828839f161b264414a595b666347fd55157c4e37b5f181f60c17943164d5695a

Analysis

max time kernel
132s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_135ecd9629aaf6ade5b24eabffc12913_bkransomware.exe
Size

1017KB
MD5

135ecd9629aaf6ade5b24eabffc12913
SHA1

2c01092017f250cbf10de1f127ded183558e8ae7
SHA256

828839f161b264414a595b666347fd55157c4e37b5f181f60c17943164d5695a
SHA512

76d79704513d830e2421e15931559fb1ed198e257f0d28037ce5d9cc5a7712d3e016fa28f3c3c78f8478a8c529177710f15d99b258525fdc04b20ec48dab136c
SSDEEP

12288:d2lWRPhhA9PRWg9b6JvY67VMBNO/aXpXI22+VufvdIOKek1h4TA8bXQJYe:d2lmh4R36J17W8CX32+KJNA80T

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exeelevation_service.exeGROOVE.EXEmaintenanceservice.exeOSE.EXEOSPPSVC.EXEmscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exeehRecvr.exeehsched.exeIEEtwCollector.exemsdtc.exemsiexec.exeperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
2924	alg.exe
2656	aspnet_state.exe
2900	mscorsvw.exe
2480	mscorsvw.exe
572	elevation_service.exe
1644	GROOVE.EXE
836	maintenanceservice.exe
2180	OSE.EXE
1964	OSPPSVC.EXE
2232	mscorsvw.exe
1904	mscorsvw.exe
2784	mscorsvw.exe
2868	mscorsvw.exe
2476	mscorsvw.exe
1680	mscorsvw.exe
1796	mscorsvw.exe
2064	mscorsvw.exe
1132	mscorsvw.exe
1912	mscorsvw.exe
2016	mscorsvw.exe
2164	mscorsvw.exe
1744	mscorsvw.exe
2996	mscorsvw.exe
2160	mscorsvw.exe
2072	mscorsvw.exe
1468	mscorsvw.exe
2392	mscorsvw.exe
1928	mscorsvw.exe
3044	mscorsvw.exe
3048	mscorsvw.exe
2812	mscorsvw.exe
1388	mscorsvw.exe
2024	mscorsvw.exe
1052	mscorsvw.exe
2600	mscorsvw.exe
2424	mscorsvw.exe
1728	dllhost.exe
1772	ehRecvr.exe
1332	ehsched.exe
2188	IEEtwCollector.exe
1608	msdtc.exe
944	msiexec.exe
1136	perfhost.exe
1596	locator.exe
616	snmptrap.exe
2456	vds.exe
2072	vssvc.exe
2868	wbengine.exe
2424	WmiApSrv.exe
3056	wmpnetwk.exe
1604	SearchIndexer.exe
2224	mscorsvw.exe
2396	mscorsvw.exe
1760	mscorsvw.exe
2916	mscorsvw.exe
940	mscorsvw.exe
3020	mscorsvw.exe
2084	mscorsvw.exe
1676	mscorsvw.exe
2516	mscorsvw.exe
2604	mscorsvw.exe
2916	mscorsvw.exe
2780	mscorsvw.exe

Loads dropped DLL 55 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
468
468
468
468
468
468
468
944	msiexec.exe
468
468
468
468
468
756
940	mscorsvw.exe
940	mscorsvw.exe
2084	mscorsvw.exe
2084	mscorsvw.exe
2516	mscorsvw.exe
2516	mscorsvw.exe
2916	mscorsvw.exe
2916	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2540	mscorsvw.exe
2540	mscorsvw.exe
1780	mscorsvw.exe
1780	mscorsvw.exe
1340	mscorsvw.exe
1340	mscorsvw.exe
2576	mscorsvw.exe
2576	mscorsvw.exe
1624	mscorsvw.exe
1624	mscorsvw.exe
2628	mscorsvw.exe
2628	mscorsvw.exe
1956	mscorsvw.exe
1956	mscorsvw.exe
992	mscorsvw.exe
992	mscorsvw.exe
1548	mscorsvw.exe
1548	mscorsvw.exe
1780	mscorsvw.exe
1780	mscorsvw.exe
2220	mscorsvw.exe
2220	mscorsvw.exe
2476	mscorsvw.exe
2476	mscorsvw.exe
2916	mscorsvw.exe
2916	mscorsvw.exe
1152	mscorsvw.exe
1152	mscorsvw.exe
1936	mscorsvw.exe
1936	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

Processes:

aspnet_state.exeSearchProtocolHost.exemscorsvw.exemsdtc.exe2024-05-24_135ecd9629aaf6ade5b24eabffc12913_bkransomware.exealg.exeGROOVE.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_135ecd9629aaf6ade5b24eabffc12913_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ab6ff9c2ae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeaspnet_state.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	aspnet_state.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exealg.exemscorsvw.exemsdtc.exedllhost.exemscorsvw.exe

description	ioc	process
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP11AD.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP255C.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2FD7.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2A5B.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP23B6.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP225F.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8CAC5F26-D712-4435-8A07-89D1BAFE358C}.crmlog	dllhost.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2CEA.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

wmpnetwk.exeehRec.exeSearchIndexer.exemscorsvw.exeSearchProtocolHost.exeOSPPSVC.EXEehRecvr.exeSearchFilterHost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32822 = "Everywhere"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0839049f7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-101 = "Chrysanthemum"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591 = "Windows Easy Transfer Reports"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Journal\Journal.exe,-3075 = "Create notes in your own handwriting. You can leave your notes in ink and search your handwriting or convert your notes to typed text."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005011634bf7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103 = "Disk Defragmenter"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{C4A1AFA1-2D8F-41CF-AA4E-81F4E38F8C52}	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ehRec.exeaspnet_state.exe

pid process

2256 ehRec.exe
2656 aspnet_state.exe
2656 aspnet_state.exe
2656 aspnet_state.exe
2656 aspnet_state.exe
2656 aspnet_state.exe

pid	process
2256	ehRec.exe
2656	aspnet_state.exe
2656	aspnet_state.exe
2656	aspnet_state.exe
2656	aspnet_state.exe
2656	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_135ecd9629aaf6ade5b24eabffc12913_bkransomware.exemscorsvw.exemscorsvw.exealg.exeaspnet_state.exeEhTray.exemsiexec.exeehRec.exevssvc.exewbengine.exeSearchIndexer.exewmpnetwk.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2772	2024-05-24_135ecd9629aaf6ade5b24eabffc12913_bkransomware.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: SeDebugPrivilege	2924	alg.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2656	aspnet_state.exe
Token: 33	3048	EhTray.exe
Token: SeIncBasePriorityPrivilege	3048	EhTray.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeRestorePrivilege	944	msiexec.exe
Token: SeTakeOwnershipPrivilege	944	msiexec.exe
Token: SeSecurityPrivilege	944	msiexec.exe
Token: SeDebugPrivilege	2256	ehRec.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: SeBackupPrivilege	2072	vssvc.exe
Token: SeRestorePrivilege	2072	vssvc.exe
Token: SeAuditPrivilege	2072	vssvc.exe
Token: SeBackupPrivilege	2868	wbengine.exe
Token: SeRestorePrivilege	2868	wbengine.exe
Token: SeSecurityPrivilege	2868	wbengine.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: SeDebugPrivilege	2656	aspnet_state.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: 33	3048	EhTray.exe
Token: SeIncBasePriorityPrivilege	3048	EhTray.exe
Token: SeManageVolumePrivilege	1604	SearchIndexer.exe
Token: 33	1604	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1604	SearchIndexer.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: 33	3056	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	3056	wmpnetwk.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	2480	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

3048 EhTray.exe
3048 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

3048 EhTray.exe
3048 EhTray.exe

pid	process
3048	EhTray.exe
3048	EhTray.exe

pid	process
3048	EhTray.exe
3048	EhTray.exe

Suspicious use of SetWindowsHookEx 33 IoCs

Processes:

2024-05-24_135ecd9629aaf6ade5b24eabffc12913_bkransomware.exeSearchProtocolHost.exeSearchProtocolHost.exe

pid	process
2772	2024-05-24_135ecd9629aaf6ade5b24eabffc12913_bkransomware.exe
2772	2024-05-24_135ecd9629aaf6ade5b24eabffc12913_bkransomware.exe
2772	2024-05-24_135ecd9629aaf6ade5b24eabffc12913_bkransomware.exe
2080	SearchProtocolHost.exe
2080	SearchProtocolHost.exe
2080	SearchProtocolHost.exe
2080	SearchProtocolHost.exe
2080	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe
3016	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exe

description	pid	process	target process
PID 2480 wrote to memory of 2232	2480	mscorsvw.exe	mscorsvw.exe
PID 2480 wrote to memory of 2232	2480	mscorsvw.exe	mscorsvw.exe
PID 2480 wrote to memory of 2232	2480	mscorsvw.exe	mscorsvw.exe
PID 2480 wrote to memory of 1904	2480	mscorsvw.exe	mscorsvw.exe
PID 2480 wrote to memory of 1904	2480	mscorsvw.exe	mscorsvw.exe
PID 2480 wrote to memory of 1904	2480	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2784	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2784	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2784	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2784	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2868	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2868	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2868	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2868	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2476	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2476	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2476	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2476	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1680	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1680	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1680	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1680	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1796	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1796	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1796	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1796	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2064	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2064	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2064	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2064	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1132	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1132	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1132	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1132	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1912	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1912	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1912	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1912	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2016	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2016	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2016	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2016	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2164	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2164	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2164	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2164	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1744	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1744	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1744	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1744	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2996	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2996	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2996	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2996	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2160	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2160	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2160	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2160	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2072	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2072	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2072	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 2072	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1468	2900	mscorsvw.exe	mscorsvw.exe
PID 2900 wrote to memory of 1468	2900	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_135ecd9629aaf6ade5b24eabffc12913_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_135ecd9629aaf6ade5b24eabffc12913_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2772

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 254 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 244 -NGENProcess 1d8 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1d8 -NGENProcess 24c -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1d4 -NGENProcess 268 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 26c -NGENProcess 1d8 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 268 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 24c -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 260 -NGENProcess 248 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 270 -NGENProcess 280 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1d8 -NGENProcess 248 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 27c -NGENProcess 288 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 23c -NGENProcess 248 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 284 -NGENProcess 290 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 24c -NGENProcess 248 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 294 -NGENProcess 28c -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 280 -NGENProcess 248 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 29c -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 28c -Pipe 298 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a8 -NGENProcess 248 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2b0 -NGENProcess 2a8 -Pipe 294 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1052

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2232

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1904

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1bc -NGENProcess 1b0 -Pipe 234 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2224

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 258 -NGENProcess 230 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2396

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 260 -NGENProcess 248 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 24c -NGENProcess 248 -Pipe 1bc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2916

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 210 -NGENProcess 250 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:940

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 250 -NGENProcess 258 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3020

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 250 -NGENProcess 230 -Pipe 210 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2084

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 230 -NGENProcess 1b0 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1676

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 278 -NGENProcess 24c -Pipe 22c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 24c -NGENProcess 250 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2604

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 230 -NGENProcess 1b0 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2916

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 1b0 -NGENProcess 278 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2780

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 288 -NGENProcess 250 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 230 -NGENProcess 290 -Pipe 1b0 -Comment "NGen Worker Process"
2⤵
PID:1108

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 270 -NGENProcess 294 -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2540

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 250 -NGENProcess 298 -Pipe 274 -Comment "NGen Worker Process"
2⤵
PID:2584

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 290 -NGENProcess 29c -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1780

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 294 -NGENProcess 2a0 -Pipe 27c -Comment "NGen Worker Process"
2⤵
PID:2132

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 288 -NGENProcess 29c -Pipe 230 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1340

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 29c -NGENProcess 278 -Pipe 290 -Comment "NGen Worker Process"
2⤵
PID:2476

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2ac -NGENProcess 2a0 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2a0 -NGENProcess 288 -Pipe 250 -Comment "NGen Worker Process"
2⤵
PID:3036

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2a0 -NGENProcess 2ac -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1624

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2ac -NGENProcess 29c -Pipe 288 -Comment "NGen Worker Process"
2⤵
PID:1612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2b8 -NGENProcess 2a4 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2628

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a4 -NGENProcess 2a0 -Pipe 298 -Comment "NGen Worker Process"
2⤵
PID:2888

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a0 -NGENProcess 2ac -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2b4 -NGENProcess 2c8 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
PID:1028

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 294 -NGENProcess 2ac -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:992

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2ac -NGENProcess 2b0 -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
PID:2256

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2d0 -NGENProcess 2c8 -Pipe 29c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1548

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2ac -NGENProcess 2cc -Pipe 2bc -Comment "NGen Worker Process"
2⤵
PID:928

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2c0 -NGENProcess 2d4 -Pipe 2b4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1780

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2d4 -NGENProcess 2d0 -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
PID:2600

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2e0 -NGENProcess 2cc -Pipe 294 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2220

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2cc -NGENProcess 2c0 -Pipe 2dc -Comment "NGen Worker Process"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2268

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2ac -Comment "NGen Worker Process"
2⤵
PID:2760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2e4 -Pipe 2b8 -Comment "NGen Worker Process"
2⤵
PID:940

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2c0 -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
PID:2460

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f0 -NGENProcess 2ec -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
PID:1340

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2476

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f0 -NGENProcess 2e8 -Pipe 2cc -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2916

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2fc -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
PID:1004

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2b0 -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1152

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2b0 -NGENProcess 2f0 -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
PID:1804

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 30c -NGENProcess 2fc -Pipe 300 -Comment "NGen Worker Process"
2⤵
PID:2220

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2f8 -NGENProcess 314 -Pipe 2b0 -Comment "NGen Worker Process"
2⤵
PID:1956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 318 -Pipe 310 -Comment "NGen Worker Process"
2⤵
PID:1224

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2fc -NGENProcess 31c -Pipe 304 -Comment "NGen Worker Process"
2⤵
PID:1664

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2c0 -NGENProcess 318 -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
PID:856

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 324 -NGENProcess 308 -Pipe 320 -Comment "NGen Worker Process"
2⤵
PID:3048

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 30c -NGENProcess 2f8 -Pipe 31c -Comment "NGen Worker Process"
2⤵
PID:2132

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 2c0 -NGENProcess 32c -Pipe 324 -Comment "NGen Worker Process"
2⤵
PID:1224

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2fc -NGENProcess 2f8 -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:1576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2d8 -NGENProcess 2ec -Pipe 318 -Comment "NGen Worker Process"
2⤵
PID:1984

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 334 -NGENProcess 32c -Pipe 308 -Comment "NGen Worker Process"
2⤵
PID:2788

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2f8 -Pipe 314 -Comment "NGen Worker Process"
2⤵
PID:2944

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2ec -Pipe 328 -Comment "NGen Worker Process"
2⤵
PID:2084

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 32c -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
PID:2264

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2f8 -Pipe 2fc -Comment "NGen Worker Process"
2⤵
PID:840

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 2ec -NGENProcess 348 -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
PID:2836

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 34c -NGENProcess 32c -Pipe 334 -Comment "NGen Worker Process"
2⤵
PID:2576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 34c -NGENProcess 2ec -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
PID:884

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 338 -NGENProcess 32c -Pipe 33c -Comment "NGen Worker Process"
2⤵
PID:600

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 350 -NGENProcess 35c -Pipe 34c -Comment "NGen Worker Process"
2⤵
PID:1832

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 350 -NGENProcess 358 -Pipe 32c -Comment "NGen Worker Process"
2⤵
PID:1740

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 35c -Pipe 348 -Comment "NGen Worker Process"
2⤵
PID:2132

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 364 -NGENProcess 344 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1936

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 354 -NGENProcess 36c -Pipe 350 -Comment "NGen Worker Process"
2⤵
PID:2156

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 360 -NGENProcess 344 -Pipe 340 -Comment "NGen Worker Process"
2⤵
PID:2788

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 30c -NGENProcess 368 -Pipe 374 -Comment "NGen Worker Process"
2⤵
PID:2816

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 30c -NGENProcess 360 -Pipe 370 -Comment "NGen Worker Process"
2⤵
PID:1028

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 360 -NGENProcess 378 -Pipe 37c -Comment "NGen Worker Process"
2⤵
PID:2768

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 35c -NGENProcess 358 -Pipe 36c -Comment "NGen Worker Process"
2⤵
PID:1956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 380 -NGENProcess 338 -Pipe 344 -Comment "NGen Worker Process"
2⤵
PID:1832

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 378 -Pipe 368 -Comment "NGen Worker Process"
2⤵
PID:1396

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 384 -NGENProcess 360 -Pipe 358 -Comment "NGen Worker Process"
2⤵
PID:1744

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 360 -NGENProcess 38c -Pipe 390 -Comment "NGen Worker Process"
2⤵
PID:2904

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 30c -NGENProcess 364 -Pipe 354 -Comment "NGen Worker Process"
2⤵
PID:1984

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 394 -NGENProcess 388 -Pipe 338 -Comment "NGen Worker Process"
2⤵
PID:1100

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 360 -NGENProcess 39c -Pipe 30c -Comment "NGen Worker Process"
2⤵
PID:1488

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 378 -NGENProcess 388 -Pipe 380 -Comment "NGen Worker Process"
2⤵
PID:2132

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 398 -NGENProcess 3a4 -Pipe 360 -Comment "NGen Worker Process"
2⤵
PID:2816

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 364 -NGENProcess 388 -Pipe 39c -Comment "NGen Worker Process"
2⤵
PID:2268

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 384 -NGENProcess 10c -Pipe 378 -Comment "NGen Worker Process"
2⤵
PID:2432

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 35c -NGENProcess 3a4 -Pipe 108 -Comment "NGen Worker Process"
2⤵
PID:1676

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 3a8 -NGENProcess 388 -Pipe 394 -Comment "NGen Worker Process"
2⤵
PID:1308

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 10c -Pipe 3a0 -Comment "NGen Worker Process"
2⤵
PID:2888

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 35c -NGENProcess 3b0 -Pipe 3a8 -Comment "NGen Worker Process"
2⤵
PID:2944

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 364 -NGENProcess 10c -Pipe 38c -Comment "NGen Worker Process"
2⤵
PID:2088

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 3b4 -NGENProcess 3ac -Pipe 388 -Comment "NGen Worker Process"
2⤵
PID:1960

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 3b0 -Pipe 194 -Comment "NGen Worker Process"
2⤵
PID:2956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 10c -Pipe 3a4 -Comment "NGen Worker Process"
2⤵
PID:3020

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3b4 -NGENProcess 3c4 -Pipe 3b8 -Comment "NGen Worker Process"
2⤵
PID:1444

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3ac -NGENProcess 3c8 -Pipe 3c0 -Comment "NGen Worker Process"
2⤵
PID:2704

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 35c -NGENProcess 3c4 -Pipe 3a0 -Comment "NGen Worker Process"
2⤵
PID:1548

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 10c -NGENProcess 3b4 -Pipe 3d0 -Comment "NGen Worker Process"
2⤵
PID:2224

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 10c -InterruptEvent 3b0 -NGENProcess 3cc -Pipe 364 -Comment "NGen Worker Process"
2⤵
PID:1684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3d4 -NGENProcess 3c4 -Pipe 3bc -Comment "NGen Worker Process"
2⤵
PID:1332

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3c4 -NGENProcess 10c -Pipe 3b4 -Comment "NGen Worker Process"
2⤵
PID:1592

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3dc -NGENProcess 3cc -Pipe 3ac -Comment "NGen Worker Process"
2⤵
PID:580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3d4 -NGENProcess 3e4 -Pipe 3c4 -Comment "NGen Worker Process"
2⤵
PID:2984

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 35c -NGENProcess 3cc -Pipe 3b0 -Comment "NGen Worker Process"
2⤵
PID:1004

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 3cc -NGENProcess 3e0 -Pipe 3dc -Comment "NGen Worker Process"
2⤵
PID:1780

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3ec -NGENProcess 3e4 -Pipe 398 -Comment "NGen Worker Process"
2⤵
PID:624

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3e8 -Pipe 3d8 -Comment "NGen Worker Process"
2⤵
PID:2256

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3cc -NGENProcess 3f8 -Pipe 3ec -Comment "NGen Worker Process"
2⤵
PID:2132

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d4 -NGENProcess 3e8 -Pipe 3c8 -Comment "NGen Worker Process"
2⤵
PID:2452

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 3f4 -NGENProcess 404 -Pipe 3cc -Comment "NGen Worker Process"
2⤵
PID:1956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 10c -NGENProcess 3e8 -Pipe 35c -Comment "NGen Worker Process"
2⤵
PID:1612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 10c -InterruptEvent 408 -NGENProcess 3d4 -Pipe 3e4 -Comment "NGen Worker Process"
2⤵
PID:1960

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 3f4 -NGENProcess 410 -Pipe 10c -Comment "NGen Worker Process"
2⤵
PID:440

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 404 -NGENProcess 414 -Pipe 40c -Comment "NGen Worker Process"
2⤵
PID:1860

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 414 -NGENProcess 3fc -Pipe 418 -Comment "NGen Worker Process"
2⤵
PID:1260

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 3fc -NGENProcess 410 -Pipe 41c -Comment "NGen Worker Process"
2⤵
PID:1548

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 3e8 -NGENProcess 3f8 -Pipe 408 -Comment "NGen Worker Process"
2⤵
PID:740

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 420 -NGENProcess 404 -Pipe 3f4 -Comment "NGen Worker Process"
2⤵
PID:2704

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:572

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1644

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:836

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2180

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2600

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2424

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1728

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1772

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1332

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3048

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2188

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1608

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1136

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1596

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:616

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2456

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2424

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
2⤵
- Suspicious use of SetWindowsHookEx
PID:2080

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
2⤵
- Modifies data under HKEY_USERS
PID:476

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3016

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
706KB

MD5
e93856367c1947817d139efcf0e2b2f6

SHA1
68d5f2f5c8b5c3b5fec7e7fd2714687730b0c51f

SHA256
8b8f89477f6dff19cb1e97ddc674fd0a5789e22af5ab755116a29a02a04c4328

SHA512
58852f5f1095e3d8e027cf5431fb9578fc593efa04936b70b6a89f2880a75b1b2449dceec96f1f4e3724f3d2953338fd6e9f08c62c67906505c558e9ea01a492

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
6c0e4a3ca3544f642290037c8466c3c8

SHA1
2c2d32c0d17ea63dbde13e08fa614710695520e2

SHA256
9d86cf4cd95c6c35860631055d13e52e2a355a0909f871e1afedce4c75dc4807

SHA512
999475c78edeb9f81ba2eec8af2430c9815a9f3d5a5e41b881dad108f382a92defd3b79bfa60f36e1863bb39be1605ec914ce0eb96d712814b116150541a58af

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
7f6d508ebec880ef52ed959ecbc17d6d

SHA1
40e2f649f521ecaaa5f0f94ac290045c5bbdccbe

SHA256
aa5dafc7c16cc49551b91980c8946cfa1a57a81d5b7e6c910a678dd6eb82564d

SHA512
1fe92505b58a8f576cca7bf65e550655ecdfcf12b7d29adeebfebdae6ddcfa50823c9108e5c5361510469878ae59db612aed459540b93249932a486589650dcb

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
bc20a41efb30e17bca2116cd9064b103

SHA1
be6681ce7497633e5aea9d91c852545676afd752

SHA256
b38a212c51b137d552039a976a3ba1049f76805e3432eb731f810d33c5d42897

SHA512
4f6fa7bde442fa1283890b88a152c6173b67cccaa95f72029305cf017791e9a1907df417cbce3f726b32f75f5f48de22d2a69f58c36c9c839086c889f9bd304e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
d965a5e44252045d375421f5b8f6477e

SHA1
47235815b51d2c64182abfb64482385d7f87ad8d

SHA256
5eee07ba1e1a9399e28e38b7c1878614cab2e1a1e5515fffa939f2233dac875c

SHA512
723e29ab489971dad1edb50fa8117a425b21af1f485103ee579af44823383afc97f8672390484c00fd4a9fdc9c826d6b1fc71cbdf69cb193bd519ae09abae880

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
f551b7c49f031af71ee4aa25638b5b0a

SHA1
0197abbc46b9c10069e66cafd670880af8dc8bda

SHA256
52924a742c4284669ac2d34f6cc7852c108c2c94f92ab0dab8913afead1f74c2

SHA512
a73e50f32c9c2bc8379734c20d9de5665028c426989090150dfe42c435e016cea2f1a30add42f8d85f8744d50cfba8c16d29009795fae03e9c2a2e2fcc163be9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
603KB

MD5
8e15833ded5e1492d53d640cd7dfb85b

SHA1
335735891096445e20e125f9a18504be2f429451

SHA256
230b2ae43b281a68f49fdff9ebfd035d4235378777135c111535f1d136582a5f

SHA512
32605182e580b9378fe0aef31f74880ee3a2a5bd939a95cfbf4bf9e575771948d4a23604da9c0e1c49a519095ef3221ada93369b56c42434044887466f7a0ff0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
678KB

MD5
34039d5124b9f8c4d4d72b4158222ddb

SHA1
5f2a44b5453c0353b14128678851bdfac5374e8e

SHA256
7a248241f4237ec642e495062a9e82e413bf0f3b67459836046bc60fb31a875d

SHA512
686bb8acb51cfe3a11f7fbb986120b0b31c34a52afa4a996145dc9f9a98ee78943261aea4db0211ffc2ebfd7e58a8d29283a501606b34f1c6f78296368e735c9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
274438fcb1d3410fbc4e403e3156949c

SHA1
676139c2aa07d0e7d4b4c5eeef0ab71af4a06a84

SHA256
95df09b2b9505ac9181cd0731f075b5e7710d63b42986baf4a4e137ed8b3e0ed

SHA512
ac521c64d3dcbfb44badff5b94a775b609f4b99868c5bc46318cf1f1d76074c764f061d1b56af4b6117e23ca4cf6076b00f08be779b6ba49b1654c17245db130

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
625KB

MD5
b292e9db475011315b7c88f1762a27af

SHA1
9fa89a0afc23517ff6875176eed1abc696a26b9e

SHA256
d3748992d89e82e9f21eeb6ddf1e39affa0e5baf876b37d0145e54d405dde914

SHA512
6f7524c646aeef8977cc7bae6685e69e391f7ac071118f2cab71b853a9401af23e03290ca53b9544821c909e5501318c1a3b24dae112b5965cbdf80875b48673

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
e1ce5b30b8e1647aa9a502032b94a54e

SHA1
082ee5e45b888a15db6d10ac9e295af2c83bb888

SHA256
1df64ce48dca1b3874ac3da15bb4b8de502dbece58102051d6976799cf2c9e84

SHA512
688c6452093c1228a17bc3c414549938f06d487a047e47ef0100d5c2d49d492fdcfcf2453aff370a66aa245d1041cfa93f3e03cfd42921fbe66f20fa562dc986

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
656KB

MD5
bb8578317f0d6bf576bd24278feaba91

SHA1
590e0cc5857b1d1651420323a1f00b91edb8f389

SHA256
2d8610fc6e87c8137b4060bad743e94e9712e232e582ec0b815be4acb778112a

SHA512
1929dd130d89c8b28e3a2f4d22302583e7f7c8541e48f840d6bb464c180424ef6f180a50b1e9cc8e9eb44ec879f68f2370e8b4d98caf3097a7f3e404c20efddf

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
587KB

MD5
cbd55083afa6fcab12f105ad59587499

SHA1
2bb5dcb235a3bc4860e575b7f55c7665be4e013f

SHA256
307e59fe4561e22ffc3937d8148d1a677d93d205e09e2d09421af15393f43ed3

SHA512
47e021784838f7e5e91a1e0c969db4364f58bd281f1ec41f6e1535dda7b5b41f5a9379eae6639e282ee18d22d79d21e0433bf9fccb4ca04a723cde625baca819

Download Submit
C:\Windows\System32\Locator.exe
Filesize
577KB

MD5
e50fdc5dc8c4c53a33267bd5e235a520

SHA1
60c98cd47be790f8c20cf1b36b461b145410469c

SHA256
a10bad90e3b468bb4b65e87522e65ee5b30724c3067886df7aa7338f5d5ee6c9

SHA512
cb39abaa778171a46d3e2d699129a06ec038a35b096ef03c19698d8e8df0b57f5ae99dc27f8fad8886cde1552d5ac3f27d4f81d9f1887ce688e0e1dbcf795d0f

Download Submit
C:\Windows\System32\dllhost.exe
Filesize
577KB

MD5
51d3d05b6b264d1236237cb182648965

SHA1
bc3cdbb529090e7a118e9727886d92fe2755abb7

SHA256
8b50857134b1a444390f90b5374cd6036fbf259b1f14fef8ba142174804a8f6c

SHA512
41cb51b537b433598d63f837982be60afcd573fdd58a25f10d94a0328a7c2294653f28ea4a93a44ebb75d47e2ac1cc9218923aaf43e7fdf325d0a0fc9bb8c719

Download Submit
C:\Windows\System32\ieetwcollector.exe
Filesize
674KB

MD5
10d53071eed7bec87b26f0ac423760e3

SHA1
b1a4d4e55a2c93a10b517ee65501990bf35b08eb

SHA256
49766adf25c4af2e54be7f2c2d57dc2fa48dd07cb8013ffb5a12efa0d50337af

SHA512
3bf9ef9d3a7f9845404a329872e306c860aa4457fd6f48915246658298354c67a7e00bc303722e4e30fafc72575d770e76646c741d16c51b4b77c8e712628f54

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.1MB

MD5
bb9af28aadee5494770df787e6996cbd

SHA1
d6b226e7c74c54da1e06b758cc65851dd2f5ea28

SHA256
bc3ce9db8b4f589fb2278c006984d0e7113d621da17a75f9784cb039dc1aea75

SHA512
62031129bde1254996cd6eb839465cc27ed275d28ad10f115728e1a4beb010ce069b26ba1c301f5d56632ed1498913af703a705131e6122797ebf2ab91f940d9

Download Submit
C:\Windows\Temp\Cab99A1.tmp
Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar9B48.tmp
Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll
Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll
Filesize
1.1MB

MD5
7835e60e560a49049ae728698da3d301

SHA1
87b357b1b3c9a2ad2f3b89b10a42af021ab76afe

SHA256
df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa

SHA512
b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize
238KB

MD5
0a4ed78b7995d94fa42379f84cd5f8e9

SHA1
90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b

SHA256
0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86

SHA512
86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize
1.8MB

MD5
9958f23efa2a86f8195f11054f94189a

SHA1
78ec93b44569ea7ebce452765568da5c73511931

SHA256
3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6

SHA512
3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\0621c33130c0e98b8f4770e9e8279cd3\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
122KB

MD5
38425c1761f6d1127712207d827626aa

SHA1
94bf1efa5ad9535661892c448541a9057954f74c

SHA256
562a542507a2771f9ed75c6ac2aea5835da7370486903b67f7175f8d517aa49f

SHA512
6f0e4b330f3e75324a1fb0f430efe7a98ef6c8ab4cf46eaf38cfcf6629f02511629527530f79c5861d506f9e6eee9dcf05f168d22b7f017589732a639e42ce05

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\64c50aa67ae43c717f4ee68f6925a4fb\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
305KB

MD5
6afe267fdfe0d71ff0cc3afabca8d4ae

SHA1
6f6b1ce108095479965574ddda0ebaa1bc2854af

SHA256
5d2f5397ee5375c7dc0d68a6b9f61ccaf68623d0abdac8f8b780e9f30ce38a66

SHA512
b305c568d54bf72c9a6dc1f82419b64d5682cf89999e821d2eb655164e88f8b28b48ac3c7bd6ead1400564bc35c180b6e6a490c5fe69d63afecd76f33826a9e6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9a36373f175be21bdd3db61c5c022c34\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
221KB

MD5
2987b99153f2c03d07a63e67ebb84c6c

SHA1
6ec9a2b44520581b45c0c015354e9dffbed468ec

SHA256
d064f6153785a1cf61f951575a4041d66a79e1b546a2b0f651f359504fd930f1

SHA512
e2272e8ac405e3a7c7ad813b1c0f75a0fd6ff0fbef026988769b2c8d8bb89107dde905d1441f5744c829f83124383bdbb83addd5575796116a0125893d68b268

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd6618bad35efd4925e6e5a593278207\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
271KB

MD5
9bc84d7a117ee35d124c5f3d3c2ace65

SHA1
3a34881b31b7e08a146ea4e73fb2cbe1368adc18

SHA256
413062043d79591971927fcf3955462f2337bf7dc1f3ee16aea3920dd7cbc5e2

SHA512
4229f9b7b56ecf1cc33635406755af54bfc5e24ec3cdcf475ca1c55b995d85cd4b516f47e0a43492da5f128a13b26140c8718016369fc5b69276746cca3ba9ff

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll
Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll
Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll
Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
b09da7d341dab783f617106df9892f1c

SHA1
2ac630c498f447d98cd191785e57b1c3eb6044aa

SHA256
8c99483ea14d8627db37137d8f58c2aec6bf51539dd5576cb9e8af49cd7e2f26

SHA512
97c137173cf4200c6deefaf0ec0f4e561ebc932a7fb8ce1a85de495c4e31989e8ea07f4d9c1d6e0288844ca9e641f5c64bd36a76afa8fdc47fa6985c5a5a192a

Download Submit
C:\Windows\ehome\ehsched.exe
Filesize
691KB

MD5
e9f0fdbe6ef68a7da0a34fa29c40a15a

SHA1
bc487a0fea15988da0926e682bb5c49913c9b248

SHA256
152c13c8b09f7b7066fbd8183e3b250610fd51aa8ac38e9b6473100ca57e04cb

SHA512
104f88b04fd599d767234a93857f3013e93370eff76b42a0811c3d79a9b6d2d792b968e7a75ca9f62af182a66a5f3de27fce8cf4185ac1b92f285c610cb1fb0b

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
648KB

MD5
72b1c303c2fadb980a004aa779078dcb

SHA1
3852956f13b2b029c6a2299cafa4bafadd2636c0

SHA256
96b33f07d61ed66171e99e63af1dac39497dd50cb10b502224c5e37f3e92f3e1

SHA512
2495fa31beda21fe8bada98ffcc983efe61824e0487b1d1bfca2d327b0c455bd899636ad3fda5ae27ef1090bb55df16913f6aaeb3a5d9e1ebcfc3f809f81c84e

Download Submit
\Windows\System32\alg.exe
Filesize
644KB

MD5
8add6bff431bc6f0d82d78010d51400e

SHA1
4725415ef2152913564a4cf4611655638e518409

SHA256
692287eb680a5f94f1cfbaa808f72422665658ef31f9e1b231596b785a852a20

SHA512
6ee5507f86b42ec5969a6a07ce10dc68d962fab4b4b0e3aacc2dc0c814cba458e9894d77467bbe26661af909c1be760c07906c1006c96c89b89fa68df3b90c89

Download Submit
\Windows\System32\msdtc.exe
Filesize
705KB

MD5
557ab41137393dbb9315e620126ed3da

SHA1
f29f3d426e6fafacf1c6bc7e9913802ba59b6f37

SHA256
759c3a6f0eeddacdabe427a2b765d41d7b59eea073218140206078f9f3fa1bae

SHA512
20df7ca01606e3e9c57686711f7fb1e6d224398073e2c1536c015218eba2c2db87a6d257400acbc55ac3ca5ae5c5cbe1be1c4f968e793a8f6337a0320ffdfcc2

Download Submit
\Windows\System32\msiexec.exe
Filesize
691KB

MD5
c6cd45e98698e5053ccfbe6c9c7e1100

SHA1
94255c0cc5f227ae2224e3a98fe42af8cce22c34

SHA256
bb048b32d26ad62f2576512f22e6385470a3ffed9ae36809ee700067929b366a

SHA512
66cace64462fca0fdda7d1901a69142fe64a313818c0ad6ffe169f068b31853c414df189941752310510c8624f4178851834ceaa6408eec8cada8ce8a5b74008

Download Submit
\Windows\System32\snmptrap.exe
Filesize
581KB

MD5
290de62a95d79fb2e665258b3be88eb8

SHA1
371ddadde100e4b485e6c0f487958662c2cc2e00

SHA256
985cdf878e1d010619ed4e7dc5c0966498127d302a02c909438ce1300955dd90

SHA512
444eb40d04c38bc76e52022badefdb58a4a70691cc8387377333f6e1da6f17b6c9ff77c7c31527fe2877b87ea87770e078f044908b78c1b85184dcc1404e050d

Download Submit
memory/572-68-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/572-337-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/572-69-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/572-75-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/616-906-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/616-731-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/836-88-0x0000000000B10000-0x0000000000B70000-memory.dmp

Filesize
384KB

Download
memory/836-97-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/836-101-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/836-95-0x0000000000B10000-0x0000000000B70000-memory.dmp

Filesize
384KB

Download
memory/944-692-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/944-703-0x00000000004E0000-0x0000000000592000-memory.dmp

Filesize
712KB

Download
memory/944-800-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/944-894-0x00000000004E0000-0x0000000000592000-memory.dmp

Filesize
712KB

Download
memory/1052-580-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1132-384-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1132-402-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1136-903-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1136-708-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1332-765-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1332-651-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1388-566-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1468-486-0x0000000003BE0000-0x0000000003C9A000-memory.dmp

Filesize
744KB

Download
memory/1468-476-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1468-490-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1596-905-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1596-719-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1604-809-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1608-797-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1608-679-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1644-96-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1644-84-0x00000000009B0000-0x0000000000A17000-memory.dmp

Filesize
412KB

Download
memory/1644-341-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1644-79-0x00000000009B0000-0x0000000000A17000-memory.dmp

Filesize
412KB

Download
memory/1680-366-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1728-743-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1728-623-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1744-442-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1772-754-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1772-639-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1796-370-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1904-297-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1904-261-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1912-416-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1912-405-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1928-508-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1928-513-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1964-123-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1964-378-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2016-419-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2024-577-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2024-565-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2064-379-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2064-393-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2072-485-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2072-931-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2072-755-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2160-471-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2164-438-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2180-356-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2180-111-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2188-672-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2188-778-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2224-928-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2224-913-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2232-264-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2232-242-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2392-509-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2396-940-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2396-927-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2424-600-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2424-779-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2424-635-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2456-752-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2456-926-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2476-354-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2476-342-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2480-317-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2480-58-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2480-60-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2480-52-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2600-586-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2600-620-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2656-28-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2656-35-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2656-207-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2656-29-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2772-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2772-0-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2772-12-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2772-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2784-313-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2784-328-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2812-552-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2812-534-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2868-340-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2868-774-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2868-323-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2868-951-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2900-252-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2900-45-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2900-40-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2900-39-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2916-952-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2924-104-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2924-22-0x00000000003C0000-0x0000000000420000-memory.dmp

Filesize
384KB

Download
memory/2924-16-0x00000000003C0000-0x0000000000420000-memory.dmp

Filesize
384KB

Download
memory/2924-15-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2996-460-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3044-531-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3048-543-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3056-799-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download