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
480
2476	aspnet_state.exe
2876	mscorsvw.exe
1392	mscorsvw.exe
1752	mscorsvw.exe
2000	mscorsvw.exe
2456	ehRecvr.exe
2324	ehsched.exe
2304	elevation_service.exe
1596	IEEtwCollector.exe
3044	GROOVE.EXE
1072	maintenanceservice.exe
1836	msdtc.exe
2920	msiexec.exe
2280	OSE.EXE
1636	OSPPSVC.EXE
1784	perfhost.exe
2616	locator.exe
3160	snmptrap.exe
3436	vds.exe
3556	vssvc.exe
3704	wbengine.exe
3888	WmiApSrv.exe
4040	wmpnetwk.exe
4056	mscorsvw.exe
3696	SearchIndexer.exe
3596	mscorsvw.exe
3380	mscorsvw.exe
3636	mscorsvw.exe
3680	mscorsvw.exe
4076	mscorsvw.exe
1072	mscorsvw.exe
3428	mscorsvw.exe
3588	mscorsvw.exe
3740	mscorsvw.exe
1468	mscorsvw.exe
3848	mscorsvw.exe
1092	mscorsvw.exe
3036	mscorsvw.exe
4080	mscorsvw.exe
3508	mscorsvw.exe
3528	mscorsvw.exe
4024	mscorsvw.exe
4064	mscorsvw.exe
3680	mscorsvw.exe
2904	mscorsvw.exe
3816	mscorsvw.exe
3364	mscorsvw.exe
3372	mscorsvw.exe
3368	mscorsvw.exe

Loads dropped DLL 13 IoCs

Processes:

msiexec.exe

pid process

480
480
480
480
480
480
2920 msiexec.exe
480
480
480
480
480
756
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 19 IoCs

Processes:

2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exeaspnet_state.exeGROOVE.EXEmsdtc.exeSearchProtocolHost.exe2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\16dc0a2b78a61a12.bin	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe

Drops file in Windows directory 27 IoCs

Processes:

2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

ehRec.exeSearchIndexer.exeSearchProtocolHost.exeOSPPSVC.EXEehRecvr.exewmpnetwk.exeGROOVE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000509a4aec8199da01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-101 = "Chrysanthemum"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{D98DF79B-8A15-4D69-AB3B-A6AEB81D9D87}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{D98DF79B-8A15-4D69-AB3B-A6AEB81D9D87}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d09a96e88199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

chrome.exeehRec.exe2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe

pid	process
2656	chrome.exe
2656	chrome.exe
1568	ehRec.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exechrome.exemscorsvw.exemscorsvw.exeEhTray.exemsiexec.exeehRec.exevssvc.exewbengine.exeSearchIndexer.exewmpnetwk.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2372	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
Token: SeTakeOwnershipPrivilege	2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	1752	mscorsvw.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: 33	964	EhTray.exe
Token: SeIncBasePriorityPrivilege	964	EhTray.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeRestorePrivilege	2920	msiexec.exe
Token: SeTakeOwnershipPrivilege	2920	msiexec.exe
Token: SeSecurityPrivilege	2920	msiexec.exe
Token: SeDebugPrivilege	1568	ehRec.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: 33	964	EhTray.exe
Token: SeIncBasePriorityPrivilege	964	EhTray.exe
Token: SeShutdownPrivilege	1752	mscorsvw.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeBackupPrivilege	3556	vssvc.exe
Token: SeRestorePrivilege	3556	vssvc.exe
Token: SeAuditPrivilege	3556	vssvc.exe
Token: SeBackupPrivilege	3704	wbengine.exe
Token: SeShutdownPrivilege	1752	mscorsvw.exe
Token: SeShutdownPrivilege	1752	mscorsvw.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeRestorePrivilege	3704	wbengine.exe
Token: SeSecurityPrivilege	3704	wbengine.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeManageVolumePrivilege	3696	SearchIndexer.exe
Token: 33	3696	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3696	SearchIndexer.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: 33	4040	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	4040	wmpnetwk.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeDebugPrivilege	2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
Token: SeDebugPrivilege	2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
Token: SeDebugPrivilege	2120	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

chrome.exeEhTray.exe

pid process

2656 chrome.exe
2656 chrome.exe
2656 chrome.exe
964 EhTray.exe
964 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

964 EhTray.exe
964 EhTray.exe

pid	process
964	EhTray.exe
964	EhTray.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

SearchProtocolHost.exe

pid	process
3144	SearchProtocolHost.exe
3144	SearchProtocolHost.exe
3144	SearchProtocolHost.exe
3144	SearchProtocolHost.exe
3144	SearchProtocolHost.exe
3144	SearchProtocolHost.exe
3144	SearchProtocolHost.exe
3144	SearchProtocolHost.exe
3144	SearchProtocolHost.exe
3144	SearchProtocolHost.exe
3144	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exechrome.exe

description	pid	process	target process
PID 2372 wrote to memory of 2120	2372	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
PID 2372 wrote to memory of 2120	2372	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
PID 2372 wrote to memory of 2120	2372	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
PID 2372 wrote to memory of 2656	2372	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe	chrome.exe
PID 2372 wrote to memory of 2656	2372	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe	chrome.exe
PID 2372 wrote to memory of 2656	2372	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe	chrome.exe
PID 2656 wrote to memory of 2548	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2548	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2548	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2736	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2768	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2768	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2768	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2860	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2860	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2860	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2860	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2860	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2860	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2860	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2860	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2860	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2860	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2860	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2860	2656	chrome.exe	chrome.exe
PID 2656 wrote to memory of 2860	2656	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Admin\AppData\Local\Temp\2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=109.0.5414.168 --initial-client-data=0x1a0,0x1a4,0x1a8,0x19c,0x1ac,0x140431148,0x140431158,0x140431168
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef62f9758,0x7fef62f9768,0x7fef62f9778
3⤵
PID:2548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1316,i,14785157889351747673,7781938696309356096,131072 /prefetch:2
3⤵
PID:2736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1424 --field-trial-handle=1316,i,14785157889351747673,7781938696309356096,131072 /prefetch:8
3⤵
PID:2768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1496 --field-trial-handle=1316,i,14785157889351747673,7781938696309356096,131072 /prefetch:8
3⤵
PID:2860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2224 --field-trial-handle=1316,i,14785157889351747673,7781938696309356096,131072 /prefetch:1
3⤵
PID:1240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2232 --field-trial-handle=1316,i,14785157889351747673,7781938696309356096,131072 /prefetch:1
3⤵
PID:1180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2816 --field-trial-handle=1316,i,14785157889351747673,7781938696309356096,131072 /prefetch:2
3⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3028 --field-trial-handle=1316,i,14785157889351747673,7781938696309356096,131072 /prefetch:1
3⤵
PID:2468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2956 --field-trial-handle=1316,i,14785157889351747673,7781938696309356096,131072 /prefetch:8
3⤵
PID:1348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3600 --field-trial-handle=1316,i,14785157889351747673,7781938696309356096,131072 /prefetch:8
3⤵
PID:792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3636 --field-trial-handle=1316,i,14785157889351747673,7781938696309356096,131072 /prefetch:8
3⤵
PID:1860

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
PID:2824

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13fba7688,0x13fba7698,0x13fba76a8
4⤵
PID:2044

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
PID:556

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13fba7688,0x13fba7698,0x13fba76a8
5⤵
PID:1352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3900 --field-trial-handle=1316,i,14785157889351747673,7781938696309356096,131072 /prefetch:8
3⤵
PID:804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4036 --field-trial-handle=1316,i,14785157889351747673,7781938696309356096,131072 /prefetch:8
3⤵
PID:3196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4180 --field-trial-handle=1316,i,14785157889351747673,7781938696309356096,131072 /prefetch:8
3⤵
PID:3220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4044 --field-trial-handle=1316,i,14785157889351747673,7781938696309356096,131072 /prefetch:8
3⤵
PID:3380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4024 --field-trial-handle=1316,i,14785157889351747673,7781938696309356096,131072 /prefetch:8
3⤵
PID:3924

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2876

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:580

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:4056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1e0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 240 -NGENProcess 244 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 24c -NGENProcess 1e8 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1cc -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 248 -NGENProcess 254 -Pipe 1cc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:4076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 234 -NGENProcess 25c -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 264 -NGENProcess 238 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 248 -NGENProcess 26c -Pipe 234 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 260 -NGENProcess 238 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 274 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 264 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 238 -NGENProcess 27c -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 250 -NGENProcess 26c -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 274 -NGENProcess 28c -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:4080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 28c -NGENProcess 238 -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 268 -NGENProcess 294 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 294 -NGENProcess 26c -Pipe 298 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:4024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 29c -NGENProcess 280 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:4064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 268 -NGENProcess 2a0 -Pipe 294 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 28c -NGENProcess 2a4 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 2a0 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 260 -NGENProcess 2ac -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 1e4 -NGENProcess 250 -Pipe 20c -Comment "NGen Worker Process"
2⤵
PID:3912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 244 -NGENProcess 294 -Pipe 234 -Comment "NGen Worker Process"
2⤵
PID:4076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1d0 -NGENProcess 270 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1cc -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"
2⤵
PID:1968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 240 -NGENProcess 1d0 -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
PID:3628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 250 -NGENProcess 1d0 -Pipe 244 -Comment "NGen Worker Process"
2⤵
PID:3884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1e0 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
2⤵
PID:1872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 258 -NGENProcess 240 -Pipe 224 -Comment "NGen Worker Process"
2⤵
PID:808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1c4 -NGENProcess 1d0 -Pipe 270 -Comment "NGen Worker Process"
2⤵
PID:1368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 1d0 -NGENProcess 1e0 -Pipe 21c -Comment "NGen Worker Process"
2⤵
PID:3788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 268 -NGENProcess 240 -Pipe 250 -Comment "NGen Worker Process"
2⤵
PID:3388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 240 -NGENProcess 1c4 -Pipe 1c8 -Comment "NGen Worker Process"
2⤵
PID:3468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 2a0 -NGENProcess 1e0 -Pipe 258 -Comment "NGen Worker Process"
2⤵
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 1e0 -NGENProcess 268 -Pipe 2b0 -Comment "NGen Worker Process"
2⤵
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 284 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
PID:3280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 248 -NGENProcess 1c4 -Pipe 260 -Comment "NGen Worker Process"
2⤵
PID:1104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 294 -NGENProcess 2ac -Pipe 240 -Comment "NGen Worker Process"
2⤵
PID:3884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2ac -NGENProcess 2a8 -Pipe 284 -Comment "NGen Worker Process"
2⤵
PID:3380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 288 -NGENProcess 1c4 -Pipe 1e0 -Comment "NGen Worker Process"
2⤵
PID:2288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1c4 -NGENProcess 294 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
PID:2712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 238 -NGENProcess 2a8 -Pipe 248 -Comment "NGen Worker Process"
2⤵
PID:3384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 2a8 -NGENProcess 288 -Pipe 2ac -Comment "NGen Worker Process"
2⤵
PID:3956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b8 -NGENProcess 294 -Pipe 29c -Comment "NGen Worker Process"
2⤵
PID:3860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 294 -NGENProcess 238 -Pipe 2b4 -Comment "NGen Worker Process"
2⤵
PID:3624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2c0 -NGENProcess 288 -Pipe 1c4 -Comment "NGen Worker Process"
2⤵
PID:3904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 288 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
2⤵
PID:3000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2c8 -NGENProcess 238 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
PID:3452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 238 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
PID:3824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 294 -Comment "NGen Worker Process"
2⤵
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
2⤵
PID:2672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2c8 -NGENProcess 238 -Pipe 2dc -Comment "NGen Worker Process"
2⤵
PID:348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 238 -NGENProcess 1e4 -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
PID:3212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 2e0 -NGENProcess 2c0 -Pipe 2b8 -Comment "NGen Worker Process"
2⤵
PID:3608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
PID:4008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e8 -NGENProcess 2c8 -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
PID:3236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2c8 -NGENProcess 2e0 -Pipe 268 -Comment "NGen Worker Process"
2⤵
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2f0 -NGENProcess 2d0 -Pipe 238 -Comment "NGen Worker Process"
2⤵
PID:3136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 2ec -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
PID:2608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
PID:4032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2f8 -NGENProcess 2f4 -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
PID:1556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2f4 -NGENProcess 2c8 -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
PID:348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2c8 -NGENProcess 2e8 -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
PID:2640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 288 -NGENProcess 30c -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
PID:3196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2fc -Comment "NGen Worker Process"
2⤵
PID:1448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 310 -NGENProcess 2c8 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 30c -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
PID:4048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2e8 -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
PID:3028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 310 -NGENProcess 320 -Pipe 314 -Comment "NGen Worker Process"
2⤵
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 308 -NGENProcess 2e8 -Pipe 288 -Comment "NGen Worker Process"
2⤵
PID:2176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 31c -NGENProcess 328 -Pipe 310 -Comment "NGen Worker Process"
2⤵
PID:3660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 304 -NGENProcess 2e8 -Pipe 300 -Comment "NGen Worker Process"
2⤵
PID:2600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 32c -NGENProcess 308 -Pipe 30c -Comment "NGen Worker Process"
2⤵
PID:1764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 334 -NGENProcess 328 -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 33c -NGENProcess 320 -Pipe 338 -Comment "NGen Worker Process"
2⤵
PID:1324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 304 -NGENProcess 318 -Pipe 344 -Comment "NGen Worker Process"
2⤵
PID:4024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2c8 -NGENProcess 340 -Pipe 31c -Comment "NGen Worker Process"
2⤵
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 340 -NGENProcess 334 -Pipe 34c -Comment "NGen Worker Process"
2⤵
PID:2104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 2e8 -NGENProcess 348 -Pipe 32c -Comment "NGen Worker Process"
2⤵
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 388 -NGENProcess 38c -Pipe 394 -Comment "NGen Worker Process"
2⤵
PID:808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3b0 -NGENProcess 3a0 -Pipe 3ac -Comment "NGen Worker Process"
2⤵
PID:2288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 39c -Pipe 3a4 -Comment "NGen Worker Process"
2⤵
PID:2216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 388 -NGENProcess 3bc -Pipe 3b0 -Comment "NGen Worker Process"
2⤵
PID:2200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 398 -NGENProcess 39c -Pipe 3c0 -Comment "NGen Worker Process"
2⤵
PID:3596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3a8 -NGENProcess 384 -Pipe 3a0 -Comment "NGen Worker Process"
2⤵
PID:3476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 388 -NGENProcess 3c4 -Pipe 398 -Comment "NGen Worker Process"
2⤵
PID:3944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3b4 -NGENProcess 384 -Pipe 208 -Comment "NGen Worker Process"
2⤵
PID:3552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 384 -NGENProcess 38c -Pipe 3cc -Comment "NGen Worker Process"
2⤵
PID:1428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 3bc -NGENProcess 3c8 -Pipe 3b8 -Comment "NGen Worker Process"
2⤵
PID:3804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3bc -NGENProcess 3d0 -Pipe 3b4 -Comment "NGen Worker Process"
2⤵
PID:1016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 39c -NGENProcess 3c8 -Pipe 3a8 -Comment "NGen Worker Process"
2⤵
PID:2524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 388 -NGENProcess 3dc -Pipe 3bc -Comment "NGen Worker Process"
2⤵
PID:2484

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3372

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1cc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3368

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2456

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2324

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:964

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2304

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1596

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3044

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1072

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1836

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2280

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1636

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1784

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2616

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3160

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3436

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3888

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3144

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
2⤵
PID:3224

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
2⤵
PID:3384

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:1756

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
be3429c0d2d4ea1d48d9346472c65537

SHA1
6391b69b660434c7010eefee95bf2a032921fdf0

SHA256
e883374df0ee1a745642865e21d00ada2803d618747aba1a04cd9ea7a08ec49e

SHA512
5bcd39f943ae07ca1bef2106135f35661a16951a687efd73b5400175905bcc9d377b21c50ac89fbf627dfb7e98ad14361ee996251adc0bb5fb4e940ddb2fd41e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
a2b9f68a106ed8e6fc807469bd4a5375

SHA1
15d70bf14b0d05952bf9c0e7e5b02b3634496438

SHA256
20764a43737a2898ad2fe4ef4d7c9ed57cd31d961d9a7385682e275856165206

SHA512
7c83d2efc981a58597b9ce25821011d52796dcbbe80e6a5c6ac7d8ee45cde0a21a39ca5dc2c4fe12f9a0845e4cc9e03fbb7be42871974a74629cdec2d1c5dfb3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.5MB

MD5
3e60a3f658f6c9ade275eedfa4fa85d5

SHA1
6bcf54c0f4a9b8b1e08f4b769f8c1e6e229c18ce

SHA256
a660316987318c5fbf24bf5b65da4ecfca3c83b9e3ed4654c14867ddedc69d17

SHA512
376ae56bc683d870f456ce9f230c9ae7b7e97bda7ea8d7de02fe4db9018f277ab68387c5e76c176e30b2d27f5ab3a2cea241de652ae8300891ac29566d30a920

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
083ead00262a47b402b1204e110ab87e

SHA1
af73da3b92829f2c4affaa02aa233f0666283234

SHA256
7cc096166be6baefc07f58b00a5a24241cbc419eecc27de54039bc48a20d6c88

SHA512
074caf69fd843e4a7d673afd56923173601cdd7e3c486c0b70f6bc06aa7a0d917804529e1d01dae7b0bcc0defbc0bde48f8c5aaa01fc4227d7c9102ac138012c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
620f931e7679ce78964a165270797a9b

SHA1
87f4b35e8109255bc6e4b928ed2b6d553e6b81fc

SHA256
50792d5a96a9e7139789407557667ad857cdcd943328dbba7f266d311e254beb

SHA512
8cb5d810eb616724f3d3a1636308463c1e70e5735e23d043d278c46bc0ed09bda51366182fdc581d4249d64fde795495981f3956b14311e7d5a7f87725e07618

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240428153630.pma
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
395b90b5d6e98603b7ffaddbc8383fb3

SHA1
0a6cbbddf032fbc48d9563957c84d12b3d5c2067

SHA256
b378a93abe22dd1b2c4f2bd3025f2141e4bf6b75519956d7f50815f372eb8dfd

SHA512
4ac46bb9d50f3fb2486b547ed590624d21ae72f4eccc65b92413cd0944585d2bb69af48832729d3640ca6054f31e45654ddd93b8d26eb449393298eb37834821

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
ed715d36c6e1a35718245d163b752006

SHA1
aacee5bf36ae2ed34b5a7b67070af133bf605a1a

SHA256
a428a6d7caa0b2da05d2a23609a8d0b304ed47abfd582c313ab216176079ae50

SHA512
42b5d8146f04aed3e270919381e98d3de6c505572bfc771f1febcd9c26df574bf800dfa08cf1b961798c938c818f6e2ebf494848a63a44a9735096c4a0169159

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
878e98d7183b682a8dd267e4c4f2a7a5

SHA1
39dd3dfd5e68ab3f7a0280269e0a638206a0e053

SHA256
1279f1500ea7aebafc0759dd46b1ae0f856bbd151cad35913b8cc0079285bc3e

SHA512
7b01b15e2dcc49a0fc78e2e8be038683e179a0d551ed9d17d8b81d0a2ae7f6189d3c22d5bd68d659297709a7c9e9fe2778d9ea30bcec156d1d9f6229d4154ff9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
f0073b3f7bc4cef21c1fea320a5bcf35

SHA1
6c3b2d7337a849d98ab6c95fe6ca8cf7b15991d9

SHA256
58f754abf5358b0ec00993d446e7dddf0a167e7ca495747ec83edb1052d6f70f

SHA512
3cda32b94dea2ff6b1b4e0f6df416cdcb05559223569665af9f934aeac6c71bc4487a389fcd10015b5265b167f715fb3dcac4f81ecb516b476ca787204933fae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
316708b6ffd00d708f23e2fb812d50ff

SHA1
5a4da7a55b336401c8f1d238f850088a415c928c

SHA256
2bf32d69743afadbf1e1e1de7a67db397a5e8200852b57f398abfca1051cf2a2

SHA512
99d49bdbab790f2c7a716421b78267f049da5adacf3a3facc360cdd3c11f06dcb962ca6313e0e858cfb706f7b1ed01c1872bc1d0fae43953b4c8b275604d0651

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
5KB

MD5
74e80b08e60d0a491f504ebcfb6a544f

SHA1
a980d283b8adef2c5154b99f57837fdb9dec602f

SHA256
2527bd9d23db9e87a5d40b23cfcd8cc5c19497c481053ead8fff6856679863ed

SHA512
36e594d606d75268c9313243d8d161d336a930d6ccc5fa4308525eaa82cb4496051d23bf0eebd44a48333951d8dd54453f63902e9212d45c329dad7a2f2052ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
6KB

MD5
180e21a7f620ff5112fdbda29f718e7d

SHA1
32935fefa2ccecb9fe699d3c3136a6f4163005ce

SHA256
d86c1b0e7a94198a9374709f4aa014fc541d2d4d9b03457d364068c17db2c082

SHA512
97b22d928252f9862dfd8f6365576f0d291148e0a7e639900b0007fc78c081f7591e1cec0083e873e482554b42874c7952e56ffeb16f663fcfd52e7926081147

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2656_952193560\098531cf-222f-4a86-8df0-484f05724a57.tmp
Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Roaming\16dc0a2b78a61a12.bin
Filesize
12KB

MD5
a147eb01b6673ad3d822a91cde141319

SHA1
ef21257324ed8ca8e33b4455046a328aaf0c8097

SHA256
cabb7f2295bbece02745b7d5b403be807367f9a69418c5a507791287a689a28b

SHA512
72a057017340b64e21ad1d0d857f431e90714c83cf24d9a4455203f0340cddc24f6a017915b32e5931c43b7a313819f43edaa41cdcfd1072b162b03b987b30b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
1.4MB

MD5
4cab825457e324041ef14a4c934f9750

SHA1
c67359a728d8ef086ff71254e3c5c66b982169f0

SHA256
ba73894e507930112e9ec6d02accd5af14a3a365a20b0f735977ad39d40f1dd6

SHA512
4ae2fb13120f741b3b24f4e76203d6eb4ed1403fcb849138aee124e11f29676d1dc28b7ee7795eeb59af2da8c730275427412d11763d4046c5d2bbc8f0b65889

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
a9954755e5e517da0f8994724b2d0f1e

SHA1
0784e6df2636e545b139cc87526ccec5a864a421

SHA256
f58e420f07cb9ca0e170dcb4fbc8f9594cd871b1d5a867a7aa945f16b7ea42f7

SHA512
2dd6e12aa7656598d503fecf2ec5462b8b8e98001a1400b745af8b5eae81bea3f9cbba097a576e201ae7269d40f88dc41578714930924ede0778ce77ccf7fcc5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
1.4MB

MD5
9cc3b00f2f94bd544c0b12eda945210b

SHA1
c9780aff0aaaddb4d9a0894748dc7ea7117ef3ea

SHA256
decb265fd74b9375165baa03744b78dd3a95d17484694fb19f5690383dcbfbda

SHA512
6c3433d761b57ef898dbe6e22f954fa904702ba151ad75b0b06d1b5edbee37e0106c9b24ffade4ddd18adb0208236b8220b3baeb212b0fa15d070e840226782b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
1.3MB

MD5
32923fa98fe7d0c379e96f85b0ebea89

SHA1
9833943fdd439b802e85912aeb7e0163976548e3

SHA256
02c237292e37bdf65bdb0bfbeeab30240758f38c8a309b5b7e19cbafe633e746

SHA512
e47d43a94f30c57cefe286439e611aa53c81bfd645c8d2bc0ac1bf0cf5fb5f1b1233ee3ccaca0763c189a4e9f3f80e65b03ba83e5de6260d4801db1fc0f06673

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
a51c27f6ef859a710274b6af74cd2978

SHA1
452b91b250db88cf7c5eb0e3cf5ff2eb378df2a7

SHA256
3a7d4d70291ade9af6d6430097e0f78259fefcc332957d72929fded97b3fbe8e

SHA512
06569a917984e5acdc8493308ef7a5c068587afbf1836e926e34d47e23abfa14c7ccc34bb1239c5f2b7ddf03e0706282fd68e42e895a861736565c717e61a5ef

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
1.4MB

MD5
ea48d1cae897e787d22e0e16e122d511

SHA1
566c3f4ef2727a7289077a26b47b19ec2e831dd8

SHA256
d82fa5dca52c1e4f63ed07b3633dc102d6c7340154eb8f9fe0bbe5499c0b764a

SHA512
05bf29d75e3029dd76133bfc4106ee1d0c1f5668960b303ac09b817a0154d179566b8ad2104d61b533df41d854e74a3a49302af86ab6a9f8f4095cad9807399a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
10df1968b3ebd904545e0e038a2cb271

SHA1
f88ba6edd87f029085e3b8462807622b971fcb8f

SHA256
076b3ac3a43d72c5537bca37b808e560c1887effe2d53b33bad180a6a76fe995

SHA512
f27acdbcbb46aabd09796ade9b768b69d3f4f5cf6d4cea94dad831085dd74c26a6c109c1d029cb13362b6a87ed2f6a9e504d3733cffb54dcd567e01a396fdaec

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.3MB

MD5
7b2f882dbb638cc2b1376c6ff005c12b

SHA1
c3ed46dc96f04e1071d549db91e3cf1ee567f4b7

SHA256
3e17eb4f08d9dbc53ea4d6ecfc6af6f069bcbd3120b357c7c01dd5804283b6a6

SHA512
e546232c5b67733386f563ef69aa8f7ee149d37f597a2e8697a4db21f2b808f518ba54c950af833671eafc98056915d2dbf22cbcaee9165753d65f3da2730af5

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.3MB

MD5
25c3eb9a2809857bec20b4c0c9b31eca

SHA1
6ce59ed43453314cb4d221d1da95737c20a735e6

SHA256
d45e5462587c0fd712a6817d7f40b3158edad84bb1c1c74c56eee3852f817a70

SHA512
309835ae6724d62839ee5dc988c93833eb44b33ac3b7e004549ca72e35cc464a485dbae3773ef801aea904e65b30884ec05ca4d7e707701eb263d5e2b41b9b1d

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.1MB

MD5
6f10ae86c4de32cafe6f06e35fe0c3ce

SHA1
fb73ba155f6327e75da54851bc1ef202a3f16abd

SHA256
63ea1fcd52d3e259216a5b7b1e0ab3b31538eadd44e54f8a09b9127db6407430

SHA512
2756587c88e13b7d69ed98419f94e2383bdb3a59ccb9e47128111b496a0004cfb16de053987cf8894f9a2384a56cb157fb610cbde7d823d52a069e8554ef534b

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.4MB

MD5
72e92ae82ab75a175a54ab85fcce6d3e

SHA1
08826302728e6b050a54412af281e8c28f8a765f

SHA256
a4708c71e2084d5dae2c4c130622a0b13d08ebe5f6eae637d2c7db34158f1092

SHA512
b9f8ec82f3bf664bc8895a87638ed43a3285296b4372cd4d0ba431e4ed94c018f60161928f4061e95e8491ab4e9f9a3578f270996cdaacb9db330c2bfced0b8c

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.4MB

MD5
5491ee2b278853991badf9000361e60e

SHA1
553c2d9099fc9bfd2c936a71db7aa120c27c3b38

SHA256
9960a49444d004e9bd4aa30d814d89b3c4410e1d1087fe50feebac558be59d73

SHA512
eda0b359f2e489fcbbffc250eae17e7b9fe0a6e40445a512ffe404cea82728bc130739cb1faa2e0ec1c1bdb3f5c97e4eef9042d183eb67359f29e664ef6d5468

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.8MB

MD5
0fcca2f3f6183521fc2cec534160950e

SHA1
7a28e7745773fbe1310003b217873b59bb15d6d7

SHA256
a9dd672423ab4f57fb3c0d1e80a44d4b868d5b757c659262e7887f024611033d

SHA512
05b6deec69f878394590430994058e5ec0b063f4a84ff6cf249d7795e0baf77971335dc4b2c858394c0832e03ccbec2fbbfde63d2d21e20ae4e4096ddfb2f14c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.5MB

MD5
0d8826e95db840bb01d399690ae781aa

SHA1
94dfc68e3822551096a33e6b827591bcea1c58a1

SHA256
c3cb3078d3c8f666cc2fa8e772f24a22d77317ad39f458e459795593df8f357a

SHA512
98a16279256fd800a71dce4574fd346d86512f660ecf8da85b48fc3f83dbace89a435d6630408d064db225d2e853b8273350e77681790ff715707151f45ea549

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
8e57bee7d9964ec378facb472998af9c

SHA1
b6a4729c7e03bb8001de780d35e56397446f6a25

SHA256
452150b8d455f00832a6926bd5d6d85bfb91ae2f9f5b106db1de1aeaaf91573d

SHA512
a97233c24510a02c11a304e3cee9865511901ba6302ca4579db155f5fa9c5d4346834be3ca33c54ee0c1a86615966b6b74ccb70ea0663f7cc7a85e6497945b0a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4a2f77413c9104a487169b7a8b509580\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
83KB

MD5
9538522869bd6b9fa064e75b675aace0

SHA1
0f9e346f6a95607883339a3f6cd365e652a6909a

SHA256
6433e4bbdc72a86669253855cd1a16fad1d083eee5ce6e2161792d3ea23f538b

SHA512
4928ffcc59767ad15d20c8a714f091afb61b22a902f1f4b1f83b55bf519601dc96fa5525d267633b0524f65b6ac8553dc20a79326df2d8af5fa750c93e3f18c2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8458d7be3f71ae8071f4a290d90174d8\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
187KB

MD5
536c0468510edd428c3fc4b3a64dabe1

SHA1
cdb24fca6a2e0c122df0484c758c76d62e8a9c0a

SHA256
227d9a6f11db170104a7bb60b7950bf1b7cc41676ff4df2a0f46af41b41e85c5

SHA512
9a4b75f0f13ed2abb1ef8641c45ecc26f3ba45b1edf07dcf607d95bc06b52d442b90fbee9d8f21bfc8ac3f179e23e8361b0550e90a03a27da4c4eda8fabb47b7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\884924c25961b62702f1d81da343dd33\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
143KB

MD5
15b07a48eb114eabaa1dd182163677cb

SHA1
e63dfe2ec2bc64b59ddfabcb63449a4bdd43b398

SHA256
b901b194909c163e0772af916851f6636bfa3378114a30fdfeded297765f61aa

SHA512
38618c56a87eafa3b3e89b214d623c981569f0d8647608bb8a32dcb2ac5c89308d6024336c7f41091265d5c52a51d02e7f31a77a38db6b8b1ac4e8c5be9532af

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d1a11ed37ad46bb9c768d236c9303fd6\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
180KB

MD5
d6145d4dd049d3142f0f41c723a32ae7

SHA1
459118b24fac2b4a70b23007deefbd696a609600

SHA256
c5a402f3cc519e94359db897a2be39c70e23dc0498a2b91dfbbc26b27a247e9f

SHA512
2f134b0146f772425e27b63ca4bfbdbf1cf40576c0c0e052a5f28278f1018cb9eeaa92f6e818116ebf6a4991fd769f19b8d2c998ffec033c7a349a2823b6ef97

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDBA0.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll
Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\??\pipe\crashpad_2656_HJDTZFLEPUTHLOZC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
2.0MB

MD5
fd5940c67d93942d92eef0d26b48c514

SHA1
ce0e8bc75285631e6b5062becc6c0284a65f919f

SHA256
1cde580004300a644341198cf889af826352dcd5e93c7de76a6e8f6830da8da9

SHA512
bfa1d7cd1a47de843b1c0468a3dd5d4f0e8f4923e735e132912bae7bfe686815cbe21664fa195c158a49609f0b5a9ba5c16a181b168b8ba7c1393a24e0d10d70

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
1.3MB

MD5
3fe4aeef8ee8a3062c45c4cbfcb8c2e0

SHA1
ed1292e6b85179a58b8d753ccbcae4689a0d5fbb

SHA256
6276dceb47e3eb4cf8e8a3192a420555d3c16f0514ebe403a45db44132947835

SHA512
36d8991744e2464b2fd26a71fe5e0229a169ecef7b82e289891a82ac4f614b4d58c124d101693f5be29d9ee8f6577d2df6df053a6a6a5909317e65cbc3817108

Download Submit
\Windows\System32\ieetwcollector.exe
Filesize
1.4MB

MD5
68efeca8ca99727644a5e19ff07aaaf5

SHA1
cf2e89071406f1ecbe3ac7b2b48bd990bc3f33e6

SHA256
763fc191fe7c43ab27e4614ac83dee74fab5db7f7845a17440e28e7bbe42585d

SHA512
eb8209906e4b81efec1d27788fbb422d979f024281b42577b7e5511556e526591a2db224276f91dcb422912a7397bb57f4a34bc66e599f0d4e648e3abe8cc13b

Download Submit
\Windows\System32\msiexec.exe
Filesize
1.4MB

MD5
53fe2e3b30144795e3b433432d066077

SHA1
2af27550ba25b9662d3b90730e19097bb80ef991

SHA256
aeb3da291bec42cc07d47ed67f253d244f54cf8190295be3a20d3f79e1ac9461

SHA512
807d39797f1a791e8b28154c9ed20f70e6376cbe3f89b5258641df298b276659a3cbe982f2f5d2212904ed9d7604920f6bf52212abfd19c32504cefd75e7e12c

Download Submit
\Windows\System32\snmptrap.exe
Filesize
1.3MB

MD5
3970ef50e7463cff03fbaf377be6fef6

SHA1
3c25d5989e8c144396ed7d9242ee9e318e7b5edf

SHA256
dc5f182dad3468843d4c80a8d17c691a8449c4d9c907881e85b9e11eb054bd2a

SHA512
17a7f63c478885164befdcce1c5840c09bbe61bc2d0b8cfce6c0f97ffde6b533cd0eb585ef391eb06e1813943ad947dc44ef64bad6a5d43c0578807fbe2370d9

Download Submit
\Windows\System32\wbengine.exe
Filesize
2.0MB

MD5
7848df328a9aea373b7267a8e2223294

SHA1
758bcd51b1d784c164c55c70067c2aa680423d4f

SHA256
8dde8f02cf4a54b9cac8151c3f50fee4f8394cf12202dbc3a39f058173c7a7c5

SHA512
f030fd687818c355c927f142dfc8638d5b40ba710d6422c6765cbf862f2802c14f48857eb72dddfa926c12cca016da6c20b1012bfb0c0a7dbe77549378307ca8

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
e1d26f3620081eaff6617d5718172f36

SHA1
8564ee030659b7ba971b0e3425a4043a0ccdea3d

SHA256
66daac631e900658781e91378b86c7162b3616d636289890013148c87f7e208d

SHA512
cf71ca0384334c977ac69fba0ccf846db10aa994e56c9471fe56a144bef16668cf9807b262a4a716f92299ac46cf9d10bb42ef012314cd51fba9ff7cd6ca446b

Download Submit
\Windows\ehome\ehsched.exe
Filesize
1.4MB

MD5
ab0669ad9bdff5e3a9f4f4cde2e0b6ac

SHA1
34745b077d5c84a6d8aaf684fb8059e1548328d2

SHA256
a0680a21d32ce5c3f81089f296d42d1803dc2e85ae8d29c3a6f8ba68c7687e7d

SHA512
aabec81eb5e268e049cf258282c012418efdaf5b8d486ce94be6745fdefc39ae3e15b1e37315083da7b90249a37093d9ba0db45f558c402fcaa23595f922f7cd

Download Submit
memory/1072-244-0x0000000140000000-0x000000014023B000-memory.dmp

Filesize
2.2MB

Download
memory/1072-254-0x0000000140000000-0x000000014023B000-memory.dmp

Filesize
2.2MB

Download
memory/1392-118-0x0000000010000000-0x0000000010218000-memory.dmp

Filesize
2.1MB

Download
memory/1392-116-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/1392-110-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/1596-1065-0x0000000140000000-0x000000014021F000-memory.dmp

Filesize
2.1MB

Download
memory/1596-220-0x0000000140000000-0x000000014021F000-memory.dmp

Filesize
2.1MB

Download
memory/1596-324-0x0000000140000000-0x000000014021F000-memory.dmp

Filesize
2.1MB

Download
memory/1636-279-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1636-800-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1752-1148-0x00000000023F0000-0x000000000258E000-memory.dmp

Filesize
1.6MB

Download
memory/1752-125-0x0000000000400000-0x0000000000619000-memory.dmp

Filesize
2.1MB

Download
memory/1752-1151-0x0000000001320000-0x00000000013A8000-memory.dmp

Filesize
544KB

Download
memory/1752-1140-0x0000000000D30000-0x0000000000D3A000-memory.dmp

Filesize
40KB

Download
memory/1752-1141-0x0000000000D30000-0x0000000000D4E000-memory.dmp

Filesize
120KB

Download
memory/1752-260-0x0000000000400000-0x0000000000619000-memory.dmp

Filesize
2.1MB

Download
memory/1752-1155-0x0000000001320000-0x0000000001386000-memory.dmp

Filesize
408KB

Download
memory/1752-1150-0x0000000000D30000-0x0000000000D40000-memory.dmp

Filesize
64KB

Download
memory/1752-1152-0x0000000000D30000-0x0000000000D54000-memory.dmp

Filesize
144KB

Download
memory/1752-131-0x0000000000BE0000-0x0000000000C46000-memory.dmp

Filesize
408KB

Download
memory/1752-1149-0x0000000001320000-0x000000000140C000-memory.dmp

Filesize
944KB

Download
memory/1752-1154-0x0000000000D30000-0x0000000000D5A000-memory.dmp

Filesize
168KB

Download
memory/1752-1153-0x0000000000D30000-0x0000000000D38000-memory.dmp

Filesize
32KB

Download
memory/1752-1147-0x0000000001320000-0x00000000013C4000-memory.dmp

Filesize
656KB

Download
memory/1752-126-0x0000000000BE0000-0x0000000000C46000-memory.dmp

Filesize
408KB

Download
memory/1752-1143-0x0000000001320000-0x00000000013AC000-memory.dmp

Filesize
560KB

Download
memory/1752-1142-0x0000000000D30000-0x0000000000D4A000-memory.dmp

Filesize
104KB

Download
memory/1784-284-0x0000000001000000-0x0000000001207000-memory.dmp

Filesize
2.0MB

Download
memory/1784-866-0x0000000001000000-0x0000000001207000-memory.dmp

Filesize
2.0MB

Download
memory/1836-250-0x0000000140000000-0x0000000140227000-memory.dmp

Filesize
2.2MB

Download
memory/2000-149-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2000-143-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2000-160-0x0000000140000000-0x000000014021F000-memory.dmp

Filesize
2.1MB

Download
memory/2120-21-0x0000000140000000-0x0000000140561000-memory.dmp

Filesize
5.4MB

Download
memory/2120-17-0x0000000001CB0000-0x0000000001D10000-memory.dmp

Filesize
384KB

Download
memory/2120-11-0x0000000001CB0000-0x0000000001D10000-memory.dmp

Filesize
384KB

Download
memory/2120-207-0x0000000140000000-0x0000000140561000-memory.dmp

Filesize
5.4MB

Download
memory/2280-468-0x000000002E000000-0x000000002E226000-memory.dmp

Filesize
2.1MB

Download
memory/2280-272-0x000000002E000000-0x000000002E226000-memory.dmp

Filesize
2.1MB

Download
memory/2304-308-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2304-208-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2324-1057-0x0000000140000000-0x0000000140223000-memory.dmp

Filesize
2.1MB

Download
memory/2324-193-0x0000000140000000-0x0000000140223000-memory.dmp

Filesize
2.1MB

Download
memory/2324-283-0x0000000140000000-0x0000000140223000-memory.dmp

Filesize
2.1MB

Download
memory/2372-0-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2372-6-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2372-10-0x0000000002720000-0x0000000002C81000-memory.dmp

Filesize
5.4MB

Download
memory/2372-8-0x0000000140000000-0x0000000140561000-memory.dmp

Filesize
5.4MB

Download
memory/2372-25-0x0000000140000000-0x0000000140561000-memory.dmp

Filesize
5.4MB

Download
memory/2372-24-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2456-1083-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2456-176-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2456-168-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2456-278-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2476-35-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2476-222-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2476-37-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2476-43-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2476-45-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2616-942-0x0000000100000000-0x0000000100206000-memory.dmp

Filesize
2.0MB

Download
memory/2616-309-0x0000000100000000-0x0000000100206000-memory.dmp

Filesize
2.0MB

Download
memory/2876-73-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2876-65-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2876-135-0x0000000010000000-0x0000000010210000-memory.dmp

Filesize
2.1MB

Download
memory/2876-54-0x0000000010000000-0x0000000010210000-memory.dmp

Filesize
2.1MB

Download
memory/2920-259-0x0000000100000000-0x0000000100223000-memory.dmp

Filesize
2.1MB

Download
memory/2920-261-0x00000000005D0000-0x00000000007F3000-memory.dmp

Filesize
2.1MB

Download
memory/2920-406-0x0000000100000000-0x0000000100223000-memory.dmp

Filesize
2.1MB

Download
memory/2920-448-0x00000000005D0000-0x00000000007F3000-memory.dmp

Filesize
2.1MB

Download
memory/3044-345-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3044-223-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3160-1039-0x0000000100000000-0x0000000100207000-memory.dmp

Filesize
2.0MB

Download
memory/3160-325-0x0000000100000000-0x0000000100207000-memory.dmp

Filesize
2.0MB

Download
memory/3436-1054-0x0000000100000000-0x0000000100285000-memory.dmp

Filesize
2.5MB

Download
memory/3436-347-0x0000000100000000-0x0000000100285000-memory.dmp

Filesize
2.5MB

Download
memory/3556-379-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/3556-1063-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/3704-414-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/3704-1064-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/3888-438-0x0000000100000000-0x0000000100235000-memory.dmp

Filesize
2.2MB

Download
memory/3888-1066-0x0000000100000000-0x0000000100235000-memory.dmp

Filesize
2.2MB

Download
memory/4040-464-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/4040-1067-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/4056-726-0x0000000000400000-0x0000000000619000-memory.dmp

Filesize
2.1MB

Download
memory/4056-469-0x0000000000400000-0x0000000000619000-memory.dmp

Filesize
2.1MB

Download
memory/4080-954-0x0000000003D60000-0x0000000003E1A000-memory.dmp

Filesize
744KB

Download