844f89b2e912a2697c85bbb20129599114341c7187118d7a0488a8f4ae092f0f

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/06/2024, 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
Size

1.8MB
MD5

fccaf83565e779c83da236f7a44faf53
SHA1

e2349578da14b89504ee879f9417af6310dc0da7
SHA256

844f89b2e912a2697c85bbb20129599114341c7187118d7a0488a8f4ae092f0f
SHA512

917994aff35e00fe6ddb94d05e5757239e3f4b5dbf870264da4f4359a96622b41d9682b03598eb9c247719ff4883af8229af423ba86e755535b77bda51546ad4
SSDEEP

49152:QE19+ApwXk1QE1RzsEQPaxHNWdPGM7nmoOl:193wXmoKOxB7nmoO

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2620	alg.exe
2540	aspnet_state.exe
2584	mscorsvw.exe
2964	mscorsvw.exe
1468	mscorsvw.exe
2112	mscorsvw.exe
2672	ehRecvr.exe
824	ehsched.exe
1744	elevation_service.exe
2248	IEEtwCollector.exe
1316	GROOVE.EXE
996	maintenanceservice.exe
2308	msdtc.exe
2200	msiexec.exe
1696	OSE.EXE
1984	OSPPSVC.EXE
2708	perfhost.exe
2464	locator.exe
268	snmptrap.exe
1016	vds.exe
272	mscorsvw.exe
2396	vssvc.exe
2284	wbengine.exe
2736	WmiApSrv.exe
2020	wmpnetwk.exe
2928	mscorsvw.exe
2372	SearchIndexer.exe
860	mscorsvw.exe
2428	mscorsvw.exe
1720	mscorsvw.exe
1236	mscorsvw.exe
1344	mscorsvw.exe
1776	mscorsvw.exe
1964	mscorsvw.exe
1884	mscorsvw.exe
2976	mscorsvw.exe
2320	mscorsvw.exe
1908	mscorsvw.exe
532	mscorsvw.exe
2052	mscorsvw.exe
1544	mscorsvw.exe
2976	mscorsvw.exe
1728	mscorsvw.exe
2808	mscorsvw.exe
2508	mscorsvw.exe
2952	mscorsvw.exe
2352	mscorsvw.exe
2884	mscorsvw.exe
1720	mscorsvw.exe
944	mscorsvw.exe
1188	dllhost.exe
852	mscorsvw.exe
1596	mscorsvw.exe
2420	mscorsvw.exe
1776	mscorsvw.exe
2884	mscorsvw.exe
292	mscorsvw.exe
956	mscorsvw.exe
552	mscorsvw.exe
804	mscorsvw.exe
432	mscorsvw.exe
2016	mscorsvw.exe
1540	mscorsvw.exe

Loads dropped DLL 61 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2200	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
748	Process not Found
464	Process not Found
2884	mscorsvw.exe
2884	mscorsvw.exe
956	mscorsvw.exe
956	mscorsvw.exe
804	mscorsvw.exe
804	mscorsvw.exe
2016	mscorsvw.exe
2016	mscorsvw.exe
1900	mscorsvw.exe
1900	mscorsvw.exe
552	mscorsvw.exe
552	mscorsvw.exe
2032	mscorsvw.exe
2032	mscorsvw.exe
1940	mscorsvw.exe
1940	mscorsvw.exe
972	mscorsvw.exe
972	mscorsvw.exe
2176	mscorsvw.exe
2176	mscorsvw.exe
916	mscorsvw.exe
916	mscorsvw.exe
1044	mscorsvw.exe
1044	mscorsvw.exe
2288	mscorsvw.exe
2288	mscorsvw.exe
2812	mscorsvw.exe
2812	mscorsvw.exe
1716	mscorsvw.exe
1716	mscorsvw.exe
1708	mscorsvw.exe
1708	mscorsvw.exe
2660	mscorsvw.exe
2660	mscorsvw.exe
1568	mscorsvw.exe
1568	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
2268	mscorsvw.exe
2268	mscorsvw.exe
432	mscorsvw.exe
432	mscorsvw.exe
608	mscorsvw.exe
608	mscorsvw.exe
1956	mscorsvw.exe
1956	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\52e6c0e8ae4ef42b.bin	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E4A.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1120.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF612.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPACB3.tmp\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP454.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7CE.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D751AB0F-3121-49CE-B08A-EBCBB7B4021D}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2F4A.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Journal\Journal.exe,-3075 = "Create notes in your own handwriting. You can leave your notes in ink and search your handwriting or convert your notes to typed text."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10310 = "The aim of the game in Spider Solitaire is to remove cards from play in the fewest moves possible. Line up runs of cards from king through ace, in the same suit, to remove them."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\TipTsf.dll,-60 = "Enter text by using handwriting or a touch keyboard instead of a standard keyboard. You can use the writing pad or the character pad to convert your handwriting into typed text or the touch keyboard to enter characters."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2604	ehRec.exe
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2540	aspnet_state.exe
2540	aspnet_state.exe
2540	aspnet_state.exe
2540	aspnet_state.exe
2540	aspnet_state.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
Token: SeShutdownPrivilege	1468	mscorsvw.exe
Token: SeShutdownPrivilege	2112	mscorsvw.exe
Token: 33	1128	EhTray.exe
Token: SeIncBasePriorityPrivilege	1128	EhTray.exe
Token: SeDebugPrivilege	2604	ehRec.exe
Token: SeShutdownPrivilege	1468	mscorsvw.exe
Token: SeShutdownPrivilege	2112	mscorsvw.exe
Token: SeRestorePrivilege	2200	msiexec.exe
Token: SeTakeOwnershipPrivilege	2200	msiexec.exe
Token: SeSecurityPrivilege	2200	msiexec.exe
Token: SeShutdownPrivilege	1468	mscorsvw.exe
Token: SeShutdownPrivilege	1468	mscorsvw.exe
Token: 33	1128	EhTray.exe
Token: SeIncBasePriorityPrivilege	1128	EhTray.exe
Token: SeShutdownPrivilege	2112	mscorsvw.exe
Token: SeShutdownPrivilege	2112	mscorsvw.exe
Token: SeBackupPrivilege	2396	vssvc.exe
Token: SeRestorePrivilege	2396	vssvc.exe
Token: SeAuditPrivilege	2396	vssvc.exe
Token: SeBackupPrivilege	2284	wbengine.exe
Token: SeRestorePrivilege	2284	wbengine.exe
Token: SeSecurityPrivilege	2284	wbengine.exe
Token: SeManageVolumePrivilege	2372	SearchIndexer.exe
Token: 33	2020	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2020	wmpnetwk.exe
Token: 33	2372	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2372	SearchIndexer.exe
Token: SeShutdownPrivilege	1468	mscorsvw.exe
Token: SeShutdownPrivilege	2112	mscorsvw.exe
Token: SeDebugPrivilege	3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
Token: SeDebugPrivilege	3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
Token: SeDebugPrivilege	3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
Token: SeDebugPrivilege	3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
Token: SeDebugPrivilege	3036	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
Token: SeShutdownPrivilege	1468	mscorsvw.exe
Token: SeShutdownPrivilege	2112	mscorsvw.exe
Token: SeDebugPrivilege	2540	aspnet_state.exe
Token: SeShutdownPrivilege	1468	mscorsvw.exe
Token: SeShutdownPrivilege	1468	mscorsvw.exe
Token: SeShutdownPrivilege	1468	mscorsvw.exe
Token: SeShutdownPrivilege	2112	mscorsvw.exe
Token: SeShutdownPrivilege	2112	mscorsvw.exe
Token: SeShutdownPrivilege	2112	mscorsvw.exe
Token: SeShutdownPrivilege	1468	mscorsvw.exe
Token: SeShutdownPrivilege	2112	mscorsvw.exe
Token: SeShutdownPrivilege	1468	mscorsvw.exe
Token: SeShutdownPrivilege	2112	mscorsvw.exe
Token: SeShutdownPrivilege	1468	mscorsvw.exe
Token: SeShutdownPrivilege	2112	mscorsvw.exe
Token: SeShutdownPrivilege	1468	mscorsvw.exe
Token: SeShutdownPrivilege	2112	mscorsvw.exe
Token: SeShutdownPrivilege	1468	mscorsvw.exe
Token: SeShutdownPrivilege	2112	mscorsvw.exe
Token: SeShutdownPrivilege	1468	mscorsvw.exe
Token: SeShutdownPrivilege	2112	mscorsvw.exe
Token: SeShutdownPrivilege	1468	mscorsvw.exe
Token: SeShutdownPrivilege	2112	mscorsvw.exe
Token: SeShutdownPrivilege	1468	mscorsvw.exe
Token: SeShutdownPrivilege	2112	mscorsvw.exe
Token: SeShutdownPrivilege	1468	mscorsvw.exe
Token: SeShutdownPrivilege	2112	mscorsvw.exe
Token: SeShutdownPrivilege	1468	mscorsvw.exe
Token: SeShutdownPrivilege	2112	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1128	EhTray.exe
1128	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1128	EhTray.exe
1128	EhTray.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
292	SearchProtocolHost.exe
292	SearchProtocolHost.exe
292	SearchProtocolHost.exe
292	SearchProtocolHost.exe
292	SearchProtocolHost.exe
2280	SearchProtocolHost.exe
2280	SearchProtocolHost.exe
2280	SearchProtocolHost.exe
2280	SearchProtocolHost.exe
2280	SearchProtocolHost.exe
2280	SearchProtocolHost.exe
2280	SearchProtocolHost.exe
2280	SearchProtocolHost.exe
2280	SearchProtocolHost.exe
2280	SearchProtocolHost.exe
2280	SearchProtocolHost.exe
292	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 272	1468	mscorsvw.exe	50
PID 1468 wrote to memory of 272	1468	mscorsvw.exe	50
PID 1468 wrote to memory of 272	1468	mscorsvw.exe	50
PID 1468 wrote to memory of 272	1468	mscorsvw.exe	50
PID 1468 wrote to memory of 2928	1468	mscorsvw.exe	56
PID 1468 wrote to memory of 2928	1468	mscorsvw.exe	56
PID 1468 wrote to memory of 2928	1468	mscorsvw.exe	56
PID 1468 wrote to memory of 2928	1468	mscorsvw.exe	56
PID 1468 wrote to memory of 860	1468	mscorsvw.exe	58
PID 1468 wrote to memory of 860	1468	mscorsvw.exe	58
PID 1468 wrote to memory of 860	1468	mscorsvw.exe	58
PID 1468 wrote to memory of 860	1468	mscorsvw.exe	58
PID 2372 wrote to memory of 292	2372	SearchIndexer.exe	59
PID 2372 wrote to memory of 292	2372	SearchIndexer.exe	59
PID 2372 wrote to memory of 292	2372	SearchIndexer.exe	59
PID 2372 wrote to memory of 1144	2372	SearchIndexer.exe	60
PID 2372 wrote to memory of 1144	2372	SearchIndexer.exe	60
PID 2372 wrote to memory of 1144	2372	SearchIndexer.exe	60
PID 1468 wrote to memory of 2428	1468	mscorsvw.exe	61
PID 1468 wrote to memory of 2428	1468	mscorsvw.exe	61
PID 1468 wrote to memory of 2428	1468	mscorsvw.exe	61
PID 1468 wrote to memory of 2428	1468	mscorsvw.exe	61
PID 1468 wrote to memory of 1720	1468	mscorsvw.exe	82
PID 1468 wrote to memory of 1720	1468	mscorsvw.exe	82
PID 1468 wrote to memory of 1720	1468	mscorsvw.exe	82
PID 1468 wrote to memory of 1720	1468	mscorsvw.exe	82
PID 1468 wrote to memory of 1236	1468	mscorsvw.exe	63
PID 1468 wrote to memory of 1236	1468	mscorsvw.exe	63
PID 1468 wrote to memory of 1236	1468	mscorsvw.exe	63
PID 1468 wrote to memory of 1236	1468	mscorsvw.exe	63
PID 1468 wrote to memory of 1344	1468	mscorsvw.exe	64
PID 1468 wrote to memory of 1344	1468	mscorsvw.exe	64
PID 1468 wrote to memory of 1344	1468	mscorsvw.exe	64
PID 1468 wrote to memory of 1344	1468	mscorsvw.exe	64
PID 1468 wrote to memory of 1776	1468	mscorsvw.exe	65
PID 1468 wrote to memory of 1776	1468	mscorsvw.exe	65
PID 1468 wrote to memory of 1776	1468	mscorsvw.exe	65
PID 1468 wrote to memory of 1776	1468	mscorsvw.exe	65
PID 1468 wrote to memory of 1964	1468	mscorsvw.exe	66
PID 1468 wrote to memory of 1964	1468	mscorsvw.exe	66
PID 1468 wrote to memory of 1964	1468	mscorsvw.exe	66
PID 1468 wrote to memory of 1964	1468	mscorsvw.exe	66
PID 1468 wrote to memory of 1884	1468	mscorsvw.exe	67
PID 1468 wrote to memory of 1884	1468	mscorsvw.exe	67
PID 1468 wrote to memory of 1884	1468	mscorsvw.exe	67
PID 1468 wrote to memory of 1884	1468	mscorsvw.exe	67
PID 1468 wrote to memory of 2976	1468	mscorsvw.exe	74
PID 1468 wrote to memory of 2976	1468	mscorsvw.exe	74
PID 1468 wrote to memory of 2976	1468	mscorsvw.exe	74
PID 1468 wrote to memory of 2976	1468	mscorsvw.exe	74
PID 1468 wrote to memory of 2320	1468	mscorsvw.exe	69
PID 1468 wrote to memory of 2320	1468	mscorsvw.exe	69
PID 1468 wrote to memory of 2320	1468	mscorsvw.exe	69
PID 1468 wrote to memory of 2320	1468	mscorsvw.exe	69
PID 1468 wrote to memory of 1908	1468	mscorsvw.exe	70
PID 1468 wrote to memory of 1908	1468	mscorsvw.exe	70
PID 1468 wrote to memory of 1908	1468	mscorsvw.exe	70
PID 1468 wrote to memory of 1908	1468	mscorsvw.exe	70
PID 1468 wrote to memory of 532	1468	mscorsvw.exe	71
PID 1468 wrote to memory of 532	1468	mscorsvw.exe	71
PID 1468 wrote to memory of 532	1468	mscorsvw.exe	71
PID 1468 wrote to memory of 532	1468	mscorsvw.exe	71
PID 1468 wrote to memory of 2052	1468	mscorsvw.exe	72
PID 1468 wrote to memory of 2052	1468	mscorsvw.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2620

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2584

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 254 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1f0 -NGENProcess 25c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 244 -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 244 -NGENProcess 1f0 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 250 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 274 -NGENProcess 254 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1d4 -NGENProcess 25c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1f0 -NGENProcess 250 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 240 -NGENProcess 27c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 274 -NGENProcess 25c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1f0 -NGENProcess 288 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1f0 -NGENProcess 278 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1d4 -NGENProcess 290 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 250 -NGENProcess 278 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 294 -NGENProcess 1f0 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 29c -NGENProcess 290 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 250 -NGENProcess 2a0 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2a4 -NGENProcess 290 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 288 -NGENProcess 26c -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 250 -NGENProcess 2ac -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 28c -NGENProcess 294 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1d8 -NGENProcess 274 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 274 -NGENProcess 29c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 29c -NGENProcess 23c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 1e8 -NGENProcess 28c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 23c -NGENProcess 28c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1d0 -NGENProcess 21c -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 2b0 -NGENProcess 270 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 26c -NGENProcess 28c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 28c -NGENProcess 1d0 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1f0 -NGENProcess 270 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 270 -NGENProcess 26c -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2ac -NGENProcess 1d0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 1d0 -NGENProcess 1f0 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:2748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 294 -NGENProcess 26c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 26c -NGENProcess 2ac -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 280 -NGENProcess 1f0 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1f0 -NGENProcess 294 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 2b8 -NGENProcess 2ac -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2ac -NGENProcess 280 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2c0 -NGENProcess 294 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 294 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2c8 -NGENProcess 280 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 280 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 288 -NGENProcess 2d8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:1540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2ec -NGENProcess 274 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 274 -NGENProcess 2e4 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2f4 -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2d8 -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2e4 -NGENProcess 2f4 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 304 -NGENProcess 2ec -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 300 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:1292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2f4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:1996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2ec -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2ec -NGENProcess 308 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 308 -NGENProcess 2fc -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 31c -NGENProcess 314 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 318 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2fc -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:1040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 314 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 318 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2fc -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 314 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 318 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2fc -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 314 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:1008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 318 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2fc -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 314 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 318 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2fc -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 314 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:1124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 318 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 2fc -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:1636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 314 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 318 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 2fc -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 314 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 318 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 2fc -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 314 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 318 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 318 -NGENProcess 380 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 388 -NGENProcess 314 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 36c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 380 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 208 -NGENProcess 388 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 2b8 -NGENProcess 390 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 37c -NGENProcess 2fc -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 398 -NGENProcess 388 -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 390 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 390 -NGENProcess 37c -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3a4 -NGENProcess 388 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 388 -NGENProcess 39c -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3ac -NGENProcess 37c -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 37c -NGENProcess 3a4 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:1560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 3b4 -NGENProcess 39c -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 3b0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3b0 -NGENProcess 37c -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:1904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3c0 -NGENProcess 39c -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 3bc -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 37c -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 39c -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3c4 -NGENProcess 3d0 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3b0 -NGENProcess 39c -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:1884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3d4 -NGENProcess 3cc -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:1312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3d0 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 39c -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:1956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3cc -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 3d0 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:2748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 39c -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3cc -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:1916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3d0 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 39c -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3cc -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:1100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3d0 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 404 -NGENProcess 39c -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 408 -NGENProcess 3cc -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 3cc -NGENProcess 3fc -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:2692

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:944

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:2672

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:824

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1128

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1744

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2248

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1316

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:996

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2308

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1696

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:1984

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2708

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2464

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:268

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2736

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:292
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1144
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2280

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
835c087bb800dea8335aa24526211dd6

SHA1
ab5d189880266b0ec9b5c3095757799004db9fad

SHA256
021f6cc25488838a09584d856c1d8141cc0e219500be709f1ee1f58d79948da7

SHA512
ba116c672072bc429c6d318f64a7f455689f2e8292776421b27687a4a6ed9f9e6b58731ce4ae66b4375c541c36fe02e5d7d9a16926b437eb1970a89fa79fc754

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
b2899d909800200c22ab7f7d9211908d

SHA1
5be051eb740e77131df79ffef3d7fb0cc9143fec

SHA256
79bb39243f0e2b554f16e40154cd4541d6de64f29784e9f9cc6f8c9ccc8d89d9

SHA512
33749572e40dec770ade5452ca23629d0cdf8038ff31927e5ae1423ea5d2cf0d1ef7315e14d10fc3b656d3aeab773ae0d02ce28e7d298d55e8595f424482fde5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
40f88b3b20f4f079dceed22094f76338

SHA1
80ffc150070ffa9481d248337f7b11caee87985c

SHA256
d1220f5776d6ecef6c655869e5dc97b02968862be0bfee33cd0afa849b38905d

SHA512
f6273ec530a797c79b5c9d7f916dc7770d51b7ddf3cf361d64de5596fc475db24f2d22eeaca07d47c60b7e7308c53dfcb397fb05f34d6c89fb2fc85c13c937e5

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
06c6626896e89e64be715fbedaba30d3

SHA1
39d6887ff1af806912b0661bfc6431c79c97f6d3

SHA256
0ec1a3a1d636829fea294c2110339093b185a558ede43a509fe6289c325d73aa

SHA512
487fbd4b101539099744581faec10b993107503a1856c4d22024d6b29fb035c4000644d19de58cd6efe72eb404782ee4ee8d96fd5c07c76e5be62766e053610e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
a5ab2e341f4d2cc324a88d219fb89cf2

SHA1
9d0856b28cb702558d27849c9bd843dc214d2392

SHA256
216dc8d41f59404797fde837b8381c642d8fa25931b9ff83e37e8ada925f7615

SHA512
31b99a93e6b556d52dd8f4b73494498862e884b99b3afa9c881b9226dd782bf9fc6e1fc9197696eeb415c1f903e83fe59b2a84c191ea3c565fda5d817314c4c5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
1a8dc331ff65c5e1fd014edaf0ad17d9

SHA1
911ff59171b099b4c5bcc8af48b90429f01a549e

SHA256
d3fcff40c643fe46c1da2de6ac392caf3e7bd2c53f580a3b9a106cd4a9fa88d8

SHA512
a272329b394cb9bf0a5149edd8056d5db848c0a95e1aaa47d4917f0f07154832d6580580914fc29edda548131bf8d28e0b799ca93cd8a5bd3b0dd7dd234ed345

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
d44f5381be54cdbec1ea03f0fb9b8bd6

SHA1
ced187f8d63d4442071bd6c24c14afaa9458bdcf

SHA256
da81d53481373f5f71f161dd6edf1131709a07895b6ed6a2dff7b309e033363f

SHA512
383af0bd305bc1d037616fa366c43f2042cc881be5ee8630cdd23857d6a02c6d7cf3f13a57b72a39dc65ebace2873394ce7c3ad1466b68dc9a60b4332f6212fe

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
a253a24e4ccdf53c7cbfe4105245dfca

SHA1
a495c5f13741a909689147f7dc39ac298b37158d

SHA256
86996c90252062a4c6f31f10478d678f34c6746cca1bd48bab2323d1796c2f28

SHA512
efbecbfb457c881a75ee60914b21176d4f5513d636749b05fb323ece316eaffe236681fb80ac070fea6d3038068ca235af00979276b77656382d05a404ef68c1

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
e2e9cdeff3587a1c4cd91b1528fccccf

SHA1
d3510a0cda3bddeeeb04b7ef59f54f3e854a9c31

SHA256
d1c6a74b85621fad905977b1c8e76c80e15cab711b5ea9bcf11b5302fd5b40df

SHA512
6c994638d3721e1c4e421650998c1fda4df0838d81db63c05eefc1b2ec969e44b157cecfd22c557c766f78089382689f0eee40b616a527943e211f894060fd54

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
5f89ff5c0978b8fe9240d934921be8e6

SHA1
9a6d9a46b48c8c7c32214265b3310d50c525401d

SHA256
ec461a29eb7bbc2d50bc1288901673a547528ef6d9d8f8a1e1f9e275934364c0

SHA512
ec8cd558ae4bb0c36f4c3c5c4538e914cad5ced72b5c4aaddce6251f3346078e3b65bd0c64756794b2dae4e2aed6c04881fb419d57d55800aee974f6d5e9e1f2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
d63cad74744c2c60b2838d1222f9d9de

SHA1
d33921e530e3aa30baddb086246fe4dbd9165e0b

SHA256
b2676e061454e2b3d8214caaec8f807c992dce333d3794e2935ac9c4fc43fb7b

SHA512
aee01daea73ddf1917d6f2c56830a380b76a55aad13d185fac2eacce21ce8ad7a8008b2bb5f136b246614a553453ece9e7031a87ad755a58b9a825e8b058a2fa

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
3f4d3685ed712ec307cc3809d6a5d6ee

SHA1
40a615f81f31d4a9c42d0058bbaf0e0c705eb61d

SHA256
4d31db9947c182846f4e21b114443bbfd45a8aee3f42ad55518acd57122d3249

SHA512
dd3a262392df9b7c3e995aad8f6efd51ccd7165f02efad2eac8b28b6bbc096785945ce1a13000e70fae6d5c048aae8e6d5aa844bd6fa6164e461fdb7606fff3a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
5f038a8ebf48362b5c2fe614f3bafc1e

SHA1
36eee135dc755cd77c2e54dce138de28d9b22d4a

SHA256
75075640681bf05d84249af263d5e4a2b17db20139f26125ccf325b4e9975edd

SHA512
1e1d7ac99e2693929f6728ef8e0703552bccaf4acd75abaf73625b2e50d9859229466bff6b9bc057b4b7b584c150d4d4367db99f98d83e06b50e5eda845a5d29

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
d469619cf1e5a5a1567aeed18d303090

SHA1
e4c3a710a9ec4893cec7e0febc80eb5c5f54d390

SHA256
2bd75e7429a7929823c64a5ca6f9b59cf6eb6fb0fe4f018a28e98bf2e6f7afbc

SHA512
a8affff11680787ee7293037a639c57ae69eb1e3fb50af6b6710a6bc7029ab9e41d324566888b2253913eb53c62bcc477c7fb5b1373216b07ee5401936f1564a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
923f9ccd18b2c21b50171b903dc0323c

SHA1
2cc2b042bc5acccee8b0229ce089a0b497d7a641

SHA256
ea470b80d976e1e2820c12a1e4b29a94948fd98db6e1c68987705a7da18a91eb

SHA512
0d9c0ce55e21efbf15e167909c6a97d029e1b61bfd7651c26aea62116b3c41e4a5f9c3c54ca4b2588fba7ebd19b78a94c3fe798c6ebdbd0dab627ecfe5073a79

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
e549f0758f6ea1ffa724f97ec120d390

SHA1
0f5f964254c56d71a5717f6be1e95a5e13a0d56e

SHA256
d4490cf410495a6022116ff936a6b8312568c24b757678af2204c9181bf4aeed

SHA512
63a11f5421e0603e3e0e7962d431bed5999741cbe15befa28045333085b08b7678d61f478045a38ba9e4222247e0f70ad994f8c44ffa68fa25d036d9cf5b4e31

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
26187858401baa77ac3df2e4ccfcfd6e

SHA1
5978e230ff730c14b9d37bbfe2472cdc318569ea

SHA256
452398d71c9fad1e655544936056bc4476ba37bf6b54d2dfc645df2157e559c1

SHA512
4792abbe5d3adedd289e930ea49bbd2cbe64643708b3e7a5697ff5211d05060bc1d5efca000dd93fbdd6bb9076ee6569c9217a55460a895516815f6a9c5f1541

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
3854bef5ca1fdd9976e02f5a51cdfd6e

SHA1
89ac9a5108aced0c251cc858d2d9b313d9a2e764

SHA256
f2f8412059218c0a8a72fe5acb3fbb8e924d2856f89d5db7ff17d4ce718b78eb

SHA512
d790a6534b65562e26ac8ca55b8b4985c6d17d1eb175d7a90d46d32935d93f23b5b1668f8c451cb90786b453eb927e0dc4578f8108e66df6b49789901e0098e0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
989f89a5b6c73093624a50dc330de2d7

SHA1
19d478f11d8024c311b845cc75afdb6657b5fba7

SHA256
1975be10e8577f653064d8d2b8b2289ea86a12d19ef42ef588802fbe7f141bbc

SHA512
0f2ca2eefae9f7467c289ac02d7c65687ae71e7eddd3602593a8c462fbe2436355cb5d52aa5437fce5894a2a4c80a417713bf12fb5950e4789641d73d2b52136

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
f3d48b86ab3fbef9341cab63095b43c3

SHA1
de0f6e5424313a40ce74dcffc5da17529a93a5d6

SHA256
e14c65de2353901be2b47dbf987f408de81eef142e26a888ede0e03aee309b0d

SHA512
146ef46381221b0b1477f7ca076b73023e1c6d655196d3d95a3a711e31948575bb8e777738a791d6589708b476efe1bbe3303c9a30adbb28e5c4af6481cdf7db

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
06ea5f5a3dfc4f19b185879c4ff787a1

SHA1
3481560850ed731b5d59c16de881df86cb2030c2

SHA256
d282f9d3a081aa9428d6b6710027ef1589cf0b7cddfe36eb159d5cea3ee95f01

SHA512
99c091724f0241378818032233d144ef097fb25d2cb94c8abc79bf8d894198c2205e730d027f1a7e85a0b3e60e96fb30a7d95f1a699a4a2f51c45a937c60515b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\00cf0faa3d37faa0ea2d240c1ca307ef\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
75c84340d765d73eac1c743a31b6571a

SHA1
52aeef700a52b8e687316f42816eb9c0599354df

SHA256
b72a1f7da8b3c3dc95c2252319f6f3e71c81ed8bd59a5b31bd2861e14c364459

SHA512
9a9cdbc3a103e733150fae265c594dd7378ca402521387e466732f2431472a6a0e6cb4dfe02fe9f5b975a1739c685471ad2a4dddcdf6f12c4b5be469832fd5f1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

Filesize
1.2MB

MD5
0637ad2bf6fc5ac1d29e547155bc818c

SHA1
a502879466b6dd37eae5881bbb18353f97623852

SHA256
868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f

SHA512
1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d1a4a9fb0cc71ce65bae67050b45d18f\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
a85adc3aed8ff6cec0f3ddc1e12c705f

SHA1
402ead07e38df1ae0f77cb60b471ebb389b47274

SHA256
99c1d2a3b551f9ab99ae7b87a0d174fd4150f7a63c43a89fcfc1a88898a3d140

SHA512
529e2be43e5475cfbdf40fb7ad3818774225ba09dfdc24d5564951ccfe3b7a465e0736fe162dbd53175c51324583d90e7cd8b99e8958d2948149b51ce64a787d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d91ab5514fc768c73a040e331e600a5c\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
cc6e00b360173ab86863f8c132fa60f0

SHA1
c60d70a4d0bf74ab2d1f7aed7dd1b72c208ee430

SHA256
e7869a63cf6c56d2d1ff238912162a63d7a27a91265e87197d1c22e9730376dc

SHA512
886ac5dc79e3ad84111984f5a0027da68ba9a4e6681792fc059928a4f43d5003b0e6c7f2710c456a745fc0c518d4df88b4b11f16de21859614c68c13b14a8edb

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f2d3b5ebad3f0bde863abd1e0abc6743\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
c34e6daf72f030298a9b4c17e7e32c4b

SHA1
aa883a275a68f3f3805b9e78be2bcae501362060

SHA256
d09929c3f822a4af3813cd47486e65c732041c3c3276271cbb24e9b721fdae1a

SHA512
e690865a933883780e28d0d142c4a925a0a414d70013e52a5c8525387cbcd08009a2d9fa82c8d4132a59c0cf8a05d6e0bd45c443f0d7d8f393fe8245bea229e4

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
e1a3127d1bd7e3703953206718841333

SHA1
abd78f9fed0e82aedd63bef9707c04f15c401574

SHA256
da90d8ec742e3ce6673152dd6c025f2eacd7dc976d9ed1013d0bda77687d4c75

SHA512
b6ea5b903df68a21a7adae711f01d4075ec691a43a41200d5cf89364a3701601934e0edfee5a0035cf8ad04e94b719e0ed1f546412546e9c34fbae632fb3b2b9

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
998a0f523e14d3d2f155ed3af8dae814

SHA1
a6e2feedbcd166881a65b1de0a52f1025abb701a

SHA256
0b0f185e580a304b59a0cd99d2e392d0f0df6385f56809a9c68a682bdda36bc4

SHA512
b666a9b3ac3f33bd8058c88afd51e975d3e817570433b27b1478300c9a0867c6e26277010339e1fad99cf7b96d3ca5c35731cd4e558d87d04aeba665f5f65912

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
1e1305b89957d0000747664cfd52895e

SHA1
8f2e9218873b74be2409a7f8c087bb93601f4824

SHA256
d6922c53bba5c3da2effba5f0353f664f61d1ad60df4738125cb119795b0a499

SHA512
4be098cbd684cd2bafb9da235fc3a2e423a923a74462809c4c51109f43b1b2dfbf1b4f955801875fcceb19a983f545ac6e8344b777bb5ed84ec23d9f521433c6

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
302ebd854b1083b237ab0f9c9064770b

SHA1
9925f24f30109d03a72d1de8b71f66f6efba11c0

SHA256
72c83b2df25d7ef0c3725da7dfef57784093785fc996d247d5ac4e8ca835038f

SHA512
df08c3bbf180935b45b374c78f286eb4f99e9afd5042b85db7a7c53b51ad97b6bc86fbb40ec6ed91001900867ed6fbedabc964fe01cbd2ba128dc711a9bde3e2

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
37120bf6aa004898944b51be80fdf39f

SHA1
afe6c7e4b673a2c20ebd35cd3ac6a26a49906c89

SHA256
9f19cd7780e0c581fe0c911ffd75c3fbb4665d26a66dac77aeb50827c22e37e5

SHA512
5d1d7125344ae1b54daade84e46e7daad7a69885bd2b7911f037af7c081245c3575c78321321826e0de6b03284a44ec710dc04d70bf8e2afa4520e610dfe1df4

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
929c1d9604a82926f0465ddc6c18dbc9

SHA1
2ffc9f683dc9f67be438d594d8561c939f1a18b7

SHA256
cc9690cf09aae860bc02df8ffd7610d8882dcecfc420057afb6bb99db003264a

SHA512
737aa72353064c45d227bde994e538350b1d952b0e09ce43bbcf710a8e05442747104ccb6a36bbc34bf551ce5c92017eb5a421547661733a4fa46d2bd328992b

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
d8c4935e46feaf27e33fbc40db7d651d

SHA1
012b6e60d77c43d1b13c3ec96dd6cc4a4be6321f

SHA256
a2ab8f4005ef361761981439382629a57ea9044e4ad41dbd03d4ae76012b2253

SHA512
d0e0fa0546745302fe5ed3d9fd010165ccd5058816fd99a96a1d8f84df7ff122d05829986cf9abf9d497779b5bf3a15a47f1e603a925ea43c2344cc4832b7597

Download Submit
memory/268-223-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/268-447-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/272-284-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/272-229-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/532-652-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/532-643-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/824-207-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/824-114-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/824-113-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/824-120-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/860-307-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/860-417-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/996-171-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/996-162-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1016-488-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/1016-226-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/1236-511-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1236-490-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1316-220-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1316-161-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1344-519-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1344-513-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1468-67-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1468-66-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1468-73-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1468-181-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1544-693-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1696-261-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1696-185-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1720-449-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-496-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1728-709-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1728-716-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1744-128-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1744-216-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1776-533-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1884-595-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1884-572-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1908-627-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1908-647-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1964-548-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1964-563-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1984-198-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1984-281-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2020-270-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2020-591-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2052-667-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2052-662-0x0000000003BE0000-0x0000000003C9A000-memory.dmp

Filesize
744KB

Download
memory/2112-184-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2112-91-0x0000000000640000-0x00000000006A0000-memory.dmp

Filesize
384KB

Download
memory/2112-85-0x0000000000640000-0x00000000006A0000-memory.dmp

Filesize
384KB

Download
memory/2112-84-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2200-176-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2200-182-0x0000000000310000-0x00000000003C2000-memory.dmp

Filesize
712KB

Download
memory/2200-248-0x0000000000310000-0x00000000003C2000-memory.dmp

Filesize
712KB

Download
memory/2200-243-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2248-222-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2248-141-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2284-544-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2284-245-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2308-238-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2308-168-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2320-618-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2352-747-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2352-768-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2372-306-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2372-626-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2396-239-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2396-512-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2428-427-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2428-452-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2464-221-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2508-746-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2508-731-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2540-18-0x0000000000480000-0x00000000004E0000-memory.dmp

Filesize
384KB

Download
memory/2540-17-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2540-26-0x0000000000480000-0x00000000004E0000-memory.dmp

Filesize
384KB

Download
memory/2540-140-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2584-64-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2584-36-0x00000000004D0000-0x0000000000537000-memory.dmp

Filesize
412KB

Download
memory/2584-30-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2584-31-0x00000000004D0000-0x0000000000537000-memory.dmp

Filesize
412KB

Download
memory/2620-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2620-127-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2672-196-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2672-108-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2672-102-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2672-101-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2708-211-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2708-305-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2736-571-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2736-249-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2808-723-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2808-736-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2884-773-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2884-765-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2928-296-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2952-757-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2964-82-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2964-53-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2964-48-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2964-46-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2976-713-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2976-599-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2976-592-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2976-688-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3036-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/3036-100-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/3036-8-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/3036-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download