0665181866ae747a4ab391f4b437f538c9b70c744bdfeed68ca0b816e67ee1e4

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15/06/2024, 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
Size

1.4MB
MD5

807b33d1d1846875c0ee81cb3f1cbb3f
SHA1

39687a8ac6e64b469e5225940af0b42c329145f4
SHA256

0665181866ae747a4ab391f4b437f538c9b70c744bdfeed68ca0b816e67ee1e4
SHA512

0783ba05ef7cb20e647cf7fe5bb5fa3649e257eef840430858b7a5ecef9341af1c7f6020304e5b223aaac82f7dd482725d1d8d1273c3ce18de9b1ac93c53fbb2
SSDEEP

24576:A6B1RVldlnXfH9gPwCn7vOb7HHcp/CGXQp:NB1RVlbnXf9gPTTW7H1GXC

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
480	Process not Found
2896	alg.exe
2132	aspnet_state.exe
2796	mscorsvw.exe
2828	mscorsvw.exe
2568	mscorsvw.exe
2872	mscorsvw.exe
3020	ehRecvr.exe
2732	ehsched.exe
1436	elevation_service.exe
2260	IEEtwCollector.exe
556	GROOVE.EXE
2376	maintenanceservice.exe
2360	msdtc.exe
1356	msiexec.exe
900	OSE.EXE
2224	OSPPSVC.EXE
1940	perfhost.exe
1592	locator.exe
2076	snmptrap.exe
2668	vds.exe
2904	vssvc.exe
2512	wbengine.exe
1616	WmiApSrv.exe
2884	mscorsvw.exe
3032	wmpnetwk.exe
576	SearchIndexer.exe
332	mscorsvw.exe
2024	mscorsvw.exe
1932	mscorsvw.exe
2976	mscorsvw.exe
848	mscorsvw.exe
2280	mscorsvw.exe
1452	mscorsvw.exe
1984	mscorsvw.exe
2488	mscorsvw.exe
928	mscorsvw.exe
1736	mscorsvw.exe
1352	mscorsvw.exe
1292	mscorsvw.exe
1448	mscorsvw.exe
2976	mscorsvw.exe
2276	mscorsvw.exe
3044	mscorsvw.exe
1132	mscorsvw.exe
1720	mscorsvw.exe
1808	mscorsvw.exe
2880	mscorsvw.exe
1980	mscorsvw.exe
2692	mscorsvw.exe
2220	mscorsvw.exe
768	mscorsvw.exe
2052	mscorsvw.exe
2084	mscorsvw.exe
1380	mscorsvw.exe
2476	mscorsvw.exe
1584	mscorsvw.exe
2416	mscorsvw.exe
524	mscorsvw.exe
2740	mscorsvw.exe
972	mscorsvw.exe
2296	mscorsvw.exe
2944	mscorsvw.exe
2824	mscorsvw.exe

Loads dropped DLL 56 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
1356	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
752	Process not Found
2476	mscorsvw.exe
2476	mscorsvw.exe
2416	mscorsvw.exe
2416	mscorsvw.exe
2740	mscorsvw.exe
2740	mscorsvw.exe
2296	mscorsvw.exe
2296	mscorsvw.exe
2824	mscorsvw.exe
2824	mscorsvw.exe
2156	mscorsvw.exe
2156	mscorsvw.exe
2740	mscorsvw.exe
2740	mscorsvw.exe
3020	mscorsvw.exe
3020	mscorsvw.exe
2168	mscorsvw.exe
2168	mscorsvw.exe
2268	mscorsvw.exe
2268	mscorsvw.exe
468	mscorsvw.exe
468	mscorsvw.exe
2640	mscorsvw.exe
2640	mscorsvw.exe
2008	mscorsvw.exe
2008	mscorsvw.exe
2576	mscorsvw.exe
2576	mscorsvw.exe
2952	mscorsvw.exe
2952	mscorsvw.exe
2156	mscorsvw.exe
2156	mscorsvw.exe
2212	mscorsvw.exe
2212	mscorsvw.exe
1860	mscorsvw.exe
1860	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe
1608	mscorsvw.exe
1608	mscorsvw.exe
1860	mscorsvw.exe
1860	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\6af4f40e43e3c333.bin	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP87F5.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8131.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8288.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC909.tmp\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	elevation_service.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP866F.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8739.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8382.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8891.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8C29.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\comres.dll,-3410 = "Component Services"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20 = "Windows Firewall with Advanced Security"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10300 = "Play the classic strategy game of Checkers against online opponents. Be the first to capture all your opponent’s pieces, or leave them with no more moves, to win the game."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mstsc.exe,-4000 = "Remote Desktop Connection"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000808b1b592abfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\OobeFldr.dll,-33057 = "Learn about Windows features and start using them."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{20C15C59-AFE8-49E6-AE82-06536897EFAB}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114 = "Windows Fax and Scan"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\recdisc.exe,-2000 = "Create a System Repair Disc"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020d7ff5b2abfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100 = "Sound Recorder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MdSched.exe,-4001 = "Windows Memory Diagnostic"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2228	ehRec.exe
2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
1436	elevation_service.exe
1436	elevation_service.exe
1436	elevation_service.exe
1436	elevation_service.exe
1436	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2872	mscorsvw.exe
Token: 33	764	EhTray.exe
Token: SeIncBasePriorityPrivilege	764	EhTray.exe
Token: SeDebugPrivilege	2228	ehRec.exe
Token: 33	764	EhTray.exe
Token: SeIncBasePriorityPrivilege	764	EhTray.exe
Token: SeRestorePrivilege	1356	msiexec.exe
Token: SeTakeOwnershipPrivilege	1356	msiexec.exe
Token: SeSecurityPrivilege	1356	msiexec.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2872	mscorsvw.exe
Token: SeBackupPrivilege	2904	vssvc.exe
Token: SeRestorePrivilege	2904	vssvc.exe
Token: SeAuditPrivilege	2904	vssvc.exe
Token: SeBackupPrivilege	2512	wbengine.exe
Token: SeRestorePrivilege	2512	wbengine.exe
Token: SeSecurityPrivilege	2512	wbengine.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2872	mscorsvw.exe
Token: SeShutdownPrivilege	2872	mscorsvw.exe
Token: SeShutdownPrivilege	2872	mscorsvw.exe
Token: 33	3032	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	3032	wmpnetwk.exe
Token: SeManageVolumePrivilege	576	SearchIndexer.exe
Token: 33	576	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	576	SearchIndexer.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeDebugPrivilege	2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
Token: SeDebugPrivilege	2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
Token: SeDebugPrivilege	2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
Token: SeDebugPrivilege	2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
Token: SeDebugPrivilege	2176	2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
Token: SeShutdownPrivilege	2872	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeDebugPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2872	mscorsvw.exe
Token: SeShutdownPrivilege	2872	mscorsvw.exe
Token: SeShutdownPrivilege	2872	mscorsvw.exe
Token: SeShutdownPrivilege	2872	mscorsvw.exe
Token: SeShutdownPrivilege	2872	mscorsvw.exe
Token: SeShutdownPrivilege	2872	mscorsvw.exe
Token: SeShutdownPrivilege	2872	mscorsvw.exe
Token: SeShutdownPrivilege	2872	mscorsvw.exe
Token: SeShutdownPrivilege	2872	mscorsvw.exe
Token: SeShutdownPrivilege	2872	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2872	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2872	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2872	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2872	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2872	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2872	mscorsvw.exe
Token: SeShutdownPrivilege	2568	mscorsvw.exe
Token: SeShutdownPrivilege	2872	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
764	EhTray.exe
764	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
764	EhTray.exe
764	EhTray.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
908	SearchProtocolHost.exe
908	SearchProtocolHost.exe
908	SearchProtocolHost.exe
908	SearchProtocolHost.exe
908	SearchProtocolHost.exe
908	SearchProtocolHost.exe
908	SearchProtocolHost.exe
908	SearchProtocolHost.exe
908	SearchProtocolHost.exe
908	SearchProtocolHost.exe
908	SearchProtocolHost.exe
908	SearchProtocolHost.exe
908	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2884	2872	mscorsvw.exe	53
PID 2872 wrote to memory of 2884	2872	mscorsvw.exe	53
PID 2872 wrote to memory of 2884	2872	mscorsvw.exe	53
PID 2872 wrote to memory of 332	2872	mscorsvw.exe	57
PID 2872 wrote to memory of 332	2872	mscorsvw.exe	57
PID 2872 wrote to memory of 332	2872	mscorsvw.exe	57
PID 576 wrote to memory of 908	576	SearchIndexer.exe	58
PID 576 wrote to memory of 908	576	SearchIndexer.exe	58
PID 576 wrote to memory of 908	576	SearchIndexer.exe	58
PID 2568 wrote to memory of 2024	2568	mscorsvw.exe	59
PID 2568 wrote to memory of 2024	2568	mscorsvw.exe	59
PID 2568 wrote to memory of 2024	2568	mscorsvw.exe	59
PID 2568 wrote to memory of 2024	2568	mscorsvw.exe	59
PID 576 wrote to memory of 1992	576	SearchIndexer.exe	60
PID 576 wrote to memory of 1992	576	SearchIndexer.exe	60
PID 576 wrote to memory of 1992	576	SearchIndexer.exe	60
PID 2568 wrote to memory of 1932	2568	mscorsvw.exe	61
PID 2568 wrote to memory of 1932	2568	mscorsvw.exe	61
PID 2568 wrote to memory of 1932	2568	mscorsvw.exe	61
PID 2568 wrote to memory of 1932	2568	mscorsvw.exe	61
PID 2568 wrote to memory of 2976	2568	mscorsvw.exe	62
PID 2568 wrote to memory of 2976	2568	mscorsvw.exe	62
PID 2568 wrote to memory of 2976	2568	mscorsvw.exe	62
PID 2568 wrote to memory of 2976	2568	mscorsvw.exe	62
PID 2568 wrote to memory of 848	2568	mscorsvw.exe	63
PID 2568 wrote to memory of 848	2568	mscorsvw.exe	63
PID 2568 wrote to memory of 848	2568	mscorsvw.exe	63
PID 2568 wrote to memory of 848	2568	mscorsvw.exe	63
PID 2568 wrote to memory of 2280	2568	mscorsvw.exe	64
PID 2568 wrote to memory of 2280	2568	mscorsvw.exe	64
PID 2568 wrote to memory of 2280	2568	mscorsvw.exe	64
PID 2568 wrote to memory of 2280	2568	mscorsvw.exe	64
PID 2568 wrote to memory of 1452	2568	mscorsvw.exe	65
PID 2568 wrote to memory of 1452	2568	mscorsvw.exe	65
PID 2568 wrote to memory of 1452	2568	mscorsvw.exe	65
PID 2568 wrote to memory of 1452	2568	mscorsvw.exe	65
PID 2568 wrote to memory of 1984	2568	mscorsvw.exe	66
PID 2568 wrote to memory of 1984	2568	mscorsvw.exe	66
PID 2568 wrote to memory of 1984	2568	mscorsvw.exe	66
PID 2568 wrote to memory of 1984	2568	mscorsvw.exe	66
PID 2568 wrote to memory of 2488	2568	mscorsvw.exe	67
PID 2568 wrote to memory of 2488	2568	mscorsvw.exe	67
PID 2568 wrote to memory of 2488	2568	mscorsvw.exe	67
PID 2568 wrote to memory of 2488	2568	mscorsvw.exe	67
PID 2568 wrote to memory of 928	2568	mscorsvw.exe	68
PID 2568 wrote to memory of 928	2568	mscorsvw.exe	68
PID 2568 wrote to memory of 928	2568	mscorsvw.exe	68
PID 2568 wrote to memory of 928	2568	mscorsvw.exe	68
PID 2568 wrote to memory of 1736	2568	mscorsvw.exe	69
PID 2568 wrote to memory of 1736	2568	mscorsvw.exe	69
PID 2568 wrote to memory of 1736	2568	mscorsvw.exe	69
PID 2568 wrote to memory of 1736	2568	mscorsvw.exe	69
PID 2568 wrote to memory of 1352	2568	mscorsvw.exe	70
PID 2568 wrote to memory of 1352	2568	mscorsvw.exe	70
PID 2568 wrote to memory of 1352	2568	mscorsvw.exe	70
PID 2568 wrote to memory of 1352	2568	mscorsvw.exe	70
PID 2568 wrote to memory of 1292	2568	mscorsvw.exe	71
PID 2568 wrote to memory of 1292	2568	mscorsvw.exe	71
PID 2568 wrote to memory of 1292	2568	mscorsvw.exe	71
PID 2568 wrote to memory of 1292	2568	mscorsvw.exe	71
PID 2568 wrote to memory of 1448	2568	mscorsvw.exe	72
PID 2568 wrote to memory of 1448	2568	mscorsvw.exe	72
PID 2568 wrote to memory of 1448	2568	mscorsvw.exe	72
PID 2568 wrote to memory of 1448	2568	mscorsvw.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-15_807b33d1d1846875c0ee81cb3f1cbb3f_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2896

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2132

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2796

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 1e0 -NGENProcess 1e4 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1e0 -NGENProcess 1e4 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1e4 -NGENProcess 25c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 260 -NGENProcess 26c -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 24c -NGENProcess 25c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 270 -NGENProcess 1e4 -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 260 -NGENProcess 278 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 258 -NGENProcess 1e4 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 274 -NGENProcess 280 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 264 -NGENProcess 1e4 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 280 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 274 -NGENProcess 1e4 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 270 -NGENProcess 28c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 294 -NGENProcess 280 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 1e4 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 280 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 1e4 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 29c -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 270 -NGENProcess 1e4 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2b0 -NGENProcess 2a0 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2b4 -NGENProcess 29c -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2220

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 15c -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 15c -NGENProcess 160 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1a4 -NGENProcess 14c -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a4 -InterruptEvent 1fc -NGENProcess 1e8 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 200 -NGENProcess 1d4 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 204 -NGENProcess 14c -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 208 -NGENProcess 1e8 -Pipe 158 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 14c -NGENProcess 1e8 -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 14c -InterruptEvent 214 -NGENProcess 20c -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 20c -NGENProcess 208 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 21c -NGENProcess 1e8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 1e8 -NGENProcess 214 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 224 -NGENProcess 208 -Pipe 14c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 208 -NGENProcess 21c -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 22c -NGENProcess 214 -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 224 -NGENProcess 234 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  PID:2540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 1f0 -NGENProcess 214 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 214 -NGENProcess 230 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  PID:320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 23c -NGENProcess 234 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 214 -NGENProcess 238 -Pipe 1a4 -Comment "NGen Worker Process"
  2⤵
  PID:1916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 228 -NGENProcess 240 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 214 -NGENProcess 24c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  PID:1584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 21c -NGENProcess 240 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 228 -NGENProcess 254 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  PID:524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 230 -NGENProcess 240 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 240 -NGENProcess 250 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  PID:2320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 25c -NGENProcess 254 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:468
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 240 -NGENProcess 264 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  PID:1548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 248 -NGENProcess 254 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 25c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:2400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 26c -NGENProcess 264 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 248 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:2012
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 25c -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:2944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 27c -NGENProcess 248 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 248 -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 284 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 26c -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 28c -NGENProcess 274 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:1140
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 288 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  PID:2372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 27c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:2464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 274 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:2484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 288 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 298 -NGENProcess 27c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 27c -NGENProcess 2a4 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2a8 -NGENProcess 288 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 288 -NGENProcess 298 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:2432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2b0 -NGENProcess 2a4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:1328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2b4 -NGENProcess 2ac -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:2088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2b8 -NGENProcess 298 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:2184
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:1728
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2c0 -NGENProcess 2ac -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2c4 -NGENProcess 298 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:1932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2c8 -NGENProcess 2a4 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:3000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2cc -NGENProcess 2ac -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d0 -NGENProcess 298 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:1628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2d4 -NGENProcess 2a4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2c8 -NGENProcess 2ac -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:2952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2c0 -NGENProcess 2d8 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2a4 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:2200
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2e4 -NGENProcess 2ac -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2ec -NGENProcess 2d8 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d0 -NGENProcess 298 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:1860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 2c0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 2d8 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:1388
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 298 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:1980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 2c0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2d8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 298 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2c0 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2c0 -NGENProcess 300 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:1092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 310 -NGENProcess 298 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 30c -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:1860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 300 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:1904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 298 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:1772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 30c -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:1044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 300 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:1908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 298 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 30c -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 300 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 298 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2152
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 298 -NGENProcess 328 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2308
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 320 -NGENProcess 338 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:1448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 340 -NGENProcess 330 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 328 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:2640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 338 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 330 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 34c -NGENProcess 348 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 298 -NGENProcess 330 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:1936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 358 -NGENProcess 344 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 348 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 330 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 344 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:1500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 348 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 330 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 344 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 348 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 330 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 344 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:1944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 348 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 330 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 348 -NGENProcess 330 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 390 -NGENProcess 378 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2392

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:3020

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2732

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:764

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1436

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2260

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:556

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2376

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2360

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:900

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2224

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1940

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1592

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2076

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2668

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1616

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:908
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
bcf5ebf2b63688b6bfb283a1d346c991

SHA1
598c863de50c7c5acccb5885302e9c8290300941

SHA256
40b185479c886d367f3d7fc35e66ff09c18a3d5a47296c328d5d4d53a564175e

SHA512
f7e7f236281a6c34e6c346c3bf9fa778d6b83fd01cf3727b342b1292fc2e98897831431130e6c33dcbc62bf5f78308438d469e5d4635b398d7087a94c1bd983c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
2c66d57aa0b324490555bf3a015b570e

SHA1
6a0c3c1c027fcbd012957c28ceae8bbfb44ab4d7

SHA256
4546b3c3658d4b0e5268a5df83c6fb1007768ece92e39c3d9d5362c0904bb3eb

SHA512
dee5770fca9335cccf2726f323fff5bac0d5b338e209f152b37b4bd5d67d866dd395da98c7487ef0143457e30ebd969b7c1ba14d210c89e2b9c4de0e52e32ff7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9f378a52db826e562fe6354d5f445837

SHA1
85f44cac997447d6871bb5ac032d1f5cf375b68f

SHA256
f16f3d8863e66d91b9cc44be73c8eab64e61f91b8465076af2f46fdb592d0c85

SHA512
7c38f9c9c2bda2f2bb0e45dcc25c937c16265491e5c5b440075243671ece255678198b868d56bf81627a171b1da04c1ba995e4ce3a8af96e5bde554533f7fa83

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
07f124aa8392698e0dda6689677529fc

SHA1
f39d884873b8b642cbddd525612ccc8cf92dd365

SHA256
56b3d55893d5dd2534501d24c49cfe361bd3826b7e065767467421759599dd76

SHA512
f781edeb1a7b657119052a705179393c6ff175b9138cc0e29ac60c049628000f86167f580bf2e802081a24040660a7f900d6b5b891b4f5ced926cf3ce32e9430

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
9bb0cb33beda843918325b9222253f52

SHA1
a174990f043df592e6a2b78240bf336fe2cb5de7

SHA256
9247571a4f66cc7bcac89a06a295665e2af0c4cc93aa6f336d92624e0a6edba8

SHA512
c17145a32477a50604c3a004f2b67fabe311d87c9a225422b3175d02c493d0bc45e201c3dd4710aeb7b26928c9f00f95bab19d90596e272df1703cf1ac57c992

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
f5b10799a616dd521a007cffeb92b9ef

SHA1
c6eae24297ddb12673ed3617536b0b79e082ae85

SHA256
293347c594baa34bc956d54f5ee37b4b8f8e930c2e538793682883dd588d3eeb

SHA512
913b1e139fa7f62acf36c833f1fe8b61aba9f1604eec93a6208e67f5f7f2a6fc7d1aceb287904505e412266a0fd86746839e314405683b047e3ed0cf7ea6f3ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
fbcaf3a1fb860891a035f0cbef7aecb2

SHA1
1de0f96307d8c1cc310e856d8ba93a801694a30d

SHA256
ae830b92c3b27250973d6b9c749ff482e35a9da9b32340fc163b97381bcdb5fe

SHA512
be1e69a4a902d9ce65d6d2f8d7e44a208bb54c25e00053ac480a1eaf5542ea75e936d235a44246a75f13f9c1463144824b07a2687fc41007d86d1bc796209a2c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
231d819b08ce24e92fa6d1bbb2db2d83

SHA1
23fc10671ce67bc133a095a3181c7df41cc14c72

SHA256
6989a22d2894017acfc20a6fa2dcec70471963ff355e8a4b403b8c1e10c68dba

SHA512
ed95571f99ac2045f2723e1559f11c2d7de6f24fdac624228ddbf90e283cf2f7596a9ae45676c99822f48a5b2393508fc9b33fa739b54a2b04bde4ec9d4d6794

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
b8abc37028e1e7708222860519fd58bb

SHA1
2959ff9d9995c480ed8e42c5fb1c5b766378930d

SHA256
86c4fcd67d73a685a4bccc018e8bbc283ed83f72fac87ff9c6d80439f9e3f4d4

SHA512
a797d064054685ed60e0ca35079d9cd97cb08ae8c917d7c60ab2b4885fc13d4ac3d8ef4dbd1adb68a6c3db513e3775c3e2a5b14f60391e70e30466e8b1ffa92b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
450d15ddba6ec72f3539be400958e54a

SHA1
eacd3d45142d8f9868513e8ea302ef9e63ca2b4a

SHA256
79fdfc8acb21c12dfe7d115b6ea3b50aab5d48e97778f81b3d1f2d95e596a047

SHA512
357182fdf0c44b1d68db6127256f0d956ca679b6a77786faf218bc901db2b6d265e991f9f30f7bb685d33915efa8d38e4791fa1e16f8455c8332d1c80c1a653c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
bd86005dc52b67d36638531e60decc21

SHA1
a87a8c907585d45825bb367d367cf2085063cfc0

SHA256
90bcac2131fcd5750696baa1c0997cc0e1b834e7991f9c3c9c1d27503a09445f

SHA512
63d863734c820e46708958d6e9c2727a95d445c2acb028bcaf09d00ad98ae11aadb137ce37b320ea2f28b34508795575c17bcddd022517eb34cf380284ea996e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ac1e339165616d9136a548eac1fa05d0

SHA1
6651a2352ee2eac94c6ea7808f73003fb7978f2a

SHA256
388f2c98743e86cdc325f31b96a2eab7667cb370db560e449c35f8a9e935f9e2

SHA512
f04394788a350371eeaf8af05d30cb999da37f8c3a10446fb124b9d5a490fde7a3732a6b280a79e1c4763e50cc6e0d67632008e3d4b2e6b2ef86fd584a0fecc5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\6af4f40e43e3c333.bin

Filesize
12KB

MD5
77b7ffde28f6d4668928a4301e7b8915

SHA1
c112f2a5dc5da48e6198388c98366ef0e5ed1c0d

SHA256
facd3f7c96d0da87718a572a04c682a0eb8d3e2248ed09a75df238dde15327df

SHA512
2803cdc7520e642a29272616ee51035dca9fcaa7c725b0c68675a8e76cef2e7a38d493a6532882c0f8647336d7123cfea96b263df03c3bbc1700538b1f69bce5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
4613db1300518981ae4772f35145557f

SHA1
4e1636bc828aa5ffb258a941ded1d7d6918d9a83

SHA256
ae3783f1e9bb7cd6850c2436184f82cd9b77ef283d2682095f24206ed7214f5c

SHA512
7ba99b80a8da0c3b289967d1b8a40f70e05bd272acee3bc5e420a9b97d91417ed7ae6cf1b2728df696e2f6e193afa4d5c10b8ad08479b1b6eed3c7161498bb5b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
18fe69b680fd149509bbdb866c96bca5

SHA1
b3e5211295fea2bfd48748c786a3b86f693c10f9

SHA256
dde5538d38929d2b82a3d41f96b5522c0067d2b95e4f49f31161b489eb92935f

SHA512
94a6b07bdd3fea9aeea17383ce78307517b8fbe3666f1c109ef8cd2fe38228cc94887b202b9bee4a54ce59e556849d5df7c5ff4d11082d93db0a620ebe940787

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
a6a7d14caabd67152614612b64081e57

SHA1
c7fef7d33d3f507f9034dc5b32499f6092144bf2

SHA256
41a77011835fc85428de95d16d5992e5b70ac86289a3356d6da9dd41a915893b

SHA512
b16192c7976b43967badfcdef99d7c6724374e61fc1d50d20b5d0b95c4f7f3ed823f3618dddb9c515e261d4f46393ae9503b290373ff2c3aa1bd8710d3070d48

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
56824bdcd42a8582e744ce7b66fcde3d

SHA1
4d7672073f681a44bfba4cc3bf4bf7a41d1b4fba

SHA256
59a687657713f3e7cd330c91c23e050ce8f16f83889b02f5f3ce7b4c91921b19

SHA512
a751e04fb17bc41d087821b4b71d07dc3e9116c4185a97649b2c0026d12639a7df462fd64b38334faecf91b411cc26ec8dd82388541ef4a3967333cc18310126

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
939b1cba0fd11f36311d30959efacc14

SHA1
906e267a3305a9adad4919fb597824aa5e07b7d2

SHA256
fff161ba25ec98b0d0b26371a1ad37783ed48690e87c5c049238c767cf2715fe

SHA512
6af57bd362f3605f54fb1c355a4337d0ded62c0cb743487d83a383ff49b726f58dd6989415523791ddc1b1919081f5370b3583ea957ed4dd57cb6cf61243fa5f

Download Submit
C:\Windows\Temp\CabFDC0.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar252F.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\5133f9d4cc491b9581f3f1c4a0bac392\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
7fad3c2c27097ae512ead240a762511c

SHA1
7a5c8d1b9ef6fce02f3cf8a228d3a85810c64f31

SHA256
f9c66424163951f531c6f49b195e415400c3f40e67fe81d5a97cd89beac4fac6

SHA512
6bea7d142f60ece4fa9908faf29b2f649483764b215e65ea0ea5d70ab0384c891e26bfc2f7ecf56b5b8439c44990cd1ab7afd71c1dde82a71964f98f24d9a28f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\94e2d6166db94daf348a9d16de202d5e\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
fce5dbb051d9a6e43285f7c8141c81df

SHA1
01733745d43782caeb22a73866454bb16b6f5ab0

SHA256
7cf63a2572c5487b85fea3f3dd7bccfb05879ee4e37a89ef3b815a40937a632e

SHA512
15a630b1d0956d32e4bd3df2b541c384dd31ec7019ad448d24a1ddff3cde32b27a4c3a7462db0d1abeb1a72b427205be91dabdc91fcaa17b612073da9313aff4

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\b4e82e7f08c205bea218eac4a575cd24\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
274de8d2dd81c382d486ff0f51cd6a45

SHA1
23d886644f88b18692c216a74a454bf04fa8bf47

SHA256
940a326b6fcc84c87c5042547208d6870b0de1cdb2b14113f99cc5f2954863f7

SHA512
5f185bdd0e2c1c09adae72ccc68697b66480b8e3cecf5ac8c2019a980034218ed6dc35cb87a1e072db652436f1cfd63ad8750b249ba01a601869965927c257f6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\ba75fc3bc2c8d9501cdf076bb0059b72\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
6d45221cbc3a648b3078ec1115b8f7be

SHA1
f33e2eab06541ea69d94df472d71c0bf59799c88

SHA256
3044700f6f815c508ac7b0826a8d141c842ce17b88b40acac48c7b0263909d82

SHA512
054256fe9352be93db4bd48fa1d57b4af40e40e92a85f72f256e6eceb1c7f068495eea8008c3ba9444ab23179bd969b49defcd2f0ddd64c7f5a5f5c5cd6867df

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
573918a67666e2335b92566b3715e3be

SHA1
eeaf26fb7ef868da611ce97e1cdb0f9d46d378d4

SHA256
640857f5c2e99d880a7bf4bdaf91ed78b338ce2741d83af344d7941c6f1d8cb3

SHA512
b356ad54b7000942953aa6fdac6af6fc2a26f3e9e534fa4b9730d41b7c0b7e63f100487cfd8364c62dba439b912276168030389d3d68a9a0a141df6fbc03fff2

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
568466a45e528bd22e7b44de869bc43a

SHA1
9da087d24d09c633de957e5068cf45c13024c201

SHA256
204eaa49730a9ff2f78b0543ede63b87c0bae5cf8e3e90a3aa41cf1762d0f6c6

SHA512
1562852e31dc9ea7c6bb8f082c4946ec1084007a0ca46de3e5efcf19e7fe5c67b33f3fd8e88de81ce06c2275027e0acd9e70266c1b460bd8ca35e569296141f4

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
0e4c31b1d176efa9d172cfcad84a4940

SHA1
159ba5b70298bebe45bcbfd77d9d09ab0352586f

SHA256
5e1a460ab6d708feed4451b4a9192e16d40cacd88bcf0c2013717e186b1a40a3

SHA512
4d2a16d5727d143a3b4980033b1331ab51a80c52c3daffc3605392ec2ce7733c2d9550f8888a4f31b257166a3ee2f95cd8a7f8d562f7f183ec53e9d54487df03

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
68939c5cf7a8d524769cf47816a5ac12

SHA1
a568a018789a02446879be6b003f942f487ba479

SHA256
14f6a30ccd6f23e34dd361f7216e90d04de76221857d48bfffa2cde536098f5c

SHA512
81a233fa957acdea5ef4c1640cc2346dfb7a9f9d7baa41611b7d71b69a9ce1e3d8274915ca55d0c35bd50a5385f6f054b79e5d6cf8a328c16cc530802019d046

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
38df060549f8831c9126bf76380a6d82

SHA1
a98e51b456dfaf71d910c192d1f71b43b0ccfcd6

SHA256
d0df24858bc48549b3a24e4019ffdae84dee2887d4250363886e0b3cef6e4963

SHA512
5bc3444719841396987c81a78edd0840fbb93c88b1052ae681ee8cf7e5c3dd1439e8a5f601f15df1a17891f0f93151231fec74b52d80f6056ab775064497848d

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
7526352e7b89bdc7acd3dc4ba7f94180

SHA1
cbe7ee06a72f2808e1718798afdb81dc948a89e5

SHA256
c8f01269d965234859bf83921d74cc0dfce958eb2ae0ca9852d5ddf7616b0f8d

SHA512
7e9478bdff3103ec5e7c0679768cedbe95f7751a938dec2df48cb37b0334f1c22c5bb2d23f5201db4560e95ae79d7edb2df7bf56ad257860a503164596ef76b2

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
7b8cb73cae2a863abfbb00f739b76ab2

SHA1
e0b371790b97e2b4c4aa0c380a651c2055e92a26

SHA256
a4fd8fd75aa9f23ab319a001570d0e28dddc455404062868f4f2265cb4cfc5eb

SHA512
83adefe3b453d042bcdb586fee39cf9d5bc41221331b9af85da8260e47f58f4674369a2207a6afe2a95b08aa27f2fcee0c3d3d9b6d4ce811ceebc896ce347f17

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.4MB

MD5
bcea8be3904fe7783b7ff0d38026b0d7

SHA1
943f041860b85cd9d03176939b72cc15b581871c

SHA256
863219fbfa46322466cd660fa034ea132dafa9783a2b2f451b18ce602d873385

SHA512
0f3daf3b49a172392ee310a509f3f4322d41a20b43842829f7a729f5ee502a95b6cf4fdfaaab925ce4ebd220fc9d339e861061e1feb662ad5829a90d0917ff49

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
8d000bdf8cd8cc13252363bea14a995b

SHA1
46b771de3f39ba253fd98b533c340eacaebb3867

SHA256
67f3dba1b37027dc9c4ecde349475161d4772777639ea8923ea20d66172a28d5

SHA512
67b6ec051396e787f4ed8f8c8ef9130b53a2f0cadfcc925fe1b3e7567fb66468308c422d5c4ab8049e72312fde11ad2a3aa66ed1ab59ed41075c2deccb6936fc

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
6ebb349aaec0e01c14d561a91994b636

SHA1
84554ecdf52c3b45f86ba7d2a1147692f4cf0c2a

SHA256
bc750d9a350bef2836b7a3715cb57256068523aa9e781f58ebb2c96084cc0f12

SHA512
2dd27ad76a80776e63ea41b3d8b4afa38ba044d303ca0203f9656d58ed7306a02bd8368b0617333837d18382460b58246ca8d83cf9d0a2b6612435baa07446a8

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
76f0bb6682722b6915574f6a238f4654

SHA1
6f2844ce91b64081daca932b6fa5b2c52f2c35c2

SHA256
597c66d99f8bd17e922a7b85cf763cf6d86490df18618535f50af7ca973a89dc

SHA512
26a4a967c3981e83f77f0025bfbd1430465b0d78e987535985c60e4c5b3f07975ef3578eaade852649fa0a2daae6cb5f08e7fdf6e81bf3f04d3ad2beca9f4b10

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.4MB

MD5
0db42f87d7c6e9386b645a0ac9b6d246

SHA1
3ded6ef9ee89c72b569d48ea702b3c001da322ac

SHA256
bb92409a3b9db734fd30ed2af09e5da5ded631c5ee0de4d412d94982901b2f46

SHA512
ae12f22befc87f4a61d9703fde8415ac661f1a0e55027e2c4e92bab9e6971cddf0a6c4a69cb60b3f2fbd6102ac536f4d0558df8fb11d713d28a7dfaba13b21ee

Download Submit
memory/332-269-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/332-360-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/556-124-0x0000000000620000-0x0000000000687000-memory.dmp

Filesize
412KB

Download
memory/556-201-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/556-126-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/576-261-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/576-612-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/848-532-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/848-542-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/900-160-0x000000002E000000-0x000000002E164000-memory.dmp

Filesize
1.4MB

Download
memory/900-235-0x000000002E000000-0x000000002E164000-memory.dmp

Filesize
1.4MB

Download
memory/928-625-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/928-613-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1132-715-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1132-710-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1292-645-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1292-656-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1352-650-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1352-631-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1356-219-0x0000000100000000-0x0000000100161000-memory.dmp

Filesize
1.4MB

Download
memory/1356-156-0x0000000000610000-0x0000000000771000-memory.dmp

Filesize
1.4MB

Download
memory/1356-153-0x0000000100000000-0x0000000100161000-memory.dmp

Filesize
1.4MB

Download
memory/1356-225-0x0000000000610000-0x0000000000771000-memory.dmp

Filesize
1.4MB

Download
memory/1436-102-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1436-110-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1436-190-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1436-108-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1448-657-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1448-668-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1452-584-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1452-570-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1592-192-0x0000000100000000-0x0000000100144000-memory.dmp

Filesize
1.3MB

Download
memory/1592-420-0x0000000100000000-0x0000000100144000-memory.dmp

Filesize
1.3MB

Download
memory/1616-220-0x0000000100000000-0x0000000100173000-memory.dmp

Filesize
1.4MB

Download
memory/1616-567-0x0000000100000000-0x0000000100173000-memory.dmp

Filesize
1.4MB

Download
memory/1720-733-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1720-723-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1736-620-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1736-630-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1932-453-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1932-477-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1940-272-0x0000000001000000-0x0000000001145000-memory.dmp

Filesize
1.3MB

Download
memory/1940-186-0x0000000001000000-0x0000000001145000-memory.dmp

Filesize
1.3MB

Download
memory/1984-598-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1984-585-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2024-419-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2024-456-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2076-196-0x0000000100000000-0x0000000100145000-memory.dmp

Filesize
1.3MB

Download
memory/2076-452-0x0000000100000000-0x0000000100145000-memory.dmp

Filesize
1.3MB

Download
memory/2132-118-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2132-17-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2176-8-0x0000000000720000-0x0000000000787000-memory.dmp

Filesize
412KB

Download
memory/2176-0-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/2176-1-0x0000000000720000-0x0000000000787000-memory.dmp

Filesize
412KB

Download
memory/2176-87-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/2176-6-0x0000000000720000-0x0000000000787000-memory.dmp

Filesize
412KB

Download
memory/2224-174-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2224-259-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2260-115-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2260-195-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2276-693-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2276-688-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2276-689-0x0000000003CF0000-0x0000000003DAA000-memory.dmp

Filesize
744KB

Download
memory/2280-573-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2280-552-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2360-143-0x0000000140000000-0x0000000140165000-memory.dmp

Filesize
1.4MB

Download
memory/2376-149-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2376-138-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2376-136-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2376-130-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2488-595-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2488-611-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2512-550-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2512-207-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2568-49-0x0000000000620000-0x0000000000687000-memory.dmp

Filesize
412KB

Download
memory/2568-155-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2568-54-0x0000000000620000-0x0000000000687000-memory.dmp

Filesize
412KB

Download
memory/2568-48-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2668-488-0x0000000100000000-0x00000001001C3000-memory.dmp

Filesize
1.8MB

Download
memory/2668-202-0x0000000100000000-0x00000001001C3000-memory.dmp

Filesize
1.8MB

Download
memory/2732-91-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2732-98-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2732-88-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2732-183-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2796-20-0x0000000010000000-0x000000001014E000-memory.dmp

Filesize
1.3MB

Download
memory/2796-28-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/2796-44-0x0000000010000000-0x000000001014E000-memory.dmp

Filesize
1.3MB

Download
memory/2796-21-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/2828-38-0x0000000010000000-0x0000000010156000-memory.dmp

Filesize
1.3MB

Download
memory/2828-66-0x0000000010000000-0x0000000010156000-memory.dmp

Filesize
1.3MB

Download
memory/2872-65-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2872-159-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2884-226-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2884-278-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2896-114-0x0000000100000000-0x0000000100153000-memory.dmp

Filesize
1.3MB

Download
memory/2896-13-0x0000000100000000-0x0000000100153000-memory.dmp

Filesize
1.3MB

Download
memory/2904-204-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2904-531-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2976-674-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2976-679-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2976-487-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2976-520-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/3020-90-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/3020-165-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3020-74-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3020-75-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/3020-81-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/3020-89-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/3032-594-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/3032-246-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/3044-704-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/3044-694-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download