55630944364a787423468fc12fee121155a59d744bf9b42bedbb4024942dd9ee

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-05-2024 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
Size

712KB
MD5

499a18c448af539fe4561a0c515912ce
SHA1

d83687390090490a44c81ae9e58aeae62253b852
SHA256

55630944364a787423468fc12fee121155a59d744bf9b42bedbb4024942dd9ee
SHA512

0d6e703472dfb83e50021cbb217c530f82354848fda1a600b319fe67279fac43e2259c4a13f9beab3bfd712e2f21b6de8af1fee63d3b1c67d71dd92c26d38481
SSDEEP

12288:ktOw6BaL6JvY67VMBNO/aXpXI22+VufvdIOKek1h4TA8bXQJYe:66BA6J17W8CX32+KJNA80T

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2000	alg.exe
1164	aspnet_state.exe
2996	mscorsvw.exe
2632	mscorsvw.exe
2516	mscorsvw.exe
2360	mscorsvw.exe
1900	ehRecvr.exe
1952	ehsched.exe
588	elevation_service.exe
2416	IEEtwCollector.exe
1552	GROOVE.EXE
1252	maintenanceservice.exe
688	msdtc.exe
2164	msiexec.exe
1616	OSE.EXE
2508	OSPPSVC.EXE
2412	mscorsvw.exe
2056	perfhost.exe
1240	locator.exe
1940	snmptrap.exe
2328	vds.exe
1064	vssvc.exe
2988	wbengine.exe
2100	mscorsvw.exe
2232	WmiApSrv.exe
2868	wmpnetwk.exe
2520	SearchIndexer.exe
2140	mscorsvw.exe
2676	mscorsvw.exe
2916	mscorsvw.exe
2420	mscorsvw.exe
1664	mscorsvw.exe
2112	mscorsvw.exe
1668	mscorsvw.exe
3024	mscorsvw.exe
2480	mscorsvw.exe
1732	mscorsvw.exe
1588	mscorsvw.exe
1800	mscorsvw.exe
520	mscorsvw.exe
836	mscorsvw.exe
896	mscorsvw.exe
2372	mscorsvw.exe
1496	mscorsvw.exe
1436	mscorsvw.exe
2664	mscorsvw.exe
1432	mscorsvw.exe
272	mscorsvw.exe
2032	mscorsvw.exe
1496	mscorsvw.exe
2032	dllhost.exe
1528	mscorsvw.exe
2112	mscorsvw.exe
1084	mscorsvw.exe
1068	mscorsvw.exe
520	mscorsvw.exe
1928	mscorsvw.exe
1488	mscorsvw.exe
1912	mscorsvw.exe
2504	mscorsvw.exe
2820	mscorsvw.exe
848	mscorsvw.exe
460	mscorsvw.exe

Loads dropped DLL 55 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2164	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
768	Process not Found
468	Process not Found
520	mscorsvw.exe
520	mscorsvw.exe
1488	mscorsvw.exe
1488	mscorsvw.exe
2504	mscorsvw.exe
2504	mscorsvw.exe
848	mscorsvw.exe
848	mscorsvw.exe
1560	mscorsvw.exe
1560	mscorsvw.exe
1684	mscorsvw.exe
1684	mscorsvw.exe
1928	mscorsvw.exe
1928	mscorsvw.exe
2604	mscorsvw.exe
2604	mscorsvw.exe
2752	mscorsvw.exe
2752	mscorsvw.exe
1768	mscorsvw.exe
1768	mscorsvw.exe
928	mscorsvw.exe
928	mscorsvw.exe
1752	mscorsvw.exe
1752	mscorsvw.exe
1564	mscorsvw.exe
1564	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
336	mscorsvw.exe
336	mscorsvw.exe
780	mscorsvw.exe
780	mscorsvw.exe
2340	mscorsvw.exe
2340	mscorsvw.exe
2960	mscorsvw.exe
2960	mscorsvw.exe
2432	mscorsvw.exe
2432	mscorsvw.exe
2076	mscorsvw.exe
2076	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5d6e560bae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6E1E.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8D23.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD069.tmp\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7EA2.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP65B5.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA12F.tmp\ehiVidCtl.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mstsc.exe,-4000 = "Remote Desktop Connection"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32820 = "Indexed Locations"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\SnippingTool.exe,-15052 = "Capture a portion of your screen so you can save, annotate, or share the image."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Sidebar\sidebar.exe,-1012 = "Add Desktop Gadgets that display personalized slideshows, news feeds, and other customized information."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\dfrgui.exe,-172 = "Defragments your disks so that your computer runs faster and more efficiently."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mycomput.dll,-300 = "Computer Management"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Msinfo32.exe,-130 = "Display detailed information about your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\Explorer.exe,-312 = "Play and manage games on your computer."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msconfig.exe,-126 = "System Configuration"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{43596FAA-3D8C-4F2C-8A00-A62CF2A8E9AA}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20 = "Windows Firewall with Advanced Security"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32822 = "Everywhere"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\authFWGP.dll,-21 = "Configure policies that provide enhanced network security for Windows computers."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "mscorsvw.exe"	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SoundRecorder.exe,-32790 = "Record sound and save it on your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mstsc.exe,-4001 = "Use your computer to connect to a computer that is located elsewhere and run programs or access files."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-102 = "View monitoring and troubleshooting messages from windows and other programs."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588 = "Windows Easy Transfer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\msra.exe,-635 = "Invite a friend or technical support person to connect to your computer and help you, or offer to help someone else."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1956	ehRec.exe
2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
Token: SeShutdownPrivilege	2516	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: 33	780	EhTray.exe
Token: SeIncBasePriorityPrivilege	780	EhTray.exe
Token: SeDebugPrivilege	1956	ehRec.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2516	mscorsvw.exe
Token: SeRestorePrivilege	2164	msiexec.exe
Token: SeTakeOwnershipPrivilege	2164	msiexec.exe
Token: SeSecurityPrivilege	2164	msiexec.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2516	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2516	mscorsvw.exe
Token: SeBackupPrivilege	1064	vssvc.exe
Token: SeRestorePrivilege	1064	vssvc.exe
Token: SeAuditPrivilege	1064	vssvc.exe
Token: 33	780	EhTray.exe
Token: SeIncBasePriorityPrivilege	780	EhTray.exe
Token: SeBackupPrivilege	2988	wbengine.exe
Token: SeRestorePrivilege	2988	wbengine.exe
Token: SeSecurityPrivilege	2988	wbengine.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeManageVolumePrivilege	2520	SearchIndexer.exe
Token: 33	2868	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2868	wmpnetwk.exe
Token: 33	2520	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2520	SearchIndexer.exe
Token: SeShutdownPrivilege	2516	mscorsvw.exe
Token: SeDebugPrivilege	2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
Token: SeDebugPrivilege	2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
Token: SeDebugPrivilege	2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
Token: SeDebugPrivilege	2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
Token: SeDebugPrivilege	2220	2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2516	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeDebugPrivilege	2000	alg.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2516	mscorsvw.exe
Token: SeShutdownPrivilege	2516	mscorsvw.exe
Token: SeShutdownPrivilege	2516	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2516	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2516	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2516	mscorsvw.exe
Token: SeShutdownPrivilege	2360	mscorsvw.exe
Token: SeShutdownPrivilege	2516	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
780	EhTray.exe
780	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
780	EhTray.exe
780	EhTray.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
1840	SearchProtocolHost.exe
1840	SearchProtocolHost.exe
1840	SearchProtocolHost.exe
1840	SearchProtocolHost.exe
1840	SearchProtocolHost.exe
2680	SearchProtocolHost.exe
2680	SearchProtocolHost.exe
2680	SearchProtocolHost.exe
2680	SearchProtocolHost.exe
2680	SearchProtocolHost.exe
2680	SearchProtocolHost.exe
2680	SearchProtocolHost.exe
2680	SearchProtocolHost.exe
2680	SearchProtocolHost.exe
2680	SearchProtocolHost.exe
2680	SearchProtocolHost.exe
2680	SearchProtocolHost.exe
2680	SearchProtocolHost.exe
2680	SearchProtocolHost.exe
2680	SearchProtocolHost.exe
1840	SearchProtocolHost.exe
2680	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2412	2360	mscorsvw.exe	46
PID 2360 wrote to memory of 2412	2360	mscorsvw.exe	46
PID 2360 wrote to memory of 2412	2360	mscorsvw.exe	46
PID 2360 wrote to memory of 2100	2360	mscorsvw.exe	55
PID 2360 wrote to memory of 2100	2360	mscorsvw.exe	55
PID 2360 wrote to memory of 2100	2360	mscorsvw.exe	55
PID 2516 wrote to memory of 2140	2516	mscorsvw.exe	59
PID 2516 wrote to memory of 2140	2516	mscorsvw.exe	59
PID 2516 wrote to memory of 2140	2516	mscorsvw.exe	59
PID 2516 wrote to memory of 2140	2516	mscorsvw.exe	59
PID 2520 wrote to memory of 1840	2520	SearchIndexer.exe	60
PID 2520 wrote to memory of 1840	2520	SearchIndexer.exe	60
PID 2520 wrote to memory of 1840	2520	SearchIndexer.exe	60
PID 2520 wrote to memory of 2788	2520	SearchIndexer.exe	61
PID 2520 wrote to memory of 2788	2520	SearchIndexer.exe	61
PID 2520 wrote to memory of 2788	2520	SearchIndexer.exe	61
PID 2516 wrote to memory of 2676	2516	mscorsvw.exe	62
PID 2516 wrote to memory of 2676	2516	mscorsvw.exe	62
PID 2516 wrote to memory of 2676	2516	mscorsvw.exe	62
PID 2516 wrote to memory of 2676	2516	mscorsvw.exe	62
PID 2516 wrote to memory of 2916	2516	mscorsvw.exe	63
PID 2516 wrote to memory of 2916	2516	mscorsvw.exe	63
PID 2516 wrote to memory of 2916	2516	mscorsvw.exe	63
PID 2516 wrote to memory of 2916	2516	mscorsvw.exe	63
PID 2516 wrote to memory of 2420	2516	mscorsvw.exe	64
PID 2516 wrote to memory of 2420	2516	mscorsvw.exe	64
PID 2516 wrote to memory of 2420	2516	mscorsvw.exe	64
PID 2516 wrote to memory of 2420	2516	mscorsvw.exe	64
PID 2516 wrote to memory of 1664	2516	mscorsvw.exe	65
PID 2516 wrote to memory of 1664	2516	mscorsvw.exe	65
PID 2516 wrote to memory of 1664	2516	mscorsvw.exe	65
PID 2516 wrote to memory of 1664	2516	mscorsvw.exe	65
PID 2516 wrote to memory of 2112	2516	mscorsvw.exe	66
PID 2516 wrote to memory of 2112	2516	mscorsvw.exe	66
PID 2516 wrote to memory of 2112	2516	mscorsvw.exe	66
PID 2516 wrote to memory of 2112	2516	mscorsvw.exe	66
PID 2516 wrote to memory of 1668	2516	mscorsvw.exe	67
PID 2516 wrote to memory of 1668	2516	mscorsvw.exe	67
PID 2516 wrote to memory of 1668	2516	mscorsvw.exe	67
PID 2516 wrote to memory of 1668	2516	mscorsvw.exe	67
PID 2516 wrote to memory of 3024	2516	mscorsvw.exe	68
PID 2516 wrote to memory of 3024	2516	mscorsvw.exe	68
PID 2516 wrote to memory of 3024	2516	mscorsvw.exe	68
PID 2516 wrote to memory of 3024	2516	mscorsvw.exe	68
PID 2520 wrote to memory of 2680	2520	SearchIndexer.exe	69
PID 2520 wrote to memory of 2680	2520	SearchIndexer.exe	69
PID 2520 wrote to memory of 2680	2520	SearchIndexer.exe	69
PID 2516 wrote to memory of 2480	2516	mscorsvw.exe	70
PID 2516 wrote to memory of 2480	2516	mscorsvw.exe	70
PID 2516 wrote to memory of 2480	2516	mscorsvw.exe	70
PID 2516 wrote to memory of 2480	2516	mscorsvw.exe	70
PID 2516 wrote to memory of 1732	2516	mscorsvw.exe	71
PID 2516 wrote to memory of 1732	2516	mscorsvw.exe	71
PID 2516 wrote to memory of 1732	2516	mscorsvw.exe	71
PID 2516 wrote to memory of 1732	2516	mscorsvw.exe	71
PID 2516 wrote to memory of 1588	2516	mscorsvw.exe	72
PID 2516 wrote to memory of 1588	2516	mscorsvw.exe	72
PID 2516 wrote to memory of 1588	2516	mscorsvw.exe	72
PID 2516 wrote to memory of 1588	2516	mscorsvw.exe	72
PID 2516 wrote to memory of 1800	2516	mscorsvw.exe	73
PID 2516 wrote to memory of 1800	2516	mscorsvw.exe	73
PID 2516 wrote to memory of 1800	2516	mscorsvw.exe	73
PID 2516 wrote to memory of 1800	2516	mscorsvw.exe	73
PID 2516 wrote to memory of 520	2516	mscorsvw.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_499a18c448af539fe4561a0c515912ce_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1164

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2996

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 1f0 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 260 -NGENProcess 1d4 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 250 -NGENProcess 1f0 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 268 -NGENProcess 248 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 1d4 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1d4 -NGENProcess 260 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 278 -NGENProcess 270 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 248 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 268 -NGENProcess 260 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 280 -NGENProcess 26c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 280 -NGENProcess 268 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 28c -NGENProcess 26c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 278 -NGENProcess 260 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 294 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 270 -NGENProcess 1d4 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 298 -NGENProcess 294 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 288 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 298 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 278 -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2a0 -NGENProcess 2ac -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1496

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 20c -NGENProcess 1e8 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 258 -NGENProcess 24c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 230 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1e8 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 24c -Pipe 1b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1e8 -NGENProcess 24c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 270 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 264 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 24c -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 24c -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 280 -NGENProcess 264 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 264 -NGENProcess 278 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:460
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 288 -NGENProcess 270 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 270 -NGENProcess 280 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:2076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 290 -NGENProcess 278 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 278 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 298 -NGENProcess 280 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 280 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:1620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:1728
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a8 -NGENProcess 290 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 290 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:1716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2b0 -NGENProcess 298 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:2216
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b8 -NGENProcess 2a0 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a0 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2c0 -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2a8 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2260
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2c8 -NGENProcess 2b0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b0 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:1844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d8 -NGENProcess 2a0 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2a0 -NGENProcess 2c8 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:2612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2e0 -NGENProcess 2c0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c0 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e8 -NGENProcess 2c8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2c8 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 2ec -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:1692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 2d8 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2ec -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2ec -NGENProcess 2f8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2c8 -NGENProcess 30c -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2f0 -NGENProcess 2f8 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f8 -NGENProcess 308 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:3048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 314 -NGENProcess 30c -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:1416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 310 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 308 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 30c -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  PID:900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 310 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 308 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 30c -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 310 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:1128
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 308 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 30c -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:1840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 310 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:1528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 308 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 30c -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 310 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 308 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 30c -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 310 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 34c -NGENProcess 340 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:324
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 360 -NGENProcess 348 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 30c -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:1144
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 340 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 348 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 30c -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 368 -NGENProcess 374 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 360 -NGENProcess 30c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 378 -NGENProcess 370 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 374 -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  PID:1620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 30c -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:1116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 370 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 374 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 30c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 380 -NGENProcess 370 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2136
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 378 -NGENProcess 390 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 398 -NGENProcess 30c -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:324
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 370 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 390 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 30c -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:1516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 370 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 390 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 30c -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 370 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:2536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 390 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 30c -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:1536

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1900

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1952

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:780

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:588

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2416

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1552

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1252

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:688

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1616

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2508

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2056

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1240

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1940

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2328

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2232

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1840
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:2788
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2680

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
6baad5b936ba417328a50707d6236010

SHA1
ce3dbf3c5a820a2549756950c6ab64e5fe02d9b1

SHA256
e55c8e98e51c8d3eab2c411dd561bd53441b76d02ef5fe27511cfe22592de5e8

SHA512
66d528fabb74bc0a5e1d1e1ca94a2193dd99cc768ee1e31f818a18ee461f453a756d251dbf7d271f831bb82d9ada1faded674baf67d3c81d17e2ba781f56d53b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
c838dfde8bc9ba26a131a6878e81e4e3

SHA1
5c75d00fc03ab427ad377aa3dba9377685ea6262

SHA256
8cf601b244e6294589b869290347c692fde7e074b0398ed7de61dd70a89f9ad5

SHA512
d986aecda519d56e1ec754b9e26d652fbc52f9ee0fa12238a51db442281728f4fcf8ec33b38517c1c02d4d932f2ea790afbd90520cdde6132bd06baf98568419

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
16b12b913c86af24daec796c8db552d0

SHA1
61b1f1cb7bb6733e7436e53a7fb6e4032186205b

SHA256
9cd7910c6a3891d1d162181f877fcd3edb9b2a8b906b310b597bbcf63e71e9b2

SHA512
1964c258ffd2708f71ba0bcc89e31b3c50c214063c5dca9e96ce5158ebd9b8749023905c8b842665b83e7f96c362a7f1e7a1c596f8442710bfc138de434ab2d4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
b995aa94573b3d0a60dbb683ab914aad

SHA1
2f03563fb2a2d802237cba5a36c022fd84d6f419

SHA256
72eb4e2466b1df5a497592a9c24afcdcea8c904d4f7595c92284695f0dd2e2a1

SHA512
18e5c625d1f659eb17a68be2460923211f3064fea38b72ae9602735c0d84a4f3dbdf3072b2be32d640d7577a71972a497d5a0a1dfdaa6bcf647bf588ca2be97d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c2660099fcbbda35080910abc51d90cc

SHA1
7285dcb3b1d128475c8d76a24d999ae46818d381

SHA256
af361d7b4b6020ae69b81ec831750326f8d5e02140cd13de82b79aea60ffb6ee

SHA512
58385225801471b4595024ada48946f72ff622769ecbd7fc5a5433c1ac30d20ce07a795f6052295648d9c66dabd63d94343799225e7cf0dc9ac24ea859d47070

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
9a590cb5b0ff0915bb214acfbb04a7dc

SHA1
04b14069ffc45765f264f5c0abcb04869c79794c

SHA256
4af5876f8dc77c5c92e8a2ba903d635d9033010b9861cb8900f6314f9c7daff5

SHA512
4a82263f2144b82e64d5c25cd6eb718e02f6a2780d99593580da0c92cf674d587d983c06bdce6ed98018ce42172133e01df11d6c0a276d873549d5ee42ac76a7

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log

Filesize
1024KB

MD5
07c255b6135b175e34f871695df84b99

SHA1
9cf719c3f5000ea0c8fd7c630ca181819c495e4c

SHA256
6d6d0d5f1d980153e1eea9f7ed1e769708d424a1b1ba79224cd1002121993edf

SHA512
28f4ace417c8fa14ef0b158c3998992b7a59b62df268112b2c4014c8d6dbf8748a015f2327523b96ab2c0170d268b9f5d00634d0ea53673d357760215cb18627

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
2a0d5a0aad5913d7934bb2bdefea5bf0

SHA1
270b723ab75e01c10ee2f12fdade2b76d653a51f

SHA256
fc768e32a03fd38d1ed206aac0f9391c9072b64fd48e0fcd0ec611e89e45b352

SHA512
5fb8bf09d8cf462064152e3459efa4cbfb31eb0e3688f4561061f7504754be0eda18e63ce880eb952c4f87f50907e2cf27c9dd5db130ec73161bdecfda501250

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
d6cab5267683a1f21fae81745a6bcf5e

SHA1
5da73dee9bc271a9f3dd89ea2574c9bc9cdfe43d

SHA256
91f2428a552e7e55e627ab67d55048c0b11689e7c49d2001d22ee284da73e11e

SHA512
e40d0e76200c4bcfeea79e04e1536b41930305377f3285123dd3dc6d7248001b5262f8eda968a7f6480720d9766e7619c0eee4e8d9288c4a89015a3c77d4de7b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
be8dd3e9f5c635f857a5e37f10afa238

SHA1
9fcde9f4a72c7ec8858c5d8d8f97696c781b787b

SHA256
cdbcedcd18eee26d5576aaf2c4763278ba29a67ffddefa7f980c3d0a1e4de0e3

SHA512
0b4674b1a9124ba84ef2cf8f6688e95dde685472460b5a5f75db217a3f3fab5fcf1557b1e21537c38aa2d4f2d55452b7937741b0fb2c3769ed85a50b126b5e23

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
e75e9d618bad0706b40fe19fa3e83664

SHA1
768f230fea8712c9408aee2800a4567cc2497835

SHA256
629f26e2165cc5591ab25a541873baf74f9fe2c6fe5b72ca2b4b82e88778ac49

SHA512
316eac357777fd5fa63605a28c0f295258c687b6871cf605fbdafc86525c2ddd95550cd5aed90b65b35cee1f8400a38e8bcd910c99e118f8b0a443b73026a86d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
f3afe329f29efab85170b985d9a9aafc

SHA1
4a3cf758c62f72468ec7a6504715acda50c081d9

SHA256
3a45cd61a02dc35b52a8166605fff77a014c58b1ce980193d03d5d0c8c8c999e

SHA512
a102de894d9efc05f7c03ac05ef74e29ba79d4d731bb64c1a425c5df42e1a3f74ab8c1a166bbc99888b2e05ef2d59f55383d08262153145f3effe85c93efe119

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
6142b5d0d9d932399e99c05691251088

SHA1
d5a044d084ed47a2ffce44e364150e606a34c3eb

SHA256
113d51b4ddce115f06eb5b22913ba38102d3ea109adb6b8a20af713a6dfbfb61

SHA512
5cc863c3f6ae88bbcb042ae39cffddfe97cf60ae9d0dc4005390a4539957c06f3841ac7340ffdc328bebc5c1c6a5ccdb253b083c7b477c41c0a11c4a45774355

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
18257d26c388da2818a5994ce2494b31

SHA1
f4e352dd38d4e408f7378a76c79923161290c53b

SHA256
ef62ee00a3b4206b70b177a330887b8a323d7f5bf89a4359b542a166a01a5d04

SHA512
2c4f7a401c35a0d977e475c7a85cf9f3b46bc5cce1278c003dbcff62bcfbb1e91fca9b0ad47eb0f44edc2877a0c3178c82f4724a3fa40412fc0ad356ee594ef7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
07510ee094d82b72088010a5fc6ad544

SHA1
a87fa4c262cca279977de214800fa5b473c15ef0

SHA256
02d8a638cbb4458f0ea1c2cb0937df7bdf287f00a3fd5085785c5be11b840ea1

SHA512
91428fe52bab8fd7b0745d745c625b314185172dd8f89b0e274991d74fdc92753d7c80b85684e6c92063f7a9bf9e8750d0a5ebf687a64a7d2b06edf21e27bd56

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
4f1efaf69a81945ece6e701b8ad2d12b

SHA1
02c8e257b53320c1fb378d8f10aba6cba30e081a

SHA256
88971a41f1ecbeeabab5c1ab808a645ddbd31bf4f949deb6bd17a604b695f37b

SHA512
ed78521be0719ea54bfe0375c1f127349e662d8e885eb4eaadd2fa559c3a54f84ddd6cef631c1ab9acb3117209b5d032b1dd053e821ca3b360b72cad580e5727

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
ce4fe7756b462d26f25c89fd2a422e3f

SHA1
76129567fa6ec051879fde68f870597fe0a489ae

SHA256
381b75b7340c51c380d0f49d06028b16dd098ff4566696b89988722bf6dfdbdc

SHA512
8abeba3155e8e38323ae9b573ce46d062174369936e924eea1dc96662119090d9da84440fa9ee718a33ce36aab19e1a0696931fe0d8142205f8eaa4f6baf79bd

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
691KB

MD5
51baa96301320fd0e72b6c9188f95d78

SHA1
51be610c3408059b36c6e38ba1d46230a97b8534

SHA256
2958528035756aa70ccba98fb3acbc623256a27dd49295910bd5d251bdc216e1

SHA512
b58b03d2d709df0c2e6d4e7a2de04296e3a23362f68a331615d65d626b2273f52e1cd9504e8f4b59a4aea74c794a7e49f527cb65f285d93a124dd143416ebfd0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
1196707c856f921210680a19830812b8

SHA1
7f36ccce5cec520bd8a46d4c9021f7e13a2b466c

SHA256
226f8b0dfad8aa2979dcd50e6c16b6a12b397145d04d0557e07392e87fd14683

SHA512
d3e7bccea78fd255c3825b4353361ba36dc4e9614b16f44093af549769fe56cfaea5456479ba39fb4d3ab13e8f121f7491bcdc1ac7297664a55e3dfac3899bd4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
d19bb22e86dff2881693cc535b2c8ba8

SHA1
38e8ab62d45334a4580ad1024c3ea963e43fae04

SHA256
ca2ee0324b6e9bb6f2b2ab70f7058ec8655714b4b5c1a0602407bfe7068f7139

SHA512
f54e074f847b5f67cf9c6ca1f3803fd2b7440ca259c3a7f0c7f79335d961ea2d35f418f4b3c06d53aa2a4354515fa5fe0aa681267d1c2329f2737f4e56f08211

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\14429456f2a43bbb607661c3d3aca916\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
1eef8b641d4d377ee1a2f21bfbab5638

SHA1
eb3133e16f230c6540b1ec1cbda7265fe45fc15c

SHA256
33e5aac291bfbbe484401a2d1276fcdea2349707883950e7a192a4456b0f53c0

SHA512
7135af4e7b9af6ed02b5e76c4bbdc544cea918238481d42d9cc27c30c2567d9e5a9b59dc720e55fe5ca2f8ea99b9222661630738cbb70e53871d5abfc5d64ef8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\539f9ccb8b269e25f195b20e47549383\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
43378f3eff193137c36719b0fc6f14ee

SHA1
ca1d12b53169820cc86da72962442922b7ba5466

SHA256
0eb797e3d2fee7d1014a4a81e9b54b4d051442593f3e7848f7cb9ba64d505077

SHA512
193b755e0e5ae29b0c993cf9f10dc2b9628ed6cb7a9aaacfb6dc5c9fac281b6ee085b96c4a171a162cc07d7515a3dcc2e355f94a4e668652f95419992722a8ef

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\b724faefd6a2be82f5b96d9569929826\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
604f2755db593a7fbb73d4c879cec624

SHA1
3953227cf795c2a558dbc334b0c53630f768d175

SHA256
ccd6ba5062c317ccd758a9436a60e54ab6210248c72d9e40a89da519ecb1bb0c

SHA512
a15e81ef14afa405e9b8c2182961c6e68c8dcf974ce02b461d67abef7d339c93d2520f0f088255722f768840e5dd31f578f0c20da20993e6f1ca9f011beab816

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\b937bb7b4e135b95760f5d310361e4ed\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
5849f6b4a98234a4a6bd34ce0aed7742

SHA1
114d17ab6d30b909dc41f5093e61ea3cf5d98219

SHA256
7bc9522099d7f6670a8b486dcafa9920fb06a7d44bb8ba5e810a26d4991cfd2d

SHA512
8952de7b39f844e854395ad39c4a7d36684a5c1d71e682b1bdb15cc0a63a4dd0bb8c3f7357a87f1966fdbd18daea81e14ac32e07eebd54c0fc368a19a441890e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
92c0728e406b76228d41afd7a6825417

SHA1
f1daef77a935236e0a22247e650a0bf7ccc0dcf2

SHA256
5cbebe71651334a5e123ed1afbdca3ac5f55d817afa5bdd5b7849d20c0add23a

SHA512
95e5409a85f1225b4daed807dcc6e6c2ae3d611c6c4a0a69ebc0a03c70ce7a709b7832d8cdf73ab07bec5ca7488e8dce2935bc3b4124951cdd3c76fa615ce307

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
681317dc35b7480c84af231f6b69eb73

SHA1
8f7c2a5ce067224eb5f1446da5ec4a921899acc6

SHA256
f94a72d4f26e0579755c8b0a363ad990948a2f585042e5438ceceb2707c51d78

SHA512
c603efe5f113fc23b7109fd7ec5e3f77177b4efffff7a285897265cfc8076c52cb54a18de09c88b248d837727a0ca6c959c1928a276068cedbda64e05fb5df62

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
46fdd5edbc1c9b22093616c49123ea84

SHA1
6dff2f96b1846bfde658a43ecafe88ff533cd99a

SHA256
bc70a3aee5e03312f644350c87bb812ae779f2ec59c29fd6f8157139fc26bff1

SHA512
b959b7e74c01622a17b033da0168ed7966ade768dd2d187541a2932bc4628deb1adeef465dc5357b6c4936721c064f1c0956e5a8c24cb43f27dde68cad3d25cc

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
66f850311393f9951006e8523ff512a5

SHA1
fe039b97e0522a25794e860a996d0db5e5b0bb1e

SHA256
3f5c34ff18b9a459045c5aa365354ddd915de33686ab364aada5d28cad43925e

SHA512
5f12638255a801723af5c9e4074af9aa7d5770c357f0921039c7f7e17842e6155340258653b4c6287ce91a855ca67cec7d64799bf8317d53d74eeb226286456c

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
b48d6b7063b6f62810f4b733b3da6c27

SHA1
fe4bf6ca6d8911167965948c54a8820591fe7ad5

SHA256
250e759fa85bf23e6e95c558a75f5c4969cefdc833405a2854248e88ff8aa0f1

SHA512
24c3ef96c612d48cbc4dc3d77df99d1ddbefb2a31f3fa2bcab9219de0d3a64f98e60647145877dd167d3a68104891b7b49fa1f3eaeb54229f64b69283c1965da

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
0b58e3dd03298a3cd236304297929f7e

SHA1
f13202b556a05b48c54bd8a4674a08715c717dcb

SHA256
d22ff56d1d205ca2907f4eb2742c47fd7e88d066b831c5ea16bd638472bcd78b

SHA512
1d4d1dbc553db054d0dc760427220e19e68896e5686a8a228cd4e0a52d52680f1b6fc908f98df255f2f151728eace08e564da181029aec71aa9a1270d1a564a7

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
26e8a96013814d7b63bbc390a1cdbeea

SHA1
f75bb0ceffd69194203355531d250d21d86766bf

SHA256
6c1d239a999f1f0ec4614dcbf7044476789dba339887f12803db7e15329d975b

SHA512
017adf58a989431ef0d6ac5c407492884657d680518d5ba59d3872a0f7fcbc3395ad50ae96de9c42b2e62fa120d0916912b1df2cc820c173539d486f953039c2

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
715d16ed49e9e4ac56dce7085dca274f

SHA1
fb982b30058a401866e71f52142e14394f54cf99

SHA256
85f044342ec0f54559416f5b124c9225d360c7a4b7594a2e149c2b5ad718f4c4

SHA512
dd11f12c3e67659bd1fefdd93857a73f2906d554401349426d5a066ec833b5ed097d4ed6d823794064e9733206d6ca2beaee4fe96e9b49fb50e92f52f04d857f

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
74cbfd2b99f8c4b467224d2e27a4bd20

SHA1
2374ceeeed68b6b538c1f1890807fe2befebbcfe

SHA256
2d49e07ffbc1ecc2caa50d7a007a8b68a02b6621fdfccea52808399f6f32f59a

SHA512
d3f13ae9867aa54ceb7a9577b0b2778e4a35d5d0f03ef4c86bd974743dc29252e2f2948d169674a016cea1671df30f10a8f745d58767b6fb93d05b29028fb091

Download Submit
memory/520-783-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/588-139-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/588-255-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/688-281-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/688-184-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/836-795-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/836-781-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/896-792-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/896-796-0x0000000003BE0000-0x0000000003C9A000-memory.dmp

Filesize
744KB

Download
memory/896-808-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1064-628-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1064-312-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1164-36-0x0000000000E40000-0x0000000000EA0000-memory.dmp

Filesize
384KB

Download
memory/1164-138-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1164-27-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1164-28-0x0000000000E40000-0x0000000000EA0000-memory.dmp

Filesize
384KB

Download
memory/1240-531-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1240-277-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1252-194-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1252-198-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1432-852-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1436-844-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1436-830-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1496-833-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1496-820-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1552-183-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1552-264-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1588-755-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1616-351-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1616-224-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1664-653-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1664-629-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1668-711-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1668-691-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1732-735-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1732-749-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1800-771-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1900-112-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/1900-119-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/1900-120-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1900-235-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1940-561-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1940-282-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1952-124-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1952-252-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2000-22-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2000-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2000-14-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2000-111-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2056-265-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2056-416-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2100-384-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2112-682-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2112-657-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2140-540-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2140-417-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2164-318-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2164-330-0x00000000003C0000-0x0000000000472000-memory.dmp

Filesize
712KB

Download
memory/2164-202-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2164-209-0x00000000003C0000-0x0000000000472000-memory.dmp

Filesize
712KB

Download
memory/2220-2-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/2220-8-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/2220-72-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2220-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2232-705-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2232-352-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2328-299-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2328-600-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2360-93-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2360-216-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2360-99-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2360-92-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2372-817-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2372-805-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2412-253-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2412-353-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2416-274-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2416-151-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2420-619-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2480-722-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2480-738-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2508-357-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2508-240-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2516-73-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2516-74-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2516-79-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2516-204-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2520-379-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2520-734-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2632-104-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2632-53-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2632-55-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2632-62-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2664-842-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2676-536-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2676-567-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2868-366-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2868-721-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2916-598-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2916-566-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2988-656-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2988-327-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2996-41-0x0000000000A40000-0x0000000000AA7000-memory.dmp

Filesize
412KB

Download
memory/2996-45-0x0000000000A40000-0x0000000000AA7000-memory.dmp

Filesize
412KB

Download
memory/2996-89-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2996-39-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3024-706-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3024-725-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download