5ea1fb400f4c14b19fbb4be1eecfa4a4dbc316163ac3d4990477f7f6a179f1cf

Analysis

max time kernel
139s
max time network
157s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
Size

1.8MB
MD5

041fe4779101e41b619ee0aec34c02a2
SHA1

1b4885ede973712665cbf783162fce1f6746eef9
SHA256

5ea1fb400f4c14b19fbb4be1eecfa4a4dbc316163ac3d4990477f7f6a179f1cf
SHA512

4bfd2c05e01d4b525f7629d76f058df9485c75d96ded922e1d2c91af59679f15662dad224bf04ac7e463aa5f76e9d86c4b03ccf3b427641e06dc2b827aad1bcf
SSDEEP

49152:GE19+ApwXk1QE1RzsEQPaxHNuDmg27RnWGj:L93wXmoKGD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exeGROOVE.EXEmaintenanceservice.exemsdtc.exemscorsvw.exemsiexec.exeOSE.EXEmscorsvw.exeOSPPSVC.EXEmscorsvw.exeperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exemscorsvw.exeWmiApSrv.exemscorsvw.exewmpnetwk.exemscorsvw.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
464
2712	alg.exe
2544	aspnet_state.exe
1976	mscorsvw.exe
1488	mscorsvw.exe
564	mscorsvw.exe
2608	mscorsvw.exe
1792	ehRecvr.exe
2668	ehsched.exe
1552	elevation_service.exe
2264	IEEtwCollector.exe
1312	GROOVE.EXE
1400	maintenanceservice.exe
1556	msdtc.exe
2064	mscorsvw.exe
2352	msiexec.exe
2852	OSE.EXE
524	mscorsvw.exe
2944	OSPPSVC.EXE
2492	mscorsvw.exe
2472	perfhost.exe
2828	locator.exe
1816	snmptrap.exe
696	vds.exe
1644	vssvc.exe
2128	wbengine.exe
852	mscorsvw.exe
528	WmiApSrv.exe
920	mscorsvw.exe
560	wmpnetwk.exe
900	mscorsvw.exe
1752	SearchIndexer.exe
1996	mscorsvw.exe
1580	mscorsvw.exe
2884	mscorsvw.exe
2404	mscorsvw.exe
1836	mscorsvw.exe
1548	mscorsvw.exe
800	mscorsvw.exe
240	mscorsvw.exe
1252	mscorsvw.exe
2920	mscorsvw.exe
2252	mscorsvw.exe
1548	mscorsvw.exe
2196	mscorsvw.exe
432	mscorsvw.exe
2360	mscorsvw.exe
960	mscorsvw.exe
2452	mscorsvw.exe
1284	mscorsvw.exe
432	mscorsvw.exe
852	dllhost.exe
2868	mscorsvw.exe
2376	mscorsvw.exe
1488	mscorsvw.exe
1728	mscorsvw.exe
2040	mscorsvw.exe
2436	mscorsvw.exe
2180	mscorsvw.exe
2804	mscorsvw.exe
2912	mscorsvw.exe
1076	mscorsvw.exe
1048	mscorsvw.exe
2576	mscorsvw.exe

Loads dropped DLL 53 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
464
464
464
464
464
464
464
2352	msiexec.exe
464
464
464
464
464
744
464
2040	mscorsvw.exe
2040	mscorsvw.exe
2180	mscorsvw.exe
2180	mscorsvw.exe
2912	mscorsvw.exe
2912	mscorsvw.exe
1048	mscorsvw.exe
1048	mscorsvw.exe
1316	mscorsvw.exe
1316	mscorsvw.exe
1284	mscorsvw.exe
1284	mscorsvw.exe
1820	mscorsvw.exe
1820	mscorsvw.exe
1844	mscorsvw.exe
1844	mscorsvw.exe
2512	mscorsvw.exe
2512	mscorsvw.exe
1300	mscorsvw.exe
1300	mscorsvw.exe
2736	mscorsvw.exe
2736	mscorsvw.exe
1560	mscorsvw.exe
1560	mscorsvw.exe
1976	mscorsvw.exe
1976	mscorsvw.exe
1580	mscorsvw.exe
1580	mscorsvw.exe
2844	mscorsvw.exe
2844	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
3020	mscorsvw.exe
3020	mscorsvw.exe
1976	mscorsvw.exe
1976	mscorsvw.exe
1756	mscorsvw.exe
1756	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

Processes:

2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exeaspnet_state.exeGROOVE.EXEmsdtc.exeSearchProtocolHost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\524965b2ae4ef42b.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

Processes:

aspnet_state.exe2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{D9005A2B-BC2A-4153-8911-AE3B3F543790}\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exe2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemsdtc.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP58AB.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP53BB.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP37E2.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3DDB.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4E30.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP565A.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4422.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3459.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP400C.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeSearchProtocolHost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeSearchFilterHost.exemscorsvw.exeSearchIndexer.exemscorsvw.exeehRecvr.exemscorsvw.exemscorsvw.exeehRec.exewmpnetwk.exemscorsvw.exemscorsvw.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32822 = "Everywhere"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\ShapeCollector.exe,-299 = "Provide writing samples to help improve the recognition of your handwriting."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\recdisc.exe,-2001 = "Creates a disc you can use to access system recovery options."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006094135ef1adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{97DE21D1-2F6F-4582-B93E-C7C2A56752A9}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10302 = "Compete with - and against - online opponents at the classic trick-taking, partnership card game of Spades. Score the most points to win."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10306 = "Overturn blank squares and avoid those that conceal hidden mines in this simple game of memory and reasoning. Once you click on a mine, the game is over."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

ehRec.exe2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exeaspnet_state.exe

pid	process
2876	ehRec.exe
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
2544	aspnet_state.exe
2544	aspnet_state.exe
2544	aspnet_state.exe
2544	aspnet_state.exe
2544	aspnet_state.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe

pid process

2760 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe

pid	process
2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exemsiexec.exevssvc.exewbengine.exeSearchIndexer.exewmpnetwk.exeaspnet_state.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: 33	2872	EhTray.exe
Token: SeIncBasePriorityPrivilege	2872	EhTray.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeDebugPrivilege	2876	ehRec.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeRestorePrivilege	2352	msiexec.exe
Token: SeTakeOwnershipPrivilege	2352	msiexec.exe
Token: SeSecurityPrivilege	2352	msiexec.exe
Token: 33	2872	EhTray.exe
Token: SeIncBasePriorityPrivilege	2872	EhTray.exe
Token: SeBackupPrivilege	1644	vssvc.exe
Token: SeRestorePrivilege	1644	vssvc.exe
Token: SeAuditPrivilege	1644	vssvc.exe
Token: SeBackupPrivilege	2128	wbengine.exe
Token: SeRestorePrivilege	2128	wbengine.exe
Token: SeSecurityPrivilege	2128	wbengine.exe
Token: SeManageVolumePrivilege	1752	SearchIndexer.exe
Token: 33	1752	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1752	SearchIndexer.exe
Token: 33	560	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	560	wmpnetwk.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeDebugPrivilege	2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
Token: SeDebugPrivilege	2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
Token: SeDebugPrivilege	2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
Token: SeDebugPrivilege	2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
Token: SeDebugPrivilege	2760	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeDebugPrivilege	2544	aspnet_state.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe
Token: SeShutdownPrivilege	564	mscorsvw.exe
Token: SeShutdownPrivilege	2608	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

2872 EhTray.exe
2872 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

2872 EhTray.exe
2872 EhTray.exe

pid	process
2872	EhTray.exe
2872	EhTray.exe

pid	process
2872	EhTray.exe
2872	EhTray.exe

Suspicious use of SetWindowsHookEx 26 IoCs

Processes:

SearchProtocolHost.exeSearchProtocolHost.exe

pid	process
472	SearchProtocolHost.exe
472	SearchProtocolHost.exe
472	SearchProtocolHost.exe
472	SearchProtocolHost.exe
472	SearchProtocolHost.exe
1704	SearchProtocolHost.exe
1704	SearchProtocolHost.exe
1704	SearchProtocolHost.exe
1704	SearchProtocolHost.exe
1704	SearchProtocolHost.exe
1704	SearchProtocolHost.exe
1704	SearchProtocolHost.exe
1704	SearchProtocolHost.exe
1704	SearchProtocolHost.exe
1704	SearchProtocolHost.exe
1704	SearchProtocolHost.exe
1704	SearchProtocolHost.exe
1704	SearchProtocolHost.exe
1704	SearchProtocolHost.exe
1704	SearchProtocolHost.exe
1704	SearchProtocolHost.exe
1704	SearchProtocolHost.exe
1704	SearchProtocolHost.exe
1704	SearchProtocolHost.exe
1704	SearchProtocolHost.exe
472	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exeSearchIndexer.exe

description	pid	process	target process
PID 564 wrote to memory of 2064	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 2064	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 2064	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 2064	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 524	564	mscorsvw.exe	WMIADAP.EXE
PID 564 wrote to memory of 524	564	mscorsvw.exe	WMIADAP.EXE
PID 564 wrote to memory of 524	564	mscorsvw.exe	WMIADAP.EXE
PID 564 wrote to memory of 524	564	mscorsvw.exe	WMIADAP.EXE
PID 564 wrote to memory of 2492	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 2492	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 2492	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 2492	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 852	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 852	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 852	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 852	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 920	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 920	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 920	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 920	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 900	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 900	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 900	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 900	564	mscorsvw.exe	mscorsvw.exe
PID 1752 wrote to memory of 472	1752	SearchIndexer.exe	SearchProtocolHost.exe
PID 1752 wrote to memory of 472	1752	SearchIndexer.exe	SearchProtocolHost.exe
PID 1752 wrote to memory of 472	1752	SearchIndexer.exe	SearchProtocolHost.exe
PID 1752 wrote to memory of 1640	1752	SearchIndexer.exe	SearchFilterHost.exe
PID 1752 wrote to memory of 1640	1752	SearchIndexer.exe	SearchFilterHost.exe
PID 1752 wrote to memory of 1640	1752	SearchIndexer.exe	SearchFilterHost.exe
PID 564 wrote to memory of 1996	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 1996	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 1996	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 1996	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 1580	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 1580	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 1580	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 1580	564	mscorsvw.exe	mscorsvw.exe
PID 1752 wrote to memory of 1704	1752	SearchIndexer.exe	SearchProtocolHost.exe
PID 1752 wrote to memory of 1704	1752	SearchIndexer.exe	SearchProtocolHost.exe
PID 1752 wrote to memory of 1704	1752	SearchIndexer.exe	SearchProtocolHost.exe
PID 564 wrote to memory of 2884	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 2884	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 2884	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 2884	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 2404	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 2404	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 2404	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 2404	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 1836	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 1836	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 1836	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 1836	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 1548	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 1548	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 1548	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 1548	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 800	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 800	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 800	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 800	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 240	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 240	564	mscorsvw.exe	mscorsvw.exe
PID 564 wrote to memory of 240	564	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2712

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1976

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 24c -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 240 -NGENProcess 25c -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 244 -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 254 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 1f0 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1d8 -NGENProcess 274 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 278 -NGENProcess 1f0 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 240 -NGENProcess 25c -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 280 -NGENProcess 270 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1d4 -NGENProcess 278 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 288 -NGENProcess 244 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 278 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 280 -NGENProcess 1f0 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 294 -NGENProcess 270 -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 28c -NGENProcess 298 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 28c -NGENProcess 244 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1d8 -NGENProcess 2a0 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 2a4 -NGENProcess 244 -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 1f0 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b0 -NGENProcess 2a0 -Pipe 2ac -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 22c -NGENProcess 220 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 268 -NGENProcess 278 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 264 -NGENProcess 27c -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 264 -NGENProcess 268 -Pipe 220 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 27c -Pipe 230 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 27c -NGENProcess 24c -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1e8 -NGENProcess 274 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 274 -NGENProcess 248 -Pipe 22c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1c4 -NGENProcess 24c -Pipe 1f8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 24c -NGENProcess 1e8 -Pipe 224 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d0 -NGENProcess 248 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 248 -NGENProcess 1c4 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 294 -NGENProcess 1e8 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 1e8 -NGENProcess 1d0 -Pipe 2b8 -Comment "NGen Worker Process"
2⤵
PID:2456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 2b4 -NGENProcess 1c4 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 294 -NGENProcess 2a0 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
PID:2356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 258 -NGENProcess 1c4 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b0 -NGENProcess 1f0 -Pipe 294 -Comment "NGen Worker Process"
2⤵
PID:1576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2a8 -NGENProcess 1c4 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 298 -NGENProcess 28c -Pipe 2b0 -Comment "NGen Worker Process"
2⤵
PID:2496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 1d0 -NGENProcess 1c4 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 298 -NGENProcess 2c0 -Pipe 244 -Comment "NGen Worker Process"
2⤵
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a0 -NGENProcess 1c4 -Pipe 2b4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 1c4 -NGENProcess 258 -Pipe 2bc -Comment "NGen Worker Process"
2⤵
PID:1048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2c8 -NGENProcess 2c0 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2c0 -NGENProcess 2a0 -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
PID:2208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2d0 -NGENProcess 258 -Pipe 298 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
PID:2888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 1f0 -NGENProcess 258 -Pipe 1c4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 258 -NGENProcess 2d4 -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
PID:2912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2e0 -NGENProcess 2d8 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 258 -NGENProcess 28c -Pipe 2dc -Comment "NGen Worker Process"
2⤵
PID:2684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2cc -NGENProcess 2e4 -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2e8 -NGENProcess 2e4 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
PID:1284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2a0 -NGENProcess 2f0 -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2cc -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f8 -NGENProcess 2e4 -Pipe 258 -Comment "NGen Worker Process"
2⤵
PID:1272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2f8 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
PID:1400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e0 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
PID:2132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 304 -NGENProcess 2a0 -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2a0 -NGENProcess 2f8 -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 300 -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"
2⤵
PID:1300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2d4 -NGENProcess 2f8 -Pipe 28c -Comment "NGen Worker Process"
2⤵
PID:2148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 30c -NGENProcess 318 -Pipe 300 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2d8 -NGENProcess 2f8 -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 31c -NGENProcess 2d4 -Pipe 308 -Comment "NGen Worker Process"
2⤵
PID:764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 318 -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
PID:2356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2f8 -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2d4 -Pipe 314 -Comment "NGen Worker Process"
2⤵
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 31c -NGENProcess 330 -Pipe 324 -Comment "NGen Worker Process"
2⤵
PID:912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 30c -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
PID:2808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 334 -NGENProcess 320 -Pipe 310 -Comment "NGen Worker Process"
2⤵
PID:2112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 330 -Pipe 328 -Comment "NGen Worker Process"
2⤵
PID:992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 30c -NGENProcess 340 -Pipe 334 -Comment "NGen Worker Process"
2⤵
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 318 -NGENProcess 330 -Pipe 32c -Comment "NGen Worker Process"
2⤵
PID:1136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 34c -NGENProcess 338 -Pipe 348 -Comment "NGen Worker Process"
2⤵
PID:2156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 31c -Pipe 344 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 318 -NGENProcess 358 -Pipe 34c -Comment "NGen Worker Process"
2⤵
PID:1844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 2d4 -NGENProcess 31c -Pipe 33c -Comment "NGen Worker Process"
2⤵
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 31c -NGENProcess 330 -Pipe 360 -Comment "NGen Worker Process"
2⤵
PID:3004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 2f8 -NGENProcess 35c -Pipe 30c -Comment "NGen Worker Process"
2⤵
PID:436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 364 -NGENProcess 318 -Pipe 338 -Comment "NGen Worker Process"
2⤵
PID:2684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 330 -Pipe 350 -Comment "NGen Worker Process"
2⤵
PID:760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 368 -NGENProcess 364 -Pipe 35c -Comment "NGen Worker Process"
2⤵
PID:1508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 354 -NGENProcess 330 -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 374 -NGENProcess 2f8 -Pipe 358 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 364 -Pipe 370 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 36c -Pipe 31c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 36c -NGENProcess 37c -Pipe 380 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 384 -NGENProcess 364 -Pipe 368 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 318 -Pipe 354 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 37c -Pipe 374 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 364 -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 318 -Pipe 378 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 37c -Pipe 36c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 364 -Pipe 384 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 318 -Pipe 388 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 318 -NGENProcess 398 -Pipe 37c -Comment "NGen Worker Process"
2⤵
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 3a8 -NGENProcess 364 -Pipe 390 -Comment "NGen Worker Process"
2⤵
PID:2480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 364 -NGENProcess 3a0 -Pipe 3a4 -Comment "NGen Worker Process"
2⤵
PID:1048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 3b0 -NGENProcess 398 -Pipe 39c -Comment "NGen Worker Process"
2⤵
PID:1388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 398 -NGENProcess 3a8 -Pipe 3ac -Comment "NGen Worker Process"
2⤵
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3b8 -NGENProcess 3a0 -Pipe 318 -Comment "NGen Worker Process"
2⤵
PID:1772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3b0 -NGENProcess 3c0 -Pipe 398 -Comment "NGen Worker Process"
2⤵
PID:1336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3c0 -NGENProcess 3b4 -Pipe 3a0 -Comment "NGen Worker Process"
2⤵
PID:2956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 364 -NGENProcess 3c8 -Pipe 3b0 -Comment "NGen Worker Process"
2⤵
PID:3028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 330 -NGENProcess 3b4 -Pipe 38c -Comment "NGen Worker Process"
2⤵
PID:1300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 3b4 -NGENProcess 3c0 -Pipe 3d0 -Comment "NGen Worker Process"
2⤵
PID:2320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3a8 -NGENProcess 3cc -Pipe 3bc -Comment "NGen Worker Process"
2⤵
PID:2312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3d4 -NGENProcess 364 -Pipe 394 -Comment "NGen Worker Process"
2⤵
PID:1604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3c0 -Pipe 3b8 -Comment "NGen Worker Process"
2⤵
PID:2496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3a8 -Pipe 3d4 -Comment "NGen Worker Process"
2⤵
PID:2092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3c4 -NGENProcess 3c0 -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:2096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3dc -NGENProcess 3e8 -Pipe 3e0 -Comment "NGen Worker Process"
2⤵
PID:2252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3c8 -NGENProcess 3c0 -Pipe 3b4 -Comment "NGen Worker Process"
2⤵
PID:2068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3c8 -NGENProcess 3dc -Pipe 3c4 -Comment "NGen Worker Process"
2⤵
PID:2504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 364 -NGENProcess 3c0 -Pipe 3cc -Comment "NGen Worker Process"
2⤵
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 3f4 -NGENProcess 3e4 -Pipe 3a8 -Comment "NGen Worker Process"
2⤵
PID:2808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3dc -Pipe 3f0 -Comment "NGen Worker Process"
2⤵
PID:956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3c0 -Pipe 3d8 -Comment "NGen Worker Process"
2⤵
PID:2360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 404 -NGENProcess 3e4 -Pipe 3ec -Comment "NGen Worker Process"
2⤵
PID:2300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 3f8 -NGENProcess 40c -Pipe 3fc -Comment "NGen Worker Process"
2⤵
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3f0 -NGENProcess 3e4 -Pipe 3d8 -Comment "NGen Worker Process"
2⤵
PID:2344

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1284

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:432

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1792

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2668

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2872

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1552

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2264

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1312

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1400

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1556

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2852

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2944

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2472

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2828

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1816

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:696

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:528

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
2⤵
- Suspicious use of SetWindowsHookEx
PID:472

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 596 600 608 65536 604
2⤵
- Modifies data under HKEY_USERS
PID:1640

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1704

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:524

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
706KB

MD5
5c8014f103eb416b8dce203338fb99e3

SHA1
48700cc8854895eab65a7eb10b61b2bf391db815

SHA256
e54593dd0fd7436d3c0a455d11bb771d2b7fb4bc8f2ebaac05296c21f1985bd3

SHA512
0e5e0b8db2cf5d27ead6f2328345c7186de208a4c1124617c5a6940e741a8c9221d2cc1221bd4cf0453be7131a7f2ef544eb86d21ce7182dea511e156b3a67d5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
e89f5ce941b99a5d4a001fcda1fe6821

SHA1
320f951e964f9d0f08ccb3ae84e09aea42623172

SHA256
7a6166f401724ad0189e76023caa524d92fc44be45a6e8fc8c987e8c1ff420ca

SHA512
dd5bcd55d7c9655364f5bb3f24329d7851b698f85d616a8964d652575858645069058708a216b44f552d9c5da0f8f774c0cd2011f52aa5123c1563bd27052234

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
b152e823db5c09ea076017d035e8aa73

SHA1
77b534b2eca25839b8f8126b7e6d11715c664108

SHA256
2f806f36a746c6a33e8e9aadac2dc13158a38b988860f0698df678b75bc5a024

SHA512
c6d8aa7b824836414c6b518878685683cd21c6bd7910128e6bf1add9cdbdd948002b30b1de761fcf8d8659c77be32a208e266bd8fc9d7298a7dd2f8e24ead5dc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
6e0ecc319a4cff1372b251d3b9d3d464

SHA1
27ac4a72af6e36c954c5f93d4d94059557b50420

SHA256
d891f8ccccb1704e0a7d42c1c55f4f36d3c7f3215c190ad28c0f1a95424a73ed

SHA512
543f41ce5929e371333fcb2ae25dc3107cf139a2b4a8d6cfd119270f933c068675293e4c0eb942578bde1c565835b4e4d6b443905d9fc8fb5da68b5f874182b6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
445e0edeb03704cb84ef8a33299bd3ee

SHA1
47d464f2f2b2465ec6f16f65b9de05d391ded31c

SHA256
05a732bc041304168cce589e5927ef968f108f80c38d9eb4eae7f444d4a116f8

SHA512
e09bb77596c80db78e59c953cf5db66afdf0899043ffbd89eb4f789865c73610dfa973b97b6f7f0bf8b5f86e773a193a537d1dd7575470e07c26d53863175f2e

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
648KB

MD5
f1d4cc775f6662f5297c5cf0288d952a

SHA1
0013d7a769937bc8751e57399f9ccfcf3e99b75b

SHA256
ebd532782177d5f8c5090ab1946af3829c25967ac57db35d452fd14b494adfbf

SHA512
6e3a38a0c6c941788c0b8ceb7545cea712086d512ec4598880e2703e101eba019eeefeef33862fb420f532f95b0c2a502fd83be94a37dfeab761373ed109297d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
4827153e418ff08363637c8f0d3c0f73

SHA1
b145f33cb9703f31a274dd0d8042d52e8bedc2a4

SHA256
126c7e88178fde2d0efb3c234f662853c188f9e9f5096f25d7f10e55d5bf16b2

SHA512
fe5d55873ea8c8a97b76c6d1ce2572825e347cb0a155522021a264192e9a0c5fe3352deb493e75a15b104473ace3bb7fb5a7e259df23b2d9dcc04db2ab18a375

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
603KB

MD5
ec7ba77648736dd0c1857a41c4ea1a73

SHA1
4c68a7ea95173dd52557d57d3a214b9c8ae0754d

SHA256
be22cc4535293ee26a0ab83cb82acd9e38f69bb7d2479febf7e70d68029792c1

SHA512
f6651a248331d3612d23b4a6b2612e587d37c8585b98c87d03b5f138186eef4403b941c881f4a9983e6511c6b3c3b9e388edd39df9f542439f4a032e40d7ff27

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
678KB

MD5
aa151bd5d881231bb39bf07299638b58

SHA1
8157de958904212b340e6c4f4924b53b353feb8f

SHA256
e1e38da97aad4bcad432f07acb68db8a04de558c890b321fc121282e8e0d7743

SHA512
93035fc2657001a9e5853b66ed3bedec89f6c234a2511b490305ef622b08d9d779d91f6c8d512368f7e4b6506cc74af99f7c4971e37e0aedd010855d7d0f83ac

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
625KB

MD5
c6b0dd8b6c8685dd5b5887e8186532a0

SHA1
5a5e8f7e54bb6f8b42e61b43e4dacb8a9a1c062b

SHA256
c9341020f2f82e92cfec3c10574d9f30bd4958a2079529e5a330f4c4c7b0b48b

SHA512
6872af221c8714ed8ce45c34e8edb18457f3a989eb815e931fc3afc68c819f3fcff8d9fe55047cb5a8b6d02ebfb138c98b556e3343788003ed8d366caba77fe0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
2b8a813aba344f0b5f402a146e54f74d

SHA1
eda49dc307300e1ed944a49a879ebd6454e8fc46

SHA256
9a293689d067513ac7b03973b295349c5ece628f3abf58059339c7f9c76665cf

SHA512
1d818bf6ae889f0768dcf70361348775713589a287d60969d77e9fbdaf9efff14068acb9b1fd2fa2ce0d8fab9f50d5d754f806e2bb4e55b3acea10a48223f53a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
656KB

MD5
21bc5c36619a6aa2b136e55888756d7f

SHA1
756f80b4f4acf0e5b6771a4867b920a8aa7fc727

SHA256
5e9d29d9c7a7ab6c0a64af289c1e12381001ae6c5234ec407a43477fced2090b

SHA512
4c021c731a6b2d0e0f28f6335fafc58746193e15f69cf9ca33c2c4fa458820b221320ceb949ed99178af5f7f1b6ef54ce0b807b4e934744d342c1ea8d83c6db3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
503a5f4bcfc06bcbae5b81eb5a1702a3

SHA1
ae813f0c324083d73e5fea61a1e3846767c48e2b

SHA256
a2d4352eafcb3c1a4f43302b58bdaa4a2caaf3e6ec69d8cee4d08088b59a66d6

SHA512
de5f6aed913487eef2683caa5c2dcf7308d6fde3aff94a2e09296479ed52faa6070236c968b90549711835b39f356b3c9ffd4c6ed767ece4d5fea7d3bc1d4f93

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
587KB

MD5
51b1b6c524bacde4d19a1223b9de34c6

SHA1
93f9fcf755b83b485c05c842a083c89953ef885e

SHA256
78a2a97d820f5dfc975b129ec3506fca5cb26e5017b50244a356f3b504dc7e05

SHA512
d220309c76f39d2a240437d9e730a07f73c90cd19a9262c67251d794aa5de579f505cc33f17ca63bca97b542875ac905fcaaa35a6e33ca6cc9d88fd5f7c6fb55

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.1MB

MD5
75809feeb50764f977af4dd7db0d4e85

SHA1
ef82773a02a975c62b7c65a4988c897426210266

SHA256
ab0ed32377bf30f9c4866a4e9e490412cc9c7f30b040cc5c609b6366cf0f7637

SHA512
c174eae5db5ff5bd5a081367f55effa72c163ef7f444ed0a6be73b40493e3f32c9834320d160d5c0f1844221ff9b198b270339e2e913d805572debae59da3c3a

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.1MB

MD5
9c4c363c09ef6c8c419f9ca90e7d8162

SHA1
61157fe11331c99cfcc66b40b5c1c64cc96af3de

SHA256
7289673de6f0f76f810402b5cebb9f129558a2d0ef0ea1332005bad201356ead

SHA512
c2ae257a3a6c106621fcad4097499c74da8e50f1030090d265b6ea812f60f534c16013b8c5faa447de5ea1af8560d1f32f56fcfc0652cb7bd74d21349000c763

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
705KB

MD5
40cffc96f18c2140cdd8da61afd2b8cc

SHA1
9522cab401d7c85461d5c59d887ac4b8f85b256f

SHA256
121f64a2d7fd3ef557d65f0fc35e65972e704856bef317035d95fed1b14e39ac

SHA512
a04b124dc9f089055a1d902b11a8c5fbeb23997642e936cce42b59ece46583a4d45fee2171431f614234b249560dc6cd3413d422f5499cea6855e39638838ef7

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
581KB

MD5
6231e89f823ee2dc1f4ba60e92ff6ee6

SHA1
3a6fdf36b45571603e9c7232fc18888c2f11dcbd

SHA256
46417a2f81c6c61967efed0c345fcf7e989956a8a9a97933ae0f6a3b794e745c

SHA512
ceebf6e57782034ae7ed2794070b4f82df5c7831ef77a1240eaf4bffb2e47493b31e09a4d4fd3df0372d50c27ae786182c035cc21c8f1acf2935e957517a48ae

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.1MB

MD5
8e7d5f227c4a1760ba49c57dec16eb16

SHA1
1d005e4492753155fa64f75fb9f56cbdc264cbcb

SHA256
fa6e54714cb171d6ba4818a4fc27d7e14f048e16689611a5e6fe8e9db4a1486c

SHA512
87085ecb95eb142ec9c5fcbda46b96994d9737498663b08e8349cefae2474de88260d8b38f82686eef729e1c85f73216bf13420ff428aa41781e7d8635305e6d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
765KB

MD5
f68f87f6c3a703b0482defcb8a9f5666

SHA1
26a01b1ead3f5c93d023f16dc8fcab4adf5a59a8

SHA256
233d3470f69c51d4299fd763c4371aa7a1a915a7b569fc150509230e9cc00c75

SHA512
f79d96ba431000d9155f4e6ce0b74c371e432e454b39055fc689f763ec529c5a77c2db1ca92707e9096318ac4f17cb94dc04f5ccc67a064a6e1b91c768302d5f

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.0MB

MD5
5ea4b43453232f34232a9ed124f920ec

SHA1
bb83ee2ec75710b573d90e978eb4ae1548e5d652

SHA256
c6d59694b5e99aaa9c74cc6ccc7be6b7b2a6c74a36af63eca33735ea41ac9e80

SHA512
ecd496e1cfe9f8026093e0b4c6273ce5440417bc7047a8de718dca71817e40f23bdf277a89af914934e68aac2f803ebfc231ba01ba9ad4cc09f5c86dba61c20d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll
Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\19c82f6ec272700a4a20a3fc670f2dc4\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
180KB

MD5
0a805eb7ae75e16054d0609fdca01975

SHA1
c10d9793140ef3aa503dc6ce8bda5978f6e4eee9

SHA256
6f9d20c03c269fd0edde3823971b3b8d4ba010aeb6315e6f722bbf6c076e5af6

SHA512
31d0b674d16be65968e94ce20f6624d8814be4efb258dd5823eb35da0dfa94d7779a30a7beebc6446d7a7bcee19430f6e16a92708318afd9f9802fb834a354d8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4d420aa31d320cdf2e1ce2aefe7bc119\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
143KB

MD5
6f9f108fa2279e1c28463809d1ade2ae

SHA1
f4a84ed2ee86aca38d3eb4cb8447cae3c7120e1d

SHA256
bdcf89d2d6f43ae146e1008fceff57d91e78c517a37df09a4d7bb18a935a96c8

SHA512
9a21732e365f20811a617d579f63a6879ffa0d727d786ea824c651992d079690a476453a365fa52fcffa722e575ce52087ee3757ad90db3ba308fda6567ace3f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9904ebcff377abf58499c40929ae6db4\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
83KB

MD5
68c06d7d558b12f1aa57093ddce38b1c

SHA1
9278aefc53bf283891378aba67446664dafbf7da

SHA256
3c08b1b72f37b297ef74a616da39a2d6a25fc1377e0724eddc0381d6243327fa

SHA512
8198b853857d75188868ec4cdf255df2453488b6d38b20ff57f51030ae67b8e58ac2f419f0bf3d20da2ed00d44bb5194449503c86098e020c9b3f3760b74c4f1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\da9425b1ee4b68a1dbd4c20b3f5c52ac\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
187KB

MD5
93585157217973d1939821d50314eae1

SHA1
1854f14ee4c6ef44599b2eb503418a554365adc1

SHA256
fa937eb037dbe041dd1b487db6e5ceb7dc0369db5c91426f8b9f67dc97560d13

SHA512
50c049065f8d484f98856595f8145fdf1516c19e01e6f8323ef0eb5765936dea79990859564c62b286b8539602d5749da72e6ca351cd6a5e57c965ecc5a8f0f5

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehsched.exe
Filesize
691KB

MD5
b82a0ceb136d717ce6ee48944d8cceac

SHA1
af7fcb6bd40d7df069d1b778093aa79709603d5a

SHA256
e92109aef668fe3a6cc5c024f7b1a58a09ee497251a557055f073675c63d0b44

SHA512
5b5840014deb73d2753e15f12ad517629e9057cd967c45c160a766a6148e37eb72305194b0d7c5889ec176de0490ef7cd6e871c8c8a15a1637254d6a2cbfad66

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
2.0MB

MD5
041f6f4c947afb777ace39147021795d

SHA1
599d7779ba53cfc82044906a6ab7fa13e626da21

SHA256
db54a6c20f0d16c5880602939013a342885c214839711a4df2896bcb559ac959

SHA512
7c0165f7d361f7798f6a29f4f7bb26dbd4ffef17134f0eb835c84f5d7684216570e9097e18e14d9626746646632c8d9f6ba791f9877ae6f7158d1a9b1bff9110

Download Submit
\Windows\System32\Locator.exe
Filesize
577KB

MD5
5f535301e718a4ca2979e54d57167ebf

SHA1
d93404829b05aaf747ed83db73411c0265b3b3c1

SHA256
10d85fa425d45c45c735893060acedefac261eed4910429deff6a6bab8912eef

SHA512
5b5047d09764ec21f41c2a3e4012ac21a5088941c6a9e06f83479ae7318b8cea37fc8b125824201a6e8cc77e7e290a277be2244ded2521a0ebbcfa5f57ed6804

Download Submit
\Windows\System32\alg.exe
Filesize
644KB

MD5
4c05f24ebc70a1308ace847268ef87e6

SHA1
4800db74e42653169431e80a79ddd0b3718e3661

SHA256
2dda1a3410a8f7ed3cae371174653fb4beaabeac896f8c24e37bef2e6714c033

SHA512
6ced3d61b53e9e42d9bc5855dc87a46332152bc92f75a3a097f91fa41f76461e0df2e1523ace65831895724b8e59d600c54c72805dae8405455a04b2aa475871

Download Submit
\Windows\System32\ieetwcollector.exe
Filesize
674KB

MD5
cdcc216a2273293fb2b17a17e5ec45f6

SHA1
ab902a88da4232a4f61a38d1afadd7da57d6e46e

SHA256
1dcbc45d89c699aa4a7e11140d08502ea54a41c53e41c833595fdd0e3332db1e

SHA512
9e61f4feae4e505edf9b2f4e9241e35d47d5d05704effa9a8fef91e514791ccbae66a54979d71da3117676c6656fd792cd235d2f2cd6232ee1de229f7cc24589

Download Submit
\Windows\System32\msiexec.exe
Filesize
691KB

MD5
7fa3bc99cbcce02d233a9941e5f3d413

SHA1
f100bdb91804257a24dd6946f6719c2a2a0891c1

SHA256
1e5d496b03c9f7c576bffa7770311fa2e5f7004ca7884831ab26a5f02a451569

SHA512
51a3061fb8598821610e384f65497422c3f6caf336ccd7b9df35b2f5b756c4aee05a7451670ddca3325b1a5d6d43dc0b874ddc39146319e3b2a9ebb7de13abac

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
8a8888351b050f253d6c46f255b779a6

SHA1
be325867376e3b9499c159887c11f374e29ba32b

SHA256
0ed6bce68a9dd2c4d1173acf4a483ddffeca05c80a62a155044e9aee243bc695

SHA512
1642a6cb65f5023c9f06373547e49bc0434bd4d4ca57d61f26b8aa2231d974970c6dec2c22d087988cbeddd5f8de6a4e8bdba0a4bf5ea83a3f6e41773649caf9

Download Submit
memory/240-608-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/240-590-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/432-699-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/432-678-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/524-246-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/524-220-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/528-293-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/528-542-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/560-591-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/560-319-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/564-188-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/564-69-0x0000000000A60000-0x0000000000AC7000-memory.dmp

Filesize
412KB

Download
memory/564-64-0x0000000000A60000-0x0000000000AC7000-memory.dmp

Filesize
412KB

Download
memory/564-63-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/696-469-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/696-259-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/800-592-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/800-569-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/852-304-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/852-281-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/900-450-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/900-330-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/920-306-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/920-343-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/960-715-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1252-624-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1252-610-0x0000000003C10000-0x0000000003CCA000-memory.dmp

Filesize
744KB

Download
memory/1252-605-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1312-251-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1312-152-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1400-183-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1400-165-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1488-52-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/1488-44-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1488-51-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/1488-46-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/1488-83-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1548-572-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1548-648-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1548-662-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1552-130-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1552-234-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1556-270-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1556-171-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1580-471-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1580-496-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1644-492-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1644-271-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1752-334-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1752-623-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1792-103-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/1792-109-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/1792-198-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1792-102-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1816-452-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1816-256-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1836-535-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1836-544-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1976-36-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1976-30-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1976-35-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1976-80-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1976-29-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1996-473-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1996-453-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2064-223-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2064-180-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2128-503-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2128-275-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2196-681-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2196-663-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2252-634-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2252-641-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2264-142-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2352-190-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2352-192-0x00000000005E0000-0x0000000000692000-memory.dmp

Filesize
712KB

Download
memory/2352-280-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2352-292-0x00000000005E0000-0x0000000000692000-memory.dmp

Filesize
712KB

Download
memory/2360-700-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2360-717-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2404-539-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2472-252-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2492-235-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2492-289-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2544-129-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2544-25-0x0000000000210000-0x0000000000270000-memory.dmp

Filesize
384KB

Download
memory/2544-16-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2544-17-0x0000000000210000-0x0000000000270000-memory.dmp

Filesize
384KB

Download
memory/2608-85-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2608-93-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2608-92-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2608-191-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2668-122-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2668-116-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2668-218-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2668-115-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2712-114-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2712-12-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2760-91-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2760-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2760-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2760-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2828-253-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2828-333-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2852-206-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2884-500-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2884-494-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2920-622-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2920-637-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2944-221-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2944-317-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download