e0fa3ed1f36249f1ffb11b2d82d28cae466d6041939b3eeb59257293333d5bac

Analysis

max time kernel
146s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Size

1.8MB
MD5

132cb4ec98efb04f0d95c6b2b6e12db8
SHA1

552b78fb5bf9f36d80ba293628a6b3c0648817b7
SHA256

e0fa3ed1f36249f1ffb11b2d82d28cae466d6041939b3eeb59257293333d5bac
SHA512

4e69489859683a7b328cec595d3ab339816bf9e289228a558fecb93c668807e89ab49e826a405a32c096bfd775b4a268a35a9ac13a9ed0ecc553f297ebdec3a9
SSDEEP

49152:yE19+ApwXk1QE1RzsEQPaxHNgvu6olbnoQx1:X93wXmoKyu6otnoq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
472	Process not Found
2448	alg.exe
2504	aspnet_state.exe
2392	mscorsvw.exe
2468	mscorsvw.exe
1512	mscorsvw.exe
2568	mscorsvw.exe
1480	ehRecvr.exe
1960	ehsched.exe
1096	elevation_service.exe
3012	IEEtwCollector.exe
3048	GROOVE.EXE
2740	maintenanceservice.exe
1332	msdtc.exe
2708	msiexec.exe
2188	OSE.EXE
2320	OSPPSVC.EXE
2924	perfhost.exe
2368	locator.exe
2268	snmptrap.exe
2476	vds.exe
964	vssvc.exe
2616	wbengine.exe
1276	mscorsvw.exe
1044	WmiApSrv.exe
2104	wmpnetwk.exe
2768	SearchIndexer.exe
112	mscorsvw.exe
108	mscorsvw.exe
2896	mscorsvw.exe
2312	mscorsvw.exe
2380	mscorsvw.exe
1828	mscorsvw.exe
808	mscorsvw.exe
2632	mscorsvw.exe
436	mscorsvw.exe
916	mscorsvw.exe
2712	mscorsvw.exe
1472	mscorsvw.exe
2804	mscorsvw.exe
1052	mscorsvw.exe
1828	mscorsvw.exe
1832	mscorsvw.exe
3060	mscorsvw.exe
2232	mscorsvw.exe
1732	mscorsvw.exe
2236	mscorsvw.exe
3000	mscorsvw.exe
1580	mscorsvw.exe
2804	mscorsvw.exe
2464	mscorsvw.exe
3056	dllhost.exe
2360	mscorsvw.exe
324	mscorsvw.exe
2744	mscorsvw.exe
2488	mscorsvw.exe
400	mscorsvw.exe
2016	mscorsvw.exe
1696	mscorsvw.exe
960	mscorsvw.exe
2180	mscorsvw.exe
240	mscorsvw.exe
2068	mscorsvw.exe
932	mscorsvw.exe

Loads dropped DLL 57 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
2708	msiexec.exe
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
764	Process not Found
472	Process not Found
400	mscorsvw.exe
400	mscorsvw.exe
1696	mscorsvw.exe
1696	mscorsvw.exe
2180	mscorsvw.exe
2180	mscorsvw.exe
2068	mscorsvw.exe
2068	mscorsvw.exe
1316	mscorsvw.exe
1316	mscorsvw.exe
988	mscorsvw.exe
988	mscorsvw.exe
1832	mscorsvw.exe
1832	mscorsvw.exe
2716	mscorsvw.exe
2716	mscorsvw.exe
2180	mscorsvw.exe
2180	mscorsvw.exe
2988	mscorsvw.exe
2988	mscorsvw.exe
1640	mscorsvw.exe
1640	mscorsvw.exe
1316	mscorsvw.exe
1316	mscorsvw.exe
2004	mscorsvw.exe
2004	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
324	mscorsvw.exe
324	mscorsvw.exe
2208	mscorsvw.exe
2208	mscorsvw.exe
1828	mscorsvw.exe
1828	mscorsvw.exe
2796	mscorsvw.exe
2796	mscorsvw.exe
2312	mscorsvw.exe
2312	mscorsvw.exe
2196	mscorsvw.exe
2196	mscorsvw.exe
1636	mscorsvw.exe
1636	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5c828432ae4ef42b.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\SplitStart.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2829.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPABD9.tmp\Microsoft.Office.Tools.Outlook.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP43D4.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA592.tmp\Microsoft.Office.Tools.Excel.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP49BD.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP31E9.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5D7B.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP46B1.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\ehome\ehres.dll,-116 = "Opens your home entertainment option for digital and on-demand media, including TV, movies, music and pictures."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000206b755196aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-101 = "Chrysanthemum"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700 = "Print Management"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-101 = "Event Viewer"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2144	ehRec.exe
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
2504	aspnet_state.exe
2504	aspnet_state.exe
2504	aspnet_state.exe
2504	aspnet_state.exe
2504	aspnet_state.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: 33	1552	EhTray.exe
Token: SeIncBasePriorityPrivilege	1552	EhTray.exe
Token: SeDebugPrivilege	2144	ehRec.exe
Token: SeRestorePrivilege	2708	msiexec.exe
Token: SeTakeOwnershipPrivilege	2708	msiexec.exe
Token: SeSecurityPrivilege	2708	msiexec.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: 33	1552	EhTray.exe
Token: SeIncBasePriorityPrivilege	1552	EhTray.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeBackupPrivilege	964	vssvc.exe
Token: SeRestorePrivilege	964	vssvc.exe
Token: SeAuditPrivilege	964	vssvc.exe
Token: SeBackupPrivilege	2616	wbengine.exe
Token: SeRestorePrivilege	2616	wbengine.exe
Token: SeSecurityPrivilege	2616	wbengine.exe
Token: SeManageVolumePrivilege	2768	SearchIndexer.exe
Token: 33	2768	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2768	SearchIndexer.exe
Token: 33	2104	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2104	wmpnetwk.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeDebugPrivilege	1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Token: SeDebugPrivilege	1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Token: SeDebugPrivilege	1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Token: SeDebugPrivilege	1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Token: SeDebugPrivilege	1176	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeDebugPrivilege	2504	aspnet_state.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1552	EhTray.exe
1552	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1552	EhTray.exe
1552	EhTray.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
2680	SearchProtocolHost.exe
2680	SearchProtocolHost.exe
2680	SearchProtocolHost.exe
2680	SearchProtocolHost.exe
2680	SearchProtocolHost.exe
2376	SearchProtocolHost.exe
2376	SearchProtocolHost.exe
2376	SearchProtocolHost.exe
2376	SearchProtocolHost.exe
2376	SearchProtocolHost.exe
2376	SearchProtocolHost.exe
2376	SearchProtocolHost.exe
2376	SearchProtocolHost.exe
2376	SearchProtocolHost.exe
2376	SearchProtocolHost.exe
2376	SearchProtocolHost.exe
2376	SearchProtocolHost.exe
2376	SearchProtocolHost.exe
2376	SearchProtocolHost.exe
2376	SearchProtocolHost.exe
2680	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1276	1512	mscorsvw.exe	52
PID 1512 wrote to memory of 1276	1512	mscorsvw.exe	52
PID 1512 wrote to memory of 1276	1512	mscorsvw.exe	52
PID 1512 wrote to memory of 1276	1512	mscorsvw.exe	52
PID 1512 wrote to memory of 112	1512	mscorsvw.exe	57
PID 1512 wrote to memory of 112	1512	mscorsvw.exe	57
PID 1512 wrote to memory of 112	1512	mscorsvw.exe	57
PID 1512 wrote to memory of 112	1512	mscorsvw.exe	57
PID 1512 wrote to memory of 108	1512	mscorsvw.exe	58
PID 1512 wrote to memory of 108	1512	mscorsvw.exe	58
PID 1512 wrote to memory of 108	1512	mscorsvw.exe	58
PID 1512 wrote to memory of 108	1512	mscorsvw.exe	58
PID 2768 wrote to memory of 2680	2768	SearchIndexer.exe	59
PID 2768 wrote to memory of 2680	2768	SearchIndexer.exe	59
PID 2768 wrote to memory of 2680	2768	SearchIndexer.exe	59
PID 2768 wrote to memory of 2808	2768	SearchIndexer.exe	60
PID 2768 wrote to memory of 2808	2768	SearchIndexer.exe	60
PID 2768 wrote to memory of 2808	2768	SearchIndexer.exe	60
PID 1512 wrote to memory of 2896	1512	mscorsvw.exe	61
PID 1512 wrote to memory of 2896	1512	mscorsvw.exe	61
PID 1512 wrote to memory of 2896	1512	mscorsvw.exe	61
PID 1512 wrote to memory of 2896	1512	mscorsvw.exe	61
PID 1512 wrote to memory of 2312	1512	mscorsvw.exe	62
PID 1512 wrote to memory of 2312	1512	mscorsvw.exe	62
PID 1512 wrote to memory of 2312	1512	mscorsvw.exe	62
PID 1512 wrote to memory of 2312	1512	mscorsvw.exe	62
PID 1512 wrote to memory of 2380	1512	mscorsvw.exe	63
PID 1512 wrote to memory of 2380	1512	mscorsvw.exe	63
PID 1512 wrote to memory of 2380	1512	mscorsvw.exe	63
PID 1512 wrote to memory of 2380	1512	mscorsvw.exe	63
PID 1512 wrote to memory of 1828	1512	mscorsvw.exe	74
PID 1512 wrote to memory of 1828	1512	mscorsvw.exe	74
PID 1512 wrote to memory of 1828	1512	mscorsvw.exe	74
PID 1512 wrote to memory of 1828	1512	mscorsvw.exe	74
PID 1512 wrote to memory of 808	1512	mscorsvw.exe	65
PID 1512 wrote to memory of 808	1512	mscorsvw.exe	65
PID 1512 wrote to memory of 808	1512	mscorsvw.exe	65
PID 1512 wrote to memory of 808	1512	mscorsvw.exe	65
PID 1512 wrote to memory of 2632	1512	mscorsvw.exe	66
PID 1512 wrote to memory of 2632	1512	mscorsvw.exe	66
PID 1512 wrote to memory of 2632	1512	mscorsvw.exe	66
PID 1512 wrote to memory of 2632	1512	mscorsvw.exe	66
PID 1512 wrote to memory of 436	1512	mscorsvw.exe	67
PID 1512 wrote to memory of 436	1512	mscorsvw.exe	67
PID 1512 wrote to memory of 436	1512	mscorsvw.exe	67
PID 1512 wrote to memory of 436	1512	mscorsvw.exe	67
PID 2768 wrote to memory of 2376	2768	SearchIndexer.exe	68
PID 2768 wrote to memory of 2376	2768	SearchIndexer.exe	68
PID 2768 wrote to memory of 2376	2768	SearchIndexer.exe	68
PID 1512 wrote to memory of 916	1512	mscorsvw.exe	69
PID 1512 wrote to memory of 916	1512	mscorsvw.exe	69
PID 1512 wrote to memory of 916	1512	mscorsvw.exe	69
PID 1512 wrote to memory of 916	1512	mscorsvw.exe	69
PID 1512 wrote to memory of 2712	1512	mscorsvw.exe	70
PID 1512 wrote to memory of 2712	1512	mscorsvw.exe	70
PID 1512 wrote to memory of 2712	1512	mscorsvw.exe	70
PID 1512 wrote to memory of 2712	1512	mscorsvw.exe	70
PID 1512 wrote to memory of 1472	1512	mscorsvw.exe	71
PID 1512 wrote to memory of 1472	1512	mscorsvw.exe	71
PID 1512 wrote to memory of 1472	1512	mscorsvw.exe	71
PID 1512 wrote to memory of 1472	1512	mscorsvw.exe	71
PID 1512 wrote to memory of 2804	1512	mscorsvw.exe	83
PID 1512 wrote to memory of 2804	1512	mscorsvw.exe	83
PID 1512 wrote to memory of 2804	1512	mscorsvw.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2448

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2392

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 258 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 248 -NGENProcess 1dc -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 250 -NGENProcess 268 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1d8 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1dc -NGENProcess 270 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1f4 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 274 -NGENProcess 1d8 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 270 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1f4 -NGENProcess 280 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 284 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 26c -NGENProcess 268 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 250 -NGENProcess 284 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 250 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1dc -NGENProcess 294 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 288 -NGENProcess 26c -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 298 -NGENProcess 250 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 294 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 2a4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 284 -NGENProcess 294 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a8 -NGENProcess 29c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 288 -NGENProcess 2b0 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 268 -NGENProcess 254 -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 240 -NGENProcess 290 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 274 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 258 -NGENProcess 254 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 244 -NGENProcess 290 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 254 -NGENProcess 290 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 228 -NGENProcess 25c -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 25c -NGENProcess 244 -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d4 -NGENProcess 290 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 244 -NGENProcess 1c8 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2ac -NGENProcess 264 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 264 -NGENProcess 1dc -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 290 -NGENProcess 1c8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 1c8 -NGENProcess 2ac -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 294 -NGENProcess 244 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 244 -NGENProcess 290 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:1552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2b4 -NGENProcess 2ac -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2ac -NGENProcess 294 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:1036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2bc -NGENProcess 290 -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 290 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2c4 -NGENProcess 294 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 294 -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:1276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2cc -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2dc -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:1340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2e4 -NGENProcess 2f4 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 304 -NGENProcess 2ec -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 300 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:1304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2f4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2ec -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2ec -NGENProcess 308 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 308 -NGENProcess 2fc -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 31c -NGENProcess 314 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:1552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 318 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2fc -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 314 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 318 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2fc -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 314 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:1276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 318 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2fc -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 314 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 318 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2fc -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 314 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 318 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2fc -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 314 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 318 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 2fc -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 314 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 318 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:1144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 2fc -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 314 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 318 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 2fc -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 314 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 318 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 318 -NGENProcess 380 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 388 -NGENProcess 314 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 36c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 380 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 314 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 36c -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 380 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 314 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 36c -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 39c -NGENProcess 3ac -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 390 -NGENProcess 36c -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 36c -NGENProcess 3a8 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 3b4 -NGENProcess 3ac -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3ac -NGENProcess 390 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3bc -NGENProcess 3a8 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 3b8 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3b8 -NGENProcess 3ac -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3c8 -NGENProcess 3a8 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3c0 -NGENProcess 3cc -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3bc -NGENProcess 3a8 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:1528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3d0 -NGENProcess 3c8 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:1108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3cc -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3a8 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 3c8 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:1144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3cc -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3e4 -NGENProcess 3bc -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:1524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3c8 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3cc -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3bc -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 3c8 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:2036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3cc -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:1108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3bc -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  PID:2224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 404 -NGENProcess 3c8 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:1992

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2464

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:1480

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1960

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1552

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1096

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:3012

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3048

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1332

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2188

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2924

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2368

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2268

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2476

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1044

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2680
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:2808
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2376

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
54ba7858e45a9519972a8f77e03a5195

SHA1
8857f13fe4d405975a38a8533ffaedb7e8d3fc17

SHA256
90288ef0206bafa7f274ecb14ad41cce972426fd9ab8954ddf5c3e9e406e7846

SHA512
e6400587a3a5befe5bc5dda1e9ba23c16a00ed986353b90f7b87b2e01367c68e2c3b909823e3cb4ad26122afc1ba6fbaf2955eb17cfcef044c52cead7f1e498b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
6.1MB

MD5
bcf5b387bcebf1f76894d68d1f0e1b94

SHA1
c61ceb82016a1876c9bd7fcb7f2ffabee7ea953e

SHA256
13df81772d30c031f0f2a0fd66c79f43952c304dc5a9e381dc4830cf148077da

SHA512
9af409fdf9e9db5ee7395a4bc62254f388664036491d436e62bdde07113287e14516197398a4b694986a6d4d8c27fa2d38102face94955af47752bea435d9b71

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
e5c6347f82a2d27f8fa6a40b72f81b5c

SHA1
9dc22631476520a68185bc4c423237628aa7cb44

SHA256
a2ed538d4bf82b27d1ef7b6beae27250e66559f0f7609e878409c83405ff0511

SHA512
f541e9fe77b5c4c351bc65160a7b6a2ac479e61db58d0ab94848a42109cd563511d974dede17d77559510475193f772ae935a6caa42664c47a3e40a06164171a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
128730fb21bc063e1fc5a98037b8fd69

SHA1
7e5de145e289b5d35ba00a190039cb651a80abdd

SHA256
f374b49aef138453bd052a5f64c7e02aac363eb4dbfbd53aa149e9f8c9d28e45

SHA512
0c6a7d3a219cda312faf411023ad320d0ebd8f5527526f3fc733ca0f3fa67f6ae6e7c92cc53ccef381eaf706e0c526a734bfba70a46207982fc76f4c2a4685e9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
4cfaf4dd1b2ba1de8d8d234ddd9338d7

SHA1
2e2b7e8e2a531e473e3ec0d4a51a5ac0c55863f5

SHA256
0a00d72348910ab96d97b8c5eb9287e7e1fe9ab40a3743fe037ec07105026803

SHA512
7d8240606c62e420bc2be00a621a1ecb7bbfdc95502bd09d83dd060a10990fc5531fdd2f1d7984209a84762429cfdacc6dfda145718206df5e56563ed1fada38

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
b2e7db5f446b8f444bf4ff4b8d68302c

SHA1
fab9c4c2c0fd2c0ffd3753cce2bf10ebbe4015cc

SHA256
cd8b6f97c8dbf51376f8ddcc03322cf0e06ba5a76a46c144107e7249c97de45b

SHA512
ee73d0909917d72c9a5eb211cc041b208e51ce02a6029af254a0b46f5382b096a7c64e54c439d8d57ce35b8d2e3705a60ea24edbf0a2b5944a3f0838fd577756

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
fdcb52f26aac74611dce98a5cd0e0f0d

SHA1
64b80bf4df7b2c245b440058f6f1f6c5f650ced1

SHA256
d3592539b7e99b15b40753ef9f78f1bc64d6a5a8eacdaef8b8698d9ba5f1d3bc

SHA512
87f9aeebdcbb2698a664b8f8b5f7ba740f608eec3cc72746555f5f6b573952652a1750a3843d4c0265954e7b1622aab80d430fd11ddf325eb5b00eb1aac3f7ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
d25cbda17f6370ddae45c6e3b58c2cee

SHA1
b527e046e860adfa7200649c5f648c2ee3cb5eb1

SHA256
95db116e4a1da35db185266bd9d638583a71374a7083a552635af3ba2db82f8e

SHA512
e27f3e2ccbefb662039957656468726f598cf92e6f2795200bc7c02f56ddedeca1c0bfa952aeadc8514a0224b9e489dc35ca8c468227bcf2c5de98854456c183

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
e772bd2e6064fe6e5d27dc88abe33b69

SHA1
8a86c5aa58c42a065b9390830f730ac7880a2e36

SHA256
dfdd57a3901ee8515b4f657c25d948f07d52e5afa33764f8e6df2ae5b99ee08e

SHA512
29b3f8e80a82d80221a89fe407282e212b9b75233377c6543e3f4c1f6784e936e2dcab1b74b1ca1a08262ed47c9ec4e6b1bc19f81113ed18ad62ec7cbd368592

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
8b5875be1c7951fc22e029b7a6602165

SHA1
8184f660256468d1bdf8c27c423ea56f5735c1a8

SHA256
5eaf98ce5b222ffa376c471436f02dd9961f5085f460afd52ab08c0c82b2a0dd

SHA512
7423e2bf12a179a9ec15494d00267769d68d9fd004b4d591205f1e9bc408f4cb0dfc3e396257772a789c26a1f37a2b64ff46dbcca475fd01710fbe5c62c84596

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
c5ff5148cdf0aa4b230bb077738683be

SHA1
fa1124c6ee323e25618cbfea2034c8238e3f9b2e

SHA256
e9fd1f5eef25e1c92f04378019edb1061cec9f8e086bc04b7e848318178e385d

SHA512
5741c5eec4868f591f2f7b96d4b089a8b67916b3d02116eaae0adeded9948f01d8ec6852a4b43f90767e7a0473e773de054cda4e9a01fd2fd73d1de771dbae3a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
911e49c00f8269df021737ea018675fb

SHA1
9a6d831a55ee47f625a930d77a289c86a5288142

SHA256
894bf5e07baf2715d835e749919dff4e01e1477ea392c3154262938b32c23d9c

SHA512
107bc640d45df9b0b63e4f96fc64daedc2085680e22ee8e00d28eaa139c6578568cd1d04c431996928d1f82821575b2d62453551692ce16679f50f4ee8d87baa

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
df393b35ed465e44930b251b45b7c939

SHA1
04520fa1729cd481b52289f2df51afa136fa30b6

SHA256
9f09dcddc1f47b63da7dd7e8c09d80ddfe666d2e378ee0f22030e9347854ab90

SHA512
57a6d0dadfefd2754478fbca6a8cdb1b0ce674b2aca38d80e11b325dcbe4dc8ba5c2bfbe57035750b55891a4a170c4b4aeb48a3f73af9bc1c4d6b21db25705b9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
58841ddb347378874c5fcd2fa0825575

SHA1
b2868cae48516f246a76d904d64496541a8dd826

SHA256
d4767cad336e42b16121b8ae0f788de415196559331dbcd15400e188e4363acb

SHA512
b60cad7c008c6c5dbd64b393ac0b4233f0e33ad37ec1e121761acec90ce5c778746e79e14ff9e80d1b165a4baa8cde1d62fa661bb6cc9b27afc027560ba8f50b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
613e819eb81c3ef747be97b50347fa00

SHA1
9b96284b32a9ae1cfaab425cc6d57b4e54c853bc

SHA256
27988e7174daea60eec457ee9e0117cb7a312a493b1b652ae398b41fad4b4a55

SHA512
8b7ebeb2ea1422fbf66b3d13dd0f1e42ea1f81d2c1786ef65823f193cabfbd965f5494438d3fcf4c0029d2236185516eece7077bacee65d0758cd96342907343

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
076bb0568eebe95bbe4bb2b5a8ea5ad6

SHA1
c74f9243bbac941472023462a6f324c526e97331

SHA256
c8ad20542dfaf7209ca6beb83ea38587ecd9906949e30911db68dd76257a9c0c

SHA512
82ae858e3a2f5816e9a3e2db07f4ce5ba8fbbd905871896c86bba96fc3bd472c8e86d7a425c1046b65c4281809591ca18c09ffee05427f3c304614d9e7fec251

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
95571caeb4e6dc3c347a1aa5070c7c9f

SHA1
5c58ace1a7ef3274043214f665c7ef3865193b1f

SHA256
4c6ca5e1cc348670a455127025c7ae5030c9d0caff28036f0830de55545c84a2

SHA512
a6e1f2941f479b521de0300d649a950e600d9c1efdefbfa04d1f5dc8a388e7df97a72f58eaec10e46821e018595386a4f54e889d4cb276f5d4f4cc11064cef39

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ba2091958b3c145e4a2f0824c6b362fd

SHA1
ab21004787a171693ff5432bb06591de3378fdc7

SHA256
7823cdfc66ed43168cc186cd48cf048934674ba0a61f4c80910ca8841c5ec5df

SHA512
5b8a8baaa3e2d3b751ed30caf28fe3d0c68b24122ec947a169caa6d8b12d481af29e274119b6d62265f6ab6b2737e9af94c11505c3091616ecbb0d20df1efc04

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
2bd1ea52a81b7b1d752e058f7a54950f

SHA1
058f4978198d14275b82bfde723c63a4200ce3d9

SHA256
285a677bc2a776cbc8024050d633fe6bfa13b3257b904d1a67189a2aa8c7d1f6

SHA512
1770d89aeb3a3a94cfa0def2e3dd28aab6d4d853049025f442ffe3f4d7a3c576ea07b5df630ba1a18b56ce924319b1c5f8b4101ae7d3450c5b0e7b9558e97769

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
1.9MB

MD5
0f5ed215cb316cee9a5e3fcc79637546

SHA1
6fcb54262739b3288e5005ff2a9bd580fe41a57a

SHA256
7e241b8dca3dcfc98224cd751f4859c1a6809f9e60e2fcde4fd56bb776894dcc

SHA512
60cbf46d7431b66ea47c988496fc83adf3b51b27340d3f8f0f0e4e1f2a8df603f4e84a4a0f2a10e00bbacf45508853f4cfc78c29bdbfddd589b6a8b17688041d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
3b572dbb1b64025cf0f4e755027ad59b

SHA1
51ded7806c98f50d7123f620e4252c5fc1b12599

SHA256
61ecbf5e098016552d83c952088ea8617c2389851f81dfe55969af84dfc91dec

SHA512
dfbf4e0bd020ac401b71454c1c000c889ca10160e1ced84fdd126d0f052bc70380bdf7e876e919603e78429f303689a359434c488234b9d01d9b18a3dbbab933

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
1b2b10695fe3de350815915fb0156966

SHA1
00f20dc235ebbe900a64fe145a897f7ff1ffc170

SHA256
2f66a49f947628b06cb2ffb6682f0bf05aa2f2eadfe4a1864477ac5136f272db

SHA512
c72ef2347ae9a8b3747567fd774ad9905ec4c87c5f6d77851d405d8d1bac3946b481e69476f25edc9b9105cdb78ee31ec2586c5106ab08ea77f119b41a0409b0

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
af4a909dbeb803ecfdd872a02da5b8fd

SHA1
f7094e5b01dd0d2c2e3c2a2abba3665696c9338a

SHA256
bb63590b585645f3f2c01251d3c81743d44353027ac668555852ba0ee850fadd

SHA512
fc444f666cbc60cab20ef7b5a6a0f1df2751941f6483bca3ae67025f2579d9c32f9765126af3005ca065835c88b9fae3f4cfeef973c8854412f954954124c673

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
a39eac375b4fd8e164fd39f4bbba0a2b

SHA1
45b5a41cdf3ebe838b19541c51e4b80acdccb492

SHA256
54b05d0da22249a598b7c5342dcb72f91dece1c1a1b1290c774f0c8875ac9408

SHA512
294f5ecf8d804927a848c20a8b796b46345f36581fead9a6b8b5734d0083e77c60ddc65ff0a42d75139d83850f231058f85a9f512f2773c280f9ba4f8013d03d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
0c61f8c897f962ae2f3eb6268eab2f70

SHA1
00c2d3cad8791b832afd7c7abd65ab761216d2dc

SHA256
f8152cac37c438aa86fd385c6c8170620dbd90b2a5b814d88c1f2cb418f6b5eb

SHA512
98af39f85d36942b71c39c86a251be279b2d39d30a6e21c0e0b77cc04254dd2b4b1052d0dc408e6baba06982c4116b22aef0f3f7472ed328a4e989a7047cb876

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
4ce78b9d101ece1bc6bcc616ee3d6139

SHA1
c1b177f12bd2b16e49115703d668491dab0a8259

SHA256
ab9722db1b8657281eb1ce1bf120b21a79e948001448daa6758fd3cb6b13e485

SHA512
0da1cf3b2a870e133ccabc07141a1a03f8933e3ba68755dfe7d2fc24cdcbaa7871ed0676ce8eb06ba8ecce8361749773d3ea326d4ce62a3dfba1577851670034

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\86ce496f78c75bcb363a217dccf67319\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
bde9efd9b4f15fe1c9b70d6110523640

SHA1
032282965ff5505562c6657d245a6e2998eed994

SHA256
bef0a6da9fcc7f1434040064f8ab536ad0581c222c15cdabd6d32e4646da592a

SHA512
2685d81d7a1f1e8be3c36ae0957aa75d49a8d2d24b10762b74b60ccd3540ee25e70251758c5d3786ae2e16e754d6ed01fc33c8baa73576e33dbedcce11d44ae6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9c1b3d55a408e0301d23d8f49b5b315e\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
50794360e935e26a836620cc65497c69

SHA1
55c6a99ee189298dad1710d7dac9dca2160d8949

SHA256
4e2350413d92e6e3aef6c19f85e9791d1db081c1b1640496010cbc6f03e4dee4

SHA512
b4e1731f7a884f2d469f5dbc0822951f648449e5bfcf29d631e4dec15b861e3ccdca27ddf5eccfab74242fb3b9aa9820794190253aad2be01d721e176feb88b4

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ac162cc4022c4bb02bd37d3938f4e261\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
9388bac49bd1ee78a737c0a6c6aa9dea

SHA1
59792ee2e27a2bcccc309e8ce8dbdb493a6f59c8

SHA256
55334adccb0379636d8e692c0b7eee56c678f7610c6ad01cbb01b073d6cce4b0

SHA512
7a779e8dffb7dd41d41ddf8b6a54bf651774ec212e4199bdfc30b984c642c9891c744327a0f990880669b3b48b58e130637b065a8ab2434bc5e3d51a4ac4e8b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d7b29d7797fefd80a8f77c98eebddc11\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
a03c831cb51ed63213ead308a53d7354

SHA1
4f6a9189d8d56bf2449235f23cc2278bf5132b51

SHA256
130ee203551dc5378ec6c5f3a6408aa0c9f2b03e8b31ea980926f645344d939e

SHA512
ba28351932abfb7d03e01b81a6face909a573335850846507fe274b48a0ead697c71cd4743ebfa4acd8f5809ef0cecaabc43b0aea45c6d9d29fad836e5965bc0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
980ab1f2bd3dad5723cb49c6dc566465

SHA1
33b7f87da96f653354e5227417fc6a430a4c53c5

SHA256
842aa3e96a772c653a08eee3d1a6c3519538bbf922845573d0ef2646183ec53f

SHA512
9ef77735054be9801717f563a5b526b9e34cfc7111c931d6cb64f92ab4ec87169a71abc5da2318012fcbdf5bebb696790e77d563b0e0208f03d38893a9dde772

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
c59e140132e00de6d1a894ee74445ecd

SHA1
7bdff5a8d8a61cdf86db7277fdddbadd62c80b7e

SHA256
2b1fae1165b97d63a20457c4e60851cc79dfe5ccaaee7978a67a5c25e5a02ed6

SHA512
944e486014209f620ae92908113d492945655f0f301cdd335b7188d82d9249d76ab243d4e12156bacda46422e7ed224ad7c0ebb8826ee8780929ec50a78e47dc

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.9MB

MD5
607ed974ac2cedf02bbc06e2999351a2

SHA1
28d48bade853ad63f4c1910a71f088fc9da6beef

SHA256
da1a171b8a0c6d8cc88f82cf3121d6614db5dcf02bda41dc5736b16a38704e3b

SHA512
e400163f5f3a4b65a2d6ce9d80159f18b82174bfefbd858777dcd552004e4876c1314ae5ecf0683243b23a66e0eb2ee417fd74b9401bc148e03f51b4aef07961

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
a5a9161fd8afc255d9f53ea70b3ec7eb

SHA1
1bf509e4c525e531b8ebd673dcd02667c974d331

SHA256
70567f44db9b061e0fb886c7f09f03b41165ea0869abad0af5135cdf51dca4d4

SHA512
83855712bc0ef8d3a642d71ce4ca079592484bf7b250d63bac8b5e25459774ffeb9fc020e6fc9b05bc955a2ba0003fe198dc6064bfde24a97506746fc17b5f6b

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
97c65802e5a21ca025690d5100c6ff9e

SHA1
3f706a0e60428eecd6815c1dda548174c3b11289

SHA256
397c3872c4535dac2267aec402a1f64242305684ef191037f6e8ab593172da26

SHA512
b5389139f9923e389b4f8e92aa023fa120e8b1cbab5a71ee031825568580510d953a2832214a3bcdaa26c946d9104f495b9bcf81db1853ffd7b13ce29c553f3b

Download Submit
memory/108-421-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/108-323-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/112-296-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/112-314-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/808-522-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/808-507-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/964-229-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/964-457-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1044-615-0x0000000100000000-0x0000000100203000-memory.dmp

Filesize
2.0MB

Download
memory/1044-257-0x0000000100000000-0x0000000100203000-memory.dmp

Filesize
2.0MB

Download
memory/1052-602-0x0000000003D20000-0x0000000003DDA000-memory.dmp

Filesize
744KB

Download
memory/1096-214-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1096-138-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1176-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-93-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-6-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/1176-8-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-1-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/1276-254-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1276-310-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1332-169-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/1332-233-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/1480-102-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1480-110-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1480-108-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1480-850-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1480-198-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1512-890-0x0000000002000000-0x000000000202A000-memory.dmp

Filesize
168KB

Download
memory/1512-885-0x0000000002000000-0x00000000020EC000-memory.dmp

Filesize
944KB

Download
memory/1512-66-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download
memory/1512-879-0x0000000000940000-0x000000000094A000-memory.dmp

Filesize
40KB

Download
memory/1512-891-0x0000000002000000-0x0000000002066000-memory.dmp

Filesize
408KB

Download
memory/1512-889-0x0000000000940000-0x0000000000948000-memory.dmp

Filesize
32KB

Download
memory/1512-888-0x0000000002000000-0x0000000002024000-memory.dmp

Filesize
144KB

Download
memory/1512-880-0x0000000000DD0000-0x0000000000DEE000-memory.dmp

Filesize
120KB

Download
memory/1512-887-0x0000000002000000-0x0000000002088000-memory.dmp

Filesize
544KB

Download
memory/1512-71-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download
memory/1512-881-0x0000000000DD0000-0x0000000000DEA000-memory.dmp

Filesize
104KB

Download
memory/1512-179-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1512-882-0x0000000002000000-0x000000000208C000-memory.dmp

Filesize
560KB

Download
memory/1512-65-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1512-886-0x0000000000940000-0x0000000000950000-memory.dmp

Filesize
64KB

Download
memory/1512-883-0x0000000002000000-0x00000000020A4000-memory.dmp

Filesize
656KB

Download
memory/1512-884-0x0000000002000000-0x000000000219E000-memory.dmp

Filesize
1.6MB

Download
memory/1828-496-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1828-487-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1960-124-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/1960-114-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1960-120-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1960-209-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/1960-772-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/2104-757-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2104-268-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2188-193-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2188-261-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2268-226-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/2312-465-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2312-438-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2320-200-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2320-282-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2368-215-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/2368-322-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/2380-484-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2380-459-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2392-30-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2392-31-0x0000000000450000-0x00000000004B7000-memory.dmp

Filesize
412KB

Download
memory/2392-36-0x0000000000450000-0x00000000004B7000-memory.dmp

Filesize
412KB

Download
memory/2392-82-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2448-122-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2448-13-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2468-50-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2468-51-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2468-45-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2468-53-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2468-76-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2476-227-0x0000000100000000-0x0000000100253000-memory.dmp

Filesize
2.3MB

Download
memory/2476-436-0x0000000100000000-0x0000000100253000-memory.dmp

Filesize
2.3MB

Download
memory/2504-132-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2504-25-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2504-18-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2504-24-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2504-17-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2568-92-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2568-85-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2568-94-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2616-486-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2616-234-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2708-176-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/2708-180-0x00000000006B0000-0x00000000008A1000-memory.dmp

Filesize
1.9MB

Download
memory/2708-256-0x00000000006B0000-0x00000000008A1000-memory.dmp

Filesize
1.9MB

Download
memory/2708-245-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/2740-166-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2740-172-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2768-769-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2768-283-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2896-434-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2896-418-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2924-210-0x0000000001000000-0x00000000011D5000-memory.dmp

Filesize
1.8MB

Download
memory/2924-295-0x0000000001000000-0x00000000011D5000-memory.dmp

Filesize
1.8MB

Download
memory/3012-799-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3012-219-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3012-142-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3048-225-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3048-163-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download