07ff3495f2fc39b43f9e965145d4b2b1d398f6ad634df7e8e45a25ceaf547036

Analysis

max time kernel
141s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-05-2024 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
Size

1.8MB
MD5

f6293da60bad1f75c358fde5a02cbd29
SHA1

12f1f2eac1993f65228c5ccb567cb311695ec01a
SHA256

07ff3495f2fc39b43f9e965145d4b2b1d398f6ad634df7e8e45a25ceaf547036
SHA512

bde1b3b0b9fef290f75a95cb6cc5eb5f44c9b9e87f2dab2ac8d0d4e3e8cbe6edf18e0fac06424793c33a6a71393677034e24624ec37965b1da77cb5f48b281a5
SSDEEP

49152:TE19+ApwXk1QE1RzsEQPaxHNTgDUYmvFur31yAipQCtXxc0H:093wXmoKuU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2828	alg.exe
2628	aspnet_state.exe
2608	mscorsvw.exe
2856	mscorsvw.exe
756	mscorsvw.exe
1800	mscorsvw.exe
1148	dllhost.exe
936	ehRecvr.exe
1716	ehsched.exe
1152	elevation_service.exe
1200	IEEtwCollector.exe
2076	GROOVE.EXE
288	maintenanceservice.exe
2128	mscorsvw.exe
1720	msdtc.exe
2428	msiexec.exe
1248	mscorsvw.exe
908	OSE.EXE
2256	mscorsvw.exe
2212	OSPPSVC.EXE
1544	perfhost.exe
2100	mscorsvw.exe
2236	locator.exe
2464	mscorsvw.exe
2372	snmptrap.exe
2392	mscorsvw.exe
2336	vds.exe
2448	vssvc.exe
1264	wbengine.exe
912	mscorsvw.exe
2860	WmiApSrv.exe
892	mscorsvw.exe
1668	wmpnetwk.exe
2276	SearchIndexer.exe
1120	mscorsvw.exe
2172	mscorsvw.exe
2176	mscorsvw.exe
580	mscorsvw.exe
2956	mscorsvw.exe
1632	mscorsvw.exe
3000	mscorsvw.exe
2960	mscorsvw.exe
1604	mscorsvw.exe
2532	mscorsvw.exe
2844	mscorsvw.exe
2392	mscorsvw.exe
944	mscorsvw.exe
2592	mscorsvw.exe
2384	mscorsvw.exe
1604	mscorsvw.exe
1632	mscorsvw.exe
3028	mscorsvw.exe
1476	mscorsvw.exe
2396	mscorsvw.exe
772	mscorsvw.exe
2220	mscorsvw.exe
2324	mscorsvw.exe
1032	mscorsvw.exe
3028	mscorsvw.exe
1404	mscorsvw.exe
2396	mscorsvw.exe
772	mscorsvw.exe
3064	mscorsvw.exe

Loads dropped DLL 53 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2428	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
760	Process not Found
2220	mscorsvw.exe
2220	mscorsvw.exe
1032	mscorsvw.exe
1032	mscorsvw.exe
1404	mscorsvw.exe
1404	mscorsvw.exe
772	mscorsvw.exe
772	mscorsvw.exe
2228	mscorsvw.exe
2228	mscorsvw.exe
1476	mscorsvw.exe
1476	mscorsvw.exe
2916	mscorsvw.exe
2916	mscorsvw.exe
2948	mscorsvw.exe
2948	mscorsvw.exe
1032	mscorsvw.exe
1032	mscorsvw.exe
2392	mscorsvw.exe
2392	mscorsvw.exe
2892	mscorsvw.exe
2892	mscorsvw.exe
1748	mscorsvw.exe
1748	mscorsvw.exe
3016	mscorsvw.exe
3016	mscorsvw.exe
2948	mscorsvw.exe
2948	mscorsvw.exe
2232	mscorsvw.exe
2232	mscorsvw.exe
2780	mscorsvw.exe
2780	mscorsvw.exe
3016	mscorsvw.exe
3016	mscorsvw.exe
1200	mscorsvw.exe
1200	mscorsvw.exe
944	mscorsvw.exe
944	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1e64027bae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5ACD.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5486.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5D6C.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP52B2.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP561C.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\syncCenter.dll,-3001 = "Sync files between your computer and network folders"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588 = "Windows Easy Transfer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10300 = "Play the classic strategy game of Checkers against online opponents. Be the first to capture all your opponent’s pieces, or leave them with no more moves, to win the game."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10309 = "Solitaire is the classic, single-player card game. The aim is to collect all the cards in runs of alternating red and black suit colors, from ace through king."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102 = "XPS Viewer"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-308 = "Landscapes"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0ccce4c7ba8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1956	ehRec.exe
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
Token: SeShutdownPrivilege	756	mscorsvw.exe
Token: SeShutdownPrivilege	1800	mscorsvw.exe
Token: 33	2232	EhTray.exe
Token: SeIncBasePriorityPrivilege	2232	EhTray.exe
Token: SeShutdownPrivilege	756	mscorsvw.exe
Token: SeDebugPrivilege	1956	ehRec.exe
Token: SeShutdownPrivilege	1800	mscorsvw.exe
Token: SeShutdownPrivilege	756	mscorsvw.exe
Token: SeShutdownPrivilege	756	mscorsvw.exe
Token: SeShutdownPrivilege	1800	mscorsvw.exe
Token: SeShutdownPrivilege	1800	mscorsvw.exe
Token: 33	2232	EhTray.exe
Token: SeIncBasePriorityPrivilege	2232	EhTray.exe
Token: SeRestorePrivilege	2428	msiexec.exe
Token: SeTakeOwnershipPrivilege	2428	msiexec.exe
Token: SeSecurityPrivilege	2428	msiexec.exe
Token: SeBackupPrivilege	2448	vssvc.exe
Token: SeRestorePrivilege	2448	vssvc.exe
Token: SeAuditPrivilege	2448	vssvc.exe
Token: SeBackupPrivilege	1264	wbengine.exe
Token: SeRestorePrivilege	1264	wbengine.exe
Token: SeSecurityPrivilege	1264	wbengine.exe
Token: SeManageVolumePrivilege	2276	SearchIndexer.exe
Token: 33	1668	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1668	wmpnetwk.exe
Token: 33	2276	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2276	SearchIndexer.exe
Token: SeShutdownPrivilege	756	mscorsvw.exe
Token: SeShutdownPrivilege	1800	mscorsvw.exe
Token: SeDebugPrivilege	2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
Token: SeDebugPrivilege	2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
Token: SeDebugPrivilege	2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
Token: SeDebugPrivilege	2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
Token: SeDebugPrivilege	2240	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
Token: SeShutdownPrivilege	756	mscorsvw.exe
Token: SeShutdownPrivilege	1800	mscorsvw.exe
Token: SeShutdownPrivilege	756	mscorsvw.exe
Token: SeShutdownPrivilege	756	mscorsvw.exe
Token: SeShutdownPrivilege	756	mscorsvw.exe
Token: SeShutdownPrivilege	756	mscorsvw.exe
Token: SeDebugPrivilege	2828	alg.exe
Token: SeShutdownPrivilege	1800	mscorsvw.exe
Token: SeShutdownPrivilege	1800	mscorsvw.exe
Token: SeShutdownPrivilege	1800	mscorsvw.exe
Token: SeShutdownPrivilege	756	mscorsvw.exe
Token: SeShutdownPrivilege	1800	mscorsvw.exe
Token: SeShutdownPrivilege	756	mscorsvw.exe
Token: SeShutdownPrivilege	1800	mscorsvw.exe
Token: SeShutdownPrivilege	756	mscorsvw.exe
Token: SeShutdownPrivilege	1800	mscorsvw.exe
Token: SeShutdownPrivilege	756	mscorsvw.exe
Token: SeShutdownPrivilege	1800	mscorsvw.exe
Token: SeShutdownPrivilege	756	mscorsvw.exe
Token: SeShutdownPrivilege	1800	mscorsvw.exe
Token: SeShutdownPrivilege	756	mscorsvw.exe
Token: SeShutdownPrivilege	1800	mscorsvw.exe
Token: SeShutdownPrivilege	756	mscorsvw.exe
Token: SeShutdownPrivilege	1800	mscorsvw.exe
Token: SeShutdownPrivilege	756	mscorsvw.exe
Token: SeShutdownPrivilege	1800	mscorsvw.exe
Token: SeShutdownPrivilege	756	mscorsvw.exe
Token: SeShutdownPrivilege	1800	mscorsvw.exe
Token: SeShutdownPrivilege	756	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2232	EhTray.exe
2232	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2232	EhTray.exe
2232	EhTray.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2068	SearchProtocolHost.exe
2068	SearchProtocolHost.exe
2068	SearchProtocolHost.exe
2068	SearchProtocolHost.exe
2068	SearchProtocolHost.exe
328	SearchProtocolHost.exe
328	SearchProtocolHost.exe
328	SearchProtocolHost.exe
328	SearchProtocolHost.exe
328	SearchProtocolHost.exe
328	SearchProtocolHost.exe
328	SearchProtocolHost.exe
328	SearchProtocolHost.exe
328	SearchProtocolHost.exe
328	SearchProtocolHost.exe
328	SearchProtocolHost.exe
328	SearchProtocolHost.exe
328	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 2128	756	mscorsvw.exe	43
PID 756 wrote to memory of 2128	756	mscorsvw.exe	43
PID 756 wrote to memory of 2128	756	mscorsvw.exe	43
PID 756 wrote to memory of 2128	756	mscorsvw.exe	43
PID 756 wrote to memory of 1248	756	mscorsvw.exe	46
PID 756 wrote to memory of 1248	756	mscorsvw.exe	46
PID 756 wrote to memory of 1248	756	mscorsvw.exe	46
PID 756 wrote to memory of 1248	756	mscorsvw.exe	46
PID 756 wrote to memory of 2256	756	mscorsvw.exe	48
PID 756 wrote to memory of 2256	756	mscorsvw.exe	48
PID 756 wrote to memory of 2256	756	mscorsvw.exe	48
PID 756 wrote to memory of 2256	756	mscorsvw.exe	48
PID 756 wrote to memory of 2100	756	mscorsvw.exe	51
PID 756 wrote to memory of 2100	756	mscorsvw.exe	51
PID 756 wrote to memory of 2100	756	mscorsvw.exe	51
PID 756 wrote to memory of 2100	756	mscorsvw.exe	51
PID 756 wrote to memory of 2464	756	mscorsvw.exe	53
PID 756 wrote to memory of 2464	756	mscorsvw.exe	53
PID 756 wrote to memory of 2464	756	mscorsvw.exe	53
PID 756 wrote to memory of 2464	756	mscorsvw.exe	53
PID 756 wrote to memory of 2392	756	mscorsvw.exe	80
PID 756 wrote to memory of 2392	756	mscorsvw.exe	80
PID 756 wrote to memory of 2392	756	mscorsvw.exe	80
PID 756 wrote to memory of 2392	756	mscorsvw.exe	80
PID 756 wrote to memory of 912	756	mscorsvw.exe	60
PID 756 wrote to memory of 912	756	mscorsvw.exe	60
PID 756 wrote to memory of 912	756	mscorsvw.exe	60
PID 756 wrote to memory of 912	756	mscorsvw.exe	60
PID 756 wrote to memory of 892	756	mscorsvw.exe	63
PID 756 wrote to memory of 892	756	mscorsvw.exe	63
PID 756 wrote to memory of 892	756	mscorsvw.exe	63
PID 756 wrote to memory of 892	756	mscorsvw.exe	63
PID 756 wrote to memory of 1120	756	mscorsvw.exe	66
PID 756 wrote to memory of 1120	756	mscorsvw.exe	66
PID 756 wrote to memory of 1120	756	mscorsvw.exe	66
PID 756 wrote to memory of 1120	756	mscorsvw.exe	66
PID 756 wrote to memory of 2172	756	mscorsvw.exe	67
PID 756 wrote to memory of 2172	756	mscorsvw.exe	67
PID 756 wrote to memory of 2172	756	mscorsvw.exe	67
PID 756 wrote to memory of 2172	756	mscorsvw.exe	67
PID 756 wrote to memory of 2176	756	mscorsvw.exe	68
PID 756 wrote to memory of 2176	756	mscorsvw.exe	68
PID 756 wrote to memory of 2176	756	mscorsvw.exe	68
PID 756 wrote to memory of 2176	756	mscorsvw.exe	68
PID 756 wrote to memory of 580	756	mscorsvw.exe	69
PID 756 wrote to memory of 580	756	mscorsvw.exe	69
PID 756 wrote to memory of 580	756	mscorsvw.exe	69
PID 756 wrote to memory of 580	756	mscorsvw.exe	69
PID 2276 wrote to memory of 2068	2276	SearchIndexer.exe	70
PID 2276 wrote to memory of 2068	2276	SearchIndexer.exe	70
PID 2276 wrote to memory of 2068	2276	SearchIndexer.exe	70
PID 2276 wrote to memory of 1980	2276	SearchIndexer.exe	71
PID 2276 wrote to memory of 1980	2276	SearchIndexer.exe	71
PID 2276 wrote to memory of 1980	2276	SearchIndexer.exe	71
PID 756 wrote to memory of 2956	756	mscorsvw.exe	72
PID 756 wrote to memory of 2956	756	mscorsvw.exe	72
PID 756 wrote to memory of 2956	756	mscorsvw.exe	72
PID 756 wrote to memory of 2956	756	mscorsvw.exe	72
PID 756 wrote to memory of 1632	756	mscorsvw.exe	85
PID 756 wrote to memory of 1632	756	mscorsvw.exe	85
PID 756 wrote to memory of 1632	756	mscorsvw.exe	85
PID 756 wrote to memory of 1632	756	mscorsvw.exe	85
PID 756 wrote to memory of 3000	756	mscorsvw.exe	74
PID 756 wrote to memory of 3000	756	mscorsvw.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2608

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 254 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 244 -NGENProcess 25c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 264 -NGENProcess 1d4 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 260 -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1d8 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 270 -NGENProcess 264 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 250 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 254 -NGENProcess 27c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 24c -NGENProcess 268 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 280 -NGENProcess 278 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 280 -NGENProcess 260 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 28c -NGENProcess 278 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 294 -NGENProcess 254 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 260 -NGENProcess 27c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 28c -NGENProcess 298 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 298 -NGENProcess 280 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 244 -NGENProcess 278 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 284 -NGENProcess 264 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a8 -NGENProcess 2a0 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 27c -NGENProcess 280 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1f8 -NGENProcess 29c -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 1f0 -NGENProcess 250 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 23c -NGENProcess 1d8 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 248 -NGENProcess 29c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1f0 -NGENProcess 21c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 248 -NGENProcess 21c -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d0 -NGENProcess 2a4 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 2a4 -NGENProcess 1f0 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2b0 -NGENProcess 21c -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 21c -NGENProcess 1d0 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 2a8 -NGENProcess 1f0 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 1f0 -NGENProcess 2b0 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 27c -NGENProcess 1d0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1d0 -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:1400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 264 -NGENProcess 2b0 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2b0 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a8 -NGENProcess 264 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b4 -NGENProcess 27c -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 27c -NGENProcess 298 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2bc -NGENProcess 264 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 264 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2c4 -NGENProcess 298 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 298 -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:1084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:1300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2cc -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2dc -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2f8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2ec -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2e4 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2e4 -NGENProcess 300 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 300 -NGENProcess 2f4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:1560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 314 -NGENProcess 30c -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 300 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 308 -NGENProcess 310 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 324 -NGENProcess 314 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:1196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 300 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 310 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 314 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 300 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 310 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 314 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 300 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 310 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:3040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 314 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 300 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 310 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 314 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 300 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 310 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 314 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 300 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 310 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 314 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 300 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 310 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 314 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 314 -NGENProcess 378 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 380 -NGENProcess 310 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 300 -NGENProcess 388 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 388 -NGENProcess 364 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 370 -NGENProcess 36c -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 390 -NGENProcess 310 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 364 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 36c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 310 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 310 -NGENProcess 394 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 3a4 -NGENProcess 36c -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 36c -NGENProcess 39c -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:1104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 3ac -NGENProcess 394 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 394 -NGENProcess 3a4 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3b4 -NGENProcess 39c -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 3b0 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:3028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3b0 -NGENProcess 394 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3c0 -NGENProcess 39c -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:1084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 3bc -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:2392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 3c0 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:1640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 39c -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 39c -NGENProcess 394 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:2532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3b8 -NGENProcess 3d0 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3d8 -NGENProcess 3c8 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:1768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 394 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3d0 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 3c8 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:2180

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 240 -NGENProcess 23c -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1632

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:1148

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:936

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1716

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2232

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1152

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1200

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2076

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:288

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1720

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:908

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2212

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1544

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2236

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2372

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2860

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2068
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1980
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
0f91f095c606f992ae047e244267732d

SHA1
a98ebd4ea6b12202cab9352db795491f1c5be3bd

SHA256
96888d3bb64ab2b34b184b2d08bd0a641d49cf3bfadc71fb3c63d771bccffab5

SHA512
2937e87da4bdf76aea7d526df19693877625f3f78b5134ccf1091074e5d97ade06784b99f343b74bc34d8340bc96c212c0fe47e7085352afc4f6923344a81e85

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
08b3d3e9936da17c08ec6a462a7e6712

SHA1
24cacee21a0ac301b4d2db004e494dba63b8144a

SHA256
63bc367af1a2ab9e72b0d5b1f7ad692da5c3e3a23f0882ad8a60bdf25a62f1e6

SHA512
f9949c3a0ef61064ef1650342df81e86bde130500dc3b1f2c219d71419ac27f94435b9bcc0c5bed4e6fdebe40c6599fd7388ac40142c9559ebe6774fa2420b31

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
4556bbc442f9c0cd3dfa9ed86f6c6fd2

SHA1
9c49d2a1839a5a7c5519dc4f5f845c7382125b96

SHA256
08a9cbaf9c7057640503db32a335ecc9eff89eda07fbb7e04f83f1e205b872fb

SHA512
72621fe582ef3c620e47a91b74171002db0e9083c5c90c775b209385697320d00a8275175d90113e0f55aa34c1a70c55394eea2ad372fe97ee9de3567ebc80f3

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
d321724da6cd0cbf490011a3312b81a1

SHA1
79442d60e5a50ae6e3b27ace0e9ac7ff38c04366

SHA256
fd9f7dd726f59a8c31ee0fa3132b8442b8d1b31ab96816e0aa8e6a8ee65e26ce

SHA512
7eeab44eae41e11cfc115260a9021a2f7e4d10532876d3672fc6bae27cc72205c0ead07e0911a3cdf49ee34a8ffa9408dd30dedce66840e2e3294c7e99aa8a98

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
7d5998a7339ca03399a9853e2436fc95

SHA1
e0c874091776bcd2c14a25ce6a3b6510d9c713c5

SHA256
d056859764ade4df82f78a5f1162390083706576ce66e2ec45c10f30b9a20d89

SHA512
6b87338e9cfd0d885227b32afacbcef866d675f9e364278a95fb952a9444c1c98922abcd2333804ed56a24aca07fd5faa36126d585696c6e5523fcf82ea2c770

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
c8a413b47ca271f52becccec51a9dea6

SHA1
028907be4945457307c6b530b48028127bc19073

SHA256
43c7ae66e96e3c118d145c79edece7593c16f5ec93a3780791fd741a3e642585

SHA512
f709bc999c79ceb773ce1d30702411949fb65b1e99a40dca544404d3107ddabd983bda28e1d9254afd98ba6b4f4957ff9e7ebdb8a7348882824cdc8102103be4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
2daeb42de0bd9d182c48a06d2771f48f

SHA1
c788ea5d0416fa8b7fb98b48c74d0abf8f869fce

SHA256
eb9d5c5b465b6d1784820867350d8811e36e603c577c184c82c74d4a13e7a9eb

SHA512
a1d5e9611b3a033f894e19968b5d0e82912b7af76d2eb31036cbe62e424ff235b09f6c46c403d57397650fe07bce2a6c9d4258fa4e62d8bdfe9a15936b6eeafd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
15ed8590c242a161bd66e3295f1bff2e

SHA1
a2cb3fe8c2b17452e6d5447dfd0330681f8a720a

SHA256
02540c831e0441a7222d04c055533f1a7d5011b95f610750c38fc73c3f1f9ff7

SHA512
54dda275662e3c37cbc361bdb0b5d7333b114943e9ea3f248d390f54c4a96fe21cd892fbc42265e43d95d4bf74398f9f6550f340d3e06133c7e9e63150ee9dc4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
831db694f4b87bbea0b949bbf27bad68

SHA1
b24311a28a8ce651d510eb556ab08c71a0522f0d

SHA256
792355c23daa358810478e09ab892f3e614e90c4df96e6cc6afb7556b0775fff

SHA512
b58591d97604374f9a449adb4dfd30ed4856806609eb94e8c7456eb49da7c583ad3421c45074a16e90c29b6a77f591d83a7de39c5c62e45b34f746279d45155d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
4b22a4962bc14004aefa8d2a8dc36088

SHA1
a061366f6806b0d8861dcd26c1bc40aa01998c6b

SHA256
3074df177264e4e4d9dc1362db2a697963445bbf614df2d2de77511fce7d8423

SHA512
d8d8011dde167114a2d54c34351ad308ae5d0de0fb641d393cac0c590d0030718b42e34b93e9a359974af6c64470a9205d75509d98bd14bc1b1bf4b2f2e62654

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
4830500e8264fa303fc7b63c98e8d258

SHA1
1c85b1a2d3dac41f337bc57779fccd1212f3169b

SHA256
8cc3de24dcdbed49f1602923af935be5c48fc46f0b0b7a628d7aedb15afc9886

SHA512
069cbb406101fe6d68c4cbac9ef08548da71b9b63f0045bf91818cfb07553969e7f337a4e27a8a026cb4d0dcb5cd451d27782b01d9dc84f4e375bf3bcecf7630

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
71c0bf6ba4c56e11d3dc92d404c29649

SHA1
7c5bc76baad5a1eeec1bf32d4b8e9a5c8f4219ba

SHA256
585d011a8731da4a1440deac29185be08cfa435c3ba9d383fae96162852fb924

SHA512
39eafa862ac646595cd48d893647411adb03ba0609aa3f2848728b234f2ede82343f58920004f7b0919143ef9d869eb56bdc5591a1665279dfe1337d5280cd5e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
1ef2ba58d67d5055c4960ef5ecf548ae

SHA1
fe37e81342ca7d49518b74623536f0eff54711a7

SHA256
cb26c3aac2f845714071c4d469859bd5a6d35a2fa2b1b46bd291a2de91694b54

SHA512
54d0d3b0a8ec8195d037769063c6646de1513069ab7b955870e33cd98fdb3dbae9323423cbcc0f0c26df6d7b1714a5e73d14b0191844bff94eaed1762b0cb2b0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
2d383ed18c01e11e00967c4ad2191db9

SHA1
1006c391e1f93542f1f7ddf6670e5c147bdc0fd6

SHA256
2c86311d9df7f08865389531a736927a24046778661ca23cd4097dfd1f4de609

SHA512
393e76d94b783b93ce77ab57349b39b2886554e94467df2f3418adff6be117b305c548c0e37f3ef352a49d4694f8fccfbc3ab4626cf62b8189b291ed828dea70

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
ebb937ee33eb59736bf362c84b01c251

SHA1
1512dd6f3e6a4970b79e67810b42e82e24ddfc8f

SHA256
acc69e053af1caccad0605178a445f06efc2c7033d1c6c4cbe6d5adb6bea64e5

SHA512
72f877dde926161113df3b6c04f8953474cfd67814c0c86a37824f0ff0203e0655dc1f293825e8d52e95f06f193f6d4e96faffaa186f7aa7adc91bfab4936a12

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
5795e73e805883238625cb4f707c6da4

SHA1
923565757e843a08a6d23dcadcb89c66d6097e8a

SHA256
08a8f197c2f97924ae45581e5c80f5a1e34c5c166866741ae6e93d2e6607e6a9

SHA512
d0896ede8769a9c3943b319e25b23073625ca4cb998ce8ee18d64ef662f29c40b9c50292f1debb22a705a1f4dfbe7eb26fb8fe7a55b21f91c40a5fb385ef78c2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
c1ad7edb92dbbf6d9e093c30de55ff9f

SHA1
3447e231be7541b36ab12b28f50605ed92cc7aac

SHA256
c09ac9b78bcf7946d295bca7dc3e5b1e931318fda397b81520e5b2b698e78999

SHA512
42279ff246c9f55afd8d9d3956e13a714cb79888e1505db39d1a08ef439d9dfb76cc06e380b0258681ba1e35dde75afdbbf3cb13f18df6add81bf4d448893a12

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
cc2e7637bd1a65b1c51434f1a09029f3

SHA1
1ca9e1ec3c5bafa92e6009673f5a158647a7a84b

SHA256
a092a0422057761df1e8e35d7b57de572f0604eaf6272be456789b70f61d6318

SHA512
068519528cc5ccccbe5ae8122e0f4bb4ad8de3c8f6eb5dc74e02540a464d0a4be392137dcc6a330326f02c8ded8759341edfcaa4d1f42df9cbbc18e45ef5d064

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
d4ff8d37242d9d326cc72002d41bcd78

SHA1
06ce58cdd96fc38090b1b7a7946a42d6d68665c8

SHA256
e447a3f2255720a78769b40a06ee67174c273464eda14ba8d2f8fe393579d88c

SHA512
1663b3c90f3582f3d1e63d334f6045c43a0d4c1fce716e73efdb662aba1ec894d05fd615b44dab0c999042daef92ad0cda4453f75e7cced1d58fee0005d9834c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
cbeda5965856b0a0d4d9dc1eee89e5a0

SHA1
b1912ec21a681558dc8f68ddae3cf2dc271a9f12

SHA256
865b1121c4436228351be8f8e0065e044fcce76389cd4dbf03ac0e9128a8cf55

SHA512
25adc112b64f823ee43eab632442cb2dec5b5e7d572f00ee7fe8e397332f9eb7ba385438d45c71eb131eeb6df042abcd0fcd584cf9bf124ee9a755c0b91eee5a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.9MB

MD5
7179867a18ea0539e5767a6c8c93c891

SHA1
a14639ecee2c5eb6b8a96d38c71d163f9bae9668

SHA256
5f19dd84f6ae40e14f0e9ead72c74ae2b3e80d95bf70c57b662f63dc5f9e6aed

SHA512
a1f95717f9516d813cfa004ea2abf253151f21b294a06c946fb65ffef2b2f90d7d3d27445810345a2011d27dd119f1657269d6899f3a2b10157cd5a90858851e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
74f400ca03335f30c05a6c140b60d746

SHA1
d7a435e7faf44f8d2144636dacd59703cfbc8702

SHA256
fe9a0f0a9e863ee7f13ce7f0182ab2350bff279b7f343a815f586ec85e446f82

SHA512
428e455bd3d1b7284480b56615f1799c38cc35e97144d9d903655c638123fafa3a7b4939d572e02ce21453cd549ca728d21e1ce6766b7244f70858011edc0dd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\00cf0faa3d37faa0ea2d240c1ca307ef\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
75c84340d765d73eac1c743a31b6571a

SHA1
52aeef700a52b8e687316f42816eb9c0599354df

SHA256
b72a1f7da8b3c3dc95c2252319f6f3e71c81ed8bd59a5b31bd2861e14c364459

SHA512
9a9cdbc3a103e733150fae265c594dd7378ca402521387e466732f2431472a6a0e6cb4dfe02fe9f5b975a1739c685471ad2a4dddcdf6f12c4b5be469832fd5f1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0ff2f63c61026897b12d8b798c008429\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
b62e224cf0f52c5742c12d0c302462bb

SHA1
5ffbbac15a74168f6180b04b6000fedaf29b7d6a

SHA256
8fcc3870bdc7ab6554dec65d7d14b79fb6293e8ca352e86d3b57ea88e8653052

SHA512
de9bf0ad5e3e0e427f6f5bc2b9117bb7cd809fe7721a0f0d45d70544befbabbc90f5e6468a5d73159317f08f7341a9a10adc6c96a006ed8a2686aff3c10842b9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\2bb0471745b3e7d9e454efd5688704cc\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
065d6bed8d0924bfbe4199d47a592bd6

SHA1
5a1e759616c238f699f4102110abffac72373b32

SHA256
910ee3140144e184c0173cc0487e78643deab337e536c4674db0677e7fd7c84d

SHA512
6db100b58c32a2c34148a30672842e0fd7acdc9a626a8568283367fe527cd21bcfd9f7ae21081225e1a048e696c87615269314dfe26246f18643b57dd42aa32a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a1714729b8606fcb1746b2c7c6569f4f\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
217d4b7adda87569259cce23962824c2

SHA1
8fba6ca74315b61a57063c84c4ce7cac2da7f6a3

SHA256
b3bd23796d7c618eba04f172a60f15c125f8c7bab6dfd36d9d6a1ebe161e8b26

SHA512
6deb877403b297d35231ae04c1d0c65169898a926de867f6432e25cdd4fbc220e787fa3d2c44f8ae0c58ed9e9fcf3f574e248f8f655cdddf611ead7506444f03

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
9cbc20f5ab2464a21363d119fe36a11a

SHA1
f471a62cbb36c92153fb8fa26ea5297750256ece

SHA256
f3b983ad39d9bc6d3917ecfb02d4048e8d9c776b48eda8043278289b751d6c58

SHA512
14ac54c018b63a6bb9ab4085e78893b129ab88b368a9100073265b19a9e2e713c344ba7c47ba61e4c79fb4e63efa4fbb6d415723a9c045f81b037f71c2f8310f

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
ee794c7ba175970c474fc1fc2314a80c

SHA1
975fe55dcde1711b2c57ccaa267d3ab04c860b53

SHA256
bff5b67eaedc0b2311909d9b995f6ab6faf0537f385b5f1730daabafccf96d00

SHA512
828adae51544a80f122f8743806f88d488daf259a4c784b519137525e828374127467699a7c09f23f64ef9fce514100881e631b1de3a5785018732a8204629fe

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
eb4b2023db32cab2b69579b7f3c3f6f5

SHA1
1bca6df80b7249356c69dbebc27c255d1169ff87

SHA256
bb87692971f7cbb5a57e6dc16b26a48a7623f88752feb8b5696a30ce5f194766

SHA512
7d43a21b77cb4e63af538f0959a3fb436dcd77b12e09a9e4ce435cc3a904af725c3ff14ec3c71b82cee27c71a1fd282b04d01a3ed141d62f7708ec86839cd7d4

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
78b5d1c0c46d9b7e634a2d63d9a77d3d

SHA1
2df8dc8c40c0f177b9aaf7ff408af9f669b1e735

SHA256
e98b27fd1c6a28d1ffb6cfc0bc293cf1a8930d1fab1d924b601c801a59be8179

SHA512
35c19697e86498ac6b1a86c7236210d5aea7e78012a5bdc7ce05f0ab0327f8bf0be2ef58e041dd0a319abce2b05c54fbd272355800dc20fad1d1822642866b84

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
ea8c45e720b90e60d467e7fb2208fbc1

SHA1
1978cdaa44f416fb1336b32f1955904fc85ca73a

SHA256
752bb44bb5e02b0cef77a62e493b69c147e99980475f0b41a0b61babd951101a

SHA512
57a2165b74c949663fb3c1d613592a5ae2fcf473d8928263e657074b4e195e9eaacbad867b8bb7f37321ec53885ecc0e8b58a7bb7d5530747c094fe0bdae1a65

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
9fc86500ece7eb6d9e182d6f8cc600a5

SHA1
00596ee80849bceda9008602fcacfa93a1292180

SHA256
786cfec7e54c5a4841c04b1dac354780d0c2c7341ac322c1b6933ec2c7329ff8

SHA512
f901ae2d27b161684b65d87ce1ebb11f293f2f3491d5429182d9a830c0cbf35ce1a06c8913f69284cf640f0ab52b685ad23b6b38597cc4a95f926e59c9fbcc38

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
0ab336a1fb49b1f51ecafde92c7eee8f

SHA1
6fb4c40be3bf72e5fd1a810e1df36547012dc182

SHA256
c9383fcec0a11ca6f662c2fa3f3d9b33d12c122c0963ea3d2e19dcf6538a1f3a

SHA512
cfe570d23e5967da273c8526ada24988721c57e80a842f60cc3fc20556cb010959b7236ab0a10694e494b0f61a703fdf94b7baf087dc501dd4c3b5b36badddb4

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
a41386564ba26ee9d6de71a38f205e5b

SHA1
5a9d81d12def2c3cbc9c200cded55cbca2b45746

SHA256
1dfb659558d89f947a9782232031855f33201d94416d9a5761be71399e29c33e

SHA512
e8dc1a4115e6094865165574b65795cc8cb8a3ea07f09c9f0c11ecccb6862a1ede0827895f98545c29ec4fa7e7f4c259e091ee6fa007f921b471cae2d6245b2a

Download Submit
memory/288-197-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/288-193-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/580-625-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/580-602-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/756-225-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/756-81-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/756-996-0x0000000001CF0000-0x0000000001CFA000-memory.dmp

Filesize
40KB

Download
memory/756-75-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/756-997-0x0000000001CF0000-0x0000000001D0E000-memory.dmp

Filesize
120KB

Download
memory/756-998-0x0000000001CF0000-0x0000000001D0A000-memory.dmp

Filesize
104KB

Download
memory/756-1001-0x0000000001CF0000-0x0000000001E8E000-memory.dmp

Filesize
1.6MB

Download
memory/756-999-0x0000000001CF0000-0x0000000001D7C000-memory.dmp

Filesize
560KB

Download
memory/756-76-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/756-1000-0x0000000001CF0000-0x0000000001D94000-memory.dmp

Filesize
656KB

Download
memory/892-481-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/892-437-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/908-264-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/908-387-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/912-447-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/912-422-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/936-130-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/936-256-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/936-948-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1120-542-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1120-487-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1148-109-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/1148-110-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1148-116-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1148-243-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/1152-296-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1152-155-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-300-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1200-894-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1200-169-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1248-251-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1248-267-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1264-617-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1264-408-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1544-425-0x0000000001000000-0x0000000001176000-memory.dmp

Filesize
1.5MB

Download
memory/1544-308-0x0000000001000000-0x0000000001176000-memory.dmp

Filesize
1.5MB

Download
memory/1632-638-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1632-653-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1668-865-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1668-459-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1716-142-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1716-276-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1716-802-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1720-343-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/1720-210-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/1800-234-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1800-93-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/1800-101-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1800-99-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2076-330-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2076-180-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2100-346-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2100-331-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2128-254-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2128-209-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2172-544-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2172-561-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2176-606-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2176-576-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2212-421-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2212-298-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2236-333-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2236-450-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2240-92-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2240-1-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/2240-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2240-8-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/2256-277-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2256-321-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2276-463-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2276-888-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2336-574-0x0000000100000000-0x00000001001F4000-memory.dmp

Filesize
2.0MB

Download
memory/2336-383-0x0000000100000000-0x00000001001F4000-memory.dmp

Filesize
2.0MB

Download
memory/2372-351-0x0000000100000000-0x0000000100176000-memory.dmp

Filesize
1.5MB

Download
memory/2372-484-0x0000000100000000-0x0000000100176000-memory.dmp

Filesize
1.5MB

Download
memory/2392-373-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2392-413-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2428-237-0x0000000000570000-0x0000000000702000-memory.dmp

Filesize
1.6MB

Download
memory/2428-350-0x0000000100000000-0x0000000100192000-memory.dmp

Filesize
1.6MB

Download
memory/2428-226-0x0000000100000000-0x0000000100192000-memory.dmp

Filesize
1.6MB

Download
memory/2428-371-0x0000000000570000-0x0000000000702000-memory.dmp

Filesize
1.6MB

Download
memory/2448-396-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2448-600-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2464-372-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2464-344-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2608-44-0x00000000006E0000-0x0000000000747000-memory.dmp

Filesize
412KB

Download
memory/2608-38-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2608-66-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2608-40-0x00000000006E0000-0x0000000000747000-memory.dmp

Filesize
412KB

Download
memory/2628-27-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2628-34-0x0000000000E00000-0x0000000000E60000-memory.dmp

Filesize
384KB

Download
memory/2628-154-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2628-28-0x0000000000E00000-0x0000000000E60000-memory.dmp

Filesize
384KB

Download
memory/2828-121-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2828-14-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/2828-22-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/2828-13-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2856-54-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2856-61-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2856-55-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2856-85-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2860-784-0x0000000100000000-0x00000001001A4000-memory.dmp

Filesize
1.6MB

Download
memory/2860-426-0x0000000100000000-0x00000001001A4000-memory.dmp

Filesize
1.6MB

Download
memory/2956-622-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2956-642-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3000-654-0x0000000003CC0000-0x0000000003D7A000-memory.dmp

Filesize
744KB

Download