0ea86bdf47d5e37e926be529857707a37a9155deb34bbb54e1d712c0e42aefff

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
Size

1.6MB
MD5

3407158de7ea665ec207138bbabcf2c7
SHA1

1f97a78d182f54bd2480b1326156b6686987bf03
SHA256

0ea86bdf47d5e37e926be529857707a37a9155deb34bbb54e1d712c0e42aefff
SHA512

8fe5a2c0179db0af7d6659469631d7fd4bea5c9ae12c95a88199c9c5b23a2dc88ead7af06e16bf161fda5cc0ce33ba4d8b18ad60585f8771c2b4879221cd95fa
SSDEEP

12288:vtOw6Bau7d0NxksRpWE9FRHSfNm1wgbIxnBw7dzE+e3gxZC6LgjigDy5fdv8fWi+:F6BfCks7WE9F5pwg8zmdqQjC60jiHkU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
476	Process not Found
3020	alg.exe
2636	aspnet_state.exe
2732	mscorsvw.exe
2568	mscorsvw.exe
1020	mscorsvw.exe
1844	mscorsvw.exe
1364	ehRecvr.exe
2228	ehsched.exe
380	elevation_service.exe
824	IEEtwCollector.exe
2276	GROOVE.EXE
2088	maintenanceservice.exe
2176	msdtc.exe
2156	msiexec.exe
1732	OSE.EXE
2660	OSPPSVC.EXE
1348	perfhost.exe
2480	locator.exe
1648	snmptrap.exe
2444	vds.exe
1944	vssvc.exe
2588	mscorsvw.exe
2320	wbengine.exe
1148	mscorsvw.exe
2148	WmiApSrv.exe
2564	wmpnetwk.exe
2488	SearchIndexer.exe
3056	mscorsvw.exe
1352	mscorsvw.exe
2448	mscorsvw.exe
1152	mscorsvw.exe
2160	mscorsvw.exe
1196	mscorsvw.exe
1300	mscorsvw.exe
1424	mscorsvw.exe
2848	mscorsvw.exe
2396	mscorsvw.exe
2540	mscorsvw.exe
3036	mscorsvw.exe
1292	mscorsvw.exe
1576	mscorsvw.exe
2088	mscorsvw.exe
2004	mscorsvw.exe
1500	mscorsvw.exe
1900	mscorsvw.exe
3052	mscorsvw.exe
2880	mscorsvw.exe
788	mscorsvw.exe
2888	mscorsvw.exe
1476	mscorsvw.exe
1008	dllhost.exe
632	mscorsvw.exe
2236	mscorsvw.exe
1532	mscorsvw.exe
2680	mscorsvw.exe
792	mscorsvw.exe
2804	mscorsvw.exe
872	mscorsvw.exe
3056	mscorsvw.exe
2140	mscorsvw.exe
2004	mscorsvw.exe
1860	mscorsvw.exe
2448	mscorsvw.exe

Loads dropped DLL 57 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
2156	msiexec.exe
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
740	Process not Found
476	Process not Found
792	mscorsvw.exe
792	mscorsvw.exe
872	mscorsvw.exe
872	mscorsvw.exe
2140	mscorsvw.exe
2140	mscorsvw.exe
1860	mscorsvw.exe
1860	mscorsvw.exe
2452	mscorsvw.exe
2452	mscorsvw.exe
688	mscorsvw.exe
688	mscorsvw.exe
1352	mscorsvw.exe
1352	mscorsvw.exe
1684	mscorsvw.exe
1684	mscorsvw.exe
792	mscorsvw.exe
792	mscorsvw.exe
2236	mscorsvw.exe
2236	mscorsvw.exe
1472	mscorsvw.exe
1472	mscorsvw.exe
2388	mscorsvw.exe
2388	mscorsvw.exe
632	mscorsvw.exe
632	mscorsvw.exe
3036	mscorsvw.exe
3036	mscorsvw.exe
1404	mscorsvw.exe
1404	mscorsvw.exe
1156	mscorsvw.exe
1156	mscorsvw.exe
748	mscorsvw.exe
748	mscorsvw.exe
836	mscorsvw.exe
836	mscorsvw.exe
1404	mscorsvw.exe
1404	mscorsvw.exe
2180	mscorsvw.exe
2180	mscorsvw.exe
2432	mscorsvw.exe
2432	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ced5a3722ba452c3.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7B96.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP81CD.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP85D3.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPF5B4.tmp\Microsoft.Office.Tools.Common.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8047.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\recdisc.exe,-2001 = "Creates a disc you can use to access system recovery options."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\syswow64\unregmp2.exe,-155 = "Play digital media including music, videos, CDs, and DVDs."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-101 = "Chrysanthemum"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wucltux.dll,-1 = "Windows Update"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-101 = "Event Viewer"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{7C6279CB-540C-41CE-AAD7-55725E54E5C2}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700 = "Print Management"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\sud.dll,-10 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-202 = "Schedule computer tasks to run automatically."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10303 = "Enjoy the classic strategy game of Chess. Play against the computer, or compete against a friend. The winner is the first to capture the opponent’s king."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c0e2bfb7ebc2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1904	ehRec.exe
348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
2636	aspnet_state.exe
2636	aspnet_state.exe
2636	aspnet_state.exe
2636	aspnet_state.exe
2636	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
Token: SeShutdownPrivilege	1020	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: 33	1996	EhTray.exe
Token: SeIncBasePriorityPrivilege	1996	EhTray.exe
Token: SeDebugPrivilege	1904	ehRec.exe
Token: SeRestorePrivilege	2156	msiexec.exe
Token: SeTakeOwnershipPrivilege	2156	msiexec.exe
Token: SeSecurityPrivilege	2156	msiexec.exe
Token: SeShutdownPrivilege	1020	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: 33	1996	EhTray.exe
Token: SeIncBasePriorityPrivilege	1996	EhTray.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1020	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1020	mscorsvw.exe
Token: SeBackupPrivilege	1944	vssvc.exe
Token: SeRestorePrivilege	1944	vssvc.exe
Token: SeAuditPrivilege	1944	vssvc.exe
Token: SeBackupPrivilege	2320	wbengine.exe
Token: SeRestorePrivilege	2320	wbengine.exe
Token: SeSecurityPrivilege	2320	wbengine.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: 33	2564	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2564	wmpnetwk.exe
Token: SeManageVolumePrivilege	2488	SearchIndexer.exe
Token: 33	2488	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2488	SearchIndexer.exe
Token: SeShutdownPrivilege	1020	mscorsvw.exe
Token: SeDebugPrivilege	348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
Token: SeDebugPrivilege	348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
Token: SeDebugPrivilege	348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
Token: SeDebugPrivilege	348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
Token: SeDebugPrivilege	348	2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1020	mscorsvw.exe
Token: SeDebugPrivilege	3020	alg.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1020	mscorsvw.exe
Token: SeShutdownPrivilege	1020	mscorsvw.exe
Token: SeShutdownPrivilege	1020	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1020	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1020	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1020	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1020	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1020	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1020	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1996	EhTray.exe
1996	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1996	EhTray.exe
1996	EhTray.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
2372	SearchProtocolHost.exe
2372	SearchProtocolHost.exe
2372	SearchProtocolHost.exe
2372	SearchProtocolHost.exe
2372	SearchProtocolHost.exe
2372	SearchProtocolHost.exe
2372	SearchProtocolHost.exe
2372	SearchProtocolHost.exe
2372	SearchProtocolHost.exe
2372	SearchProtocolHost.exe
2372	SearchProtocolHost.exe
2372	SearchProtocolHost.exe
2372	SearchProtocolHost.exe
2372	SearchProtocolHost.exe
2372	SearchProtocolHost.exe
2372	SearchProtocolHost.exe
2372	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 2588	1844	mscorsvw.exe	51
PID 1844 wrote to memory of 2588	1844	mscorsvw.exe	51
PID 1844 wrote to memory of 2588	1844	mscorsvw.exe	51
PID 1844 wrote to memory of 1148	1844	mscorsvw.exe	53
PID 1844 wrote to memory of 1148	1844	mscorsvw.exe	53
PID 1844 wrote to memory of 1148	1844	mscorsvw.exe	53
PID 1020 wrote to memory of 3056	1020	mscorsvw.exe	58
PID 1020 wrote to memory of 3056	1020	mscorsvw.exe	58
PID 1020 wrote to memory of 3056	1020	mscorsvw.exe	58
PID 1020 wrote to memory of 3056	1020	mscorsvw.exe	58
PID 1020 wrote to memory of 1352	1020	mscorsvw.exe	59
PID 1020 wrote to memory of 1352	1020	mscorsvw.exe	59
PID 1020 wrote to memory of 1352	1020	mscorsvw.exe	59
PID 1020 wrote to memory of 1352	1020	mscorsvw.exe	59
PID 1020 wrote to memory of 2448	1020	mscorsvw.exe	60
PID 1020 wrote to memory of 2448	1020	mscorsvw.exe	60
PID 1020 wrote to memory of 2448	1020	mscorsvw.exe	60
PID 1020 wrote to memory of 2448	1020	mscorsvw.exe	60
PID 1020 wrote to memory of 1152	1020	mscorsvw.exe	61
PID 1020 wrote to memory of 1152	1020	mscorsvw.exe	61
PID 1020 wrote to memory of 1152	1020	mscorsvw.exe	61
PID 1020 wrote to memory of 1152	1020	mscorsvw.exe	61
PID 1020 wrote to memory of 2160	1020	mscorsvw.exe	62
PID 1020 wrote to memory of 2160	1020	mscorsvw.exe	62
PID 1020 wrote to memory of 2160	1020	mscorsvw.exe	62
PID 1020 wrote to memory of 2160	1020	mscorsvw.exe	62
PID 1020 wrote to memory of 1196	1020	mscorsvw.exe	63
PID 1020 wrote to memory of 1196	1020	mscorsvw.exe	63
PID 1020 wrote to memory of 1196	1020	mscorsvw.exe	63
PID 1020 wrote to memory of 1196	1020	mscorsvw.exe	63
PID 1020 wrote to memory of 1300	1020	mscorsvw.exe	64
PID 1020 wrote to memory of 1300	1020	mscorsvw.exe	64
PID 1020 wrote to memory of 1300	1020	mscorsvw.exe	64
PID 1020 wrote to memory of 1300	1020	mscorsvw.exe	64
PID 1020 wrote to memory of 1424	1020	mscorsvw.exe	65
PID 1020 wrote to memory of 1424	1020	mscorsvw.exe	65
PID 1020 wrote to memory of 1424	1020	mscorsvw.exe	65
PID 1020 wrote to memory of 1424	1020	mscorsvw.exe	65
PID 1020 wrote to memory of 2848	1020	mscorsvw.exe	66
PID 1020 wrote to memory of 2848	1020	mscorsvw.exe	66
PID 1020 wrote to memory of 2848	1020	mscorsvw.exe	66
PID 1020 wrote to memory of 2848	1020	mscorsvw.exe	66
PID 1020 wrote to memory of 2396	1020	mscorsvw.exe	67
PID 1020 wrote to memory of 2396	1020	mscorsvw.exe	67
PID 1020 wrote to memory of 2396	1020	mscorsvw.exe	67
PID 1020 wrote to memory of 2396	1020	mscorsvw.exe	67
PID 1020 wrote to memory of 2540	1020	mscorsvw.exe	68
PID 1020 wrote to memory of 2540	1020	mscorsvw.exe	68
PID 1020 wrote to memory of 2540	1020	mscorsvw.exe	68
PID 1020 wrote to memory of 2540	1020	mscorsvw.exe	68
PID 1020 wrote to memory of 3036	1020	mscorsvw.exe	69
PID 1020 wrote to memory of 3036	1020	mscorsvw.exe	69
PID 1020 wrote to memory of 3036	1020	mscorsvw.exe	69
PID 1020 wrote to memory of 3036	1020	mscorsvw.exe	69
PID 1020 wrote to memory of 1292	1020	mscorsvw.exe	70
PID 1020 wrote to memory of 1292	1020	mscorsvw.exe	70
PID 1020 wrote to memory of 1292	1020	mscorsvw.exe	70
PID 1020 wrote to memory of 1292	1020	mscorsvw.exe	70
PID 1020 wrote to memory of 1576	1020	mscorsvw.exe	71
PID 1020 wrote to memory of 1576	1020	mscorsvw.exe	71
PID 1020 wrote to memory of 1576	1020	mscorsvw.exe	71
PID 1020 wrote to memory of 1576	1020	mscorsvw.exe	71
PID 1020 wrote to memory of 2088	1020	mscorsvw.exe	72
PID 1020 wrote to memory of 2088	1020	mscorsvw.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_3407158de7ea665ec207138bbabcf2c7_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:348

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2732

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 240 -NGENProcess 1f4 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 258 -NGENProcess 1ec -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 25c -NGENProcess 248 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 23c -NGENProcess 264 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1ec -NGENProcess 268 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 26c -NGENProcess 264 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 25c -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 25c -NGENProcess 250 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 278 -NGENProcess 23c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 270 -NGENProcess 27c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 248 -NGENProcess 280 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 284 -NGENProcess 27c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 250 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 248 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 268 -NGENProcess 278 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 290 -NGENProcess 250 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 28c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 278 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 250 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 28c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 278 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1476

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 200 -NGENProcess 204 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 254 -NGENProcess 244 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 22c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 204 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 244 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 204 -NGENProcess 244 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 26c -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 260 -Pipe 1b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 244 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2140
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 244 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 248 -NGENProcess 280 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 280 -NGENProcess 260 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 244 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2452
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 244 -NGENProcess 248 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  PID:1504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 28c -NGENProcess 260 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 260 -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 294 -NGENProcess 248 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 248 -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:2040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 29c -NGENProcess 284 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 284 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a4 -NGENProcess 28c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 28c -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2ac -NGENProcess 294 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 294 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:2684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b4 -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:1996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2388
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a4 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:2016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c4 -NGENProcess 2ac -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2ac -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:1312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:2648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1404
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:1708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1152
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2e8 -NGENProcess 2e0 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:2160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:1996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2cc -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2cc -NGENProcess 2e4 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2e4 -NGENProcess 2e8 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2e8 -NGENProcess 2c4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:1840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 300 -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1404
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2dc -NGENProcess 2e4 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:1924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 308 -NGENProcess 2c4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 304 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:1640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2c4 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 304 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:1176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2e4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:1840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2c4 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 304 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:1300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2e4 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2c4 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:1860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 304 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:1296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2e4 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2144
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2c4 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 304 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:1932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2e4 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:1680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2c4 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 304 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 2e4 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 2c4 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:1784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 304 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:1368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 2e4 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 2c4 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 304 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2180
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 304 -NGENProcess 358 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:1424
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 368 -NGENProcess 2c4 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 364 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 358 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 2c4 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 364 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 358 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 2c4 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:3036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 2d4 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 358 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 2c4 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 2d4 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:1196
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 358 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:1432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 2c4 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 2d4 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 358 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 2c4 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:1940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 2d4 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:1904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 358 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:3000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 2c4 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:1312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b0 -NGENProcess 3ac -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:2312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 39c -NGENProcess 2c4 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:1228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3bc -NGENProcess 3a8 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:1968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 3ac -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:1860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 2c4 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:1248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 3a8 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:2264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 3ac -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 2c4 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3a8 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3ac -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 2c4 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3d4 -NGENProcess 3e0 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3cc -NGENProcess 2c4 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2136

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1364

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2228

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1996

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:380

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:824

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2276

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2088

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2176

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1732

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2660

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1348

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2480

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1648

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2148

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2488
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2372
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  - Modifies data under HKEY_USERS
  PID:804

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
b137da40175460b49f663705a3542c7e

SHA1
2a8737f5625ac1b7f41951b40f63958399cdde85

SHA256
ce5812d84c87ba644bd1f175b41cee4e21a67d5fadd4f0215c91520142ddee24

SHA512
d8853956b442f72a58f5c339a423eb5a2a69cb8e1b097394c6cf20c12c5c243d5953b431a69441c9ed642815ae66b7ed9bd8684f98d97a34b4b91657d06b9238

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
535d1c9952762a050a3110696467b1ae

SHA1
79ae52ee78e7c447919003129f11a35c681dfa49

SHA256
96d5336b2d8d41f79578966eab381aeef309c350543fd75f1f3fb480433cc365

SHA512
cd1da3653d32fb104797ab3d04ec0045873e4b6faf4e9fba1f8b1a0625b923811bd09d21fcea58f9a2802b3fa602997377b68d54b7b946932d48a8d2fe2f8176

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
cbb2b712e7adfe998dd8d2b04e90b5cf

SHA1
20877f890150e44ca72d736379cbdf8eed63a494

SHA256
71769e582359f7a93608428ec65b98eabf9412dc4f93e575f9c4e5f0d67698d9

SHA512
03bbb1b87dad92da8341a2edaf604d0cd5d00cef7c072a365212894ab727fa921f8a89c9630518126c869a966840c93716142a6bc5bc7859e3dfabe731839504

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
159bd37c995dc8727084b83a4111be27

SHA1
55c3bd2bb055932e2cdbca678eea62ba8a952c19

SHA256
3420ff058e72173d0d6c5fbb35d6920e68fae7001b9aca381cbf5a47461ac5ac

SHA512
b165c981ad275af5bfafebcc24b4cd267feeb6b42f18b833196866f6cec73a4288d67b297f7531213266599ec46b112163d3a9039c891c4d434f42116cf24fcc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
62fa53d79fccfc474bb6ad347cc45e80

SHA1
2c84d6361a08ebc1546b6eb6fe20e04527eeaae6

SHA256
dc608a5f396cea5f196b1952957529a0a253724372e99022287df8d653ed11bc

SHA512
3635003e7ead81699c9443b10b5946133b3e9bfadaf27dd5579a8e04aded4469b3f987cf8099ab744f7d980f0d2967fbc8b11e884d1fa4f4e80ff37d22d94b81

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
0acf3533404b79f763c016228bf08ab5

SHA1
ba8106bca4121727f3bc1f07f46996369ee9494b

SHA256
8b46764243fe933c51bfc2ef8a278f7fbf691ad99325a11bbac7c3983e423331

SHA512
9f7dcfb8c1a04bf83a8dad668779216857f7dc06f4c8f9d232d6836c8e1a24a822f943a758b2c5803bd5888ad70c13dfaf7645ca28971e75cc490d1bfed23d07

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
7655a71129c86eaa0ed0888804c6c767

SHA1
dc466e30a2185269f8f9cf6bbb503295874e02b7

SHA256
87ab1f1c9b876082959b590e542e3559241c2142493ac88330e30547b22df759

SHA512
52ba427b6748b42092a47b0458de46e9981455ad24abb63b36a6889e09e72f192aa4494030c998875fc0c4026326a3b68289f070b914c350e9e38e8a2cb47b3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
75f09638af6ccf034a734cd40268e057

SHA1
6114d83d9214b72ce05d488468995cfbad2c8f1f

SHA256
d498e4c5ab7fc9a0ddbfc0abb49a31b4eb056642b2cb0ca5ef4d4faa3921493f

SHA512
b684e733aefd75ef7522f5e65ad3d5460d44fc462d4562b53b7d0c76def17114fcafd34041f3dd076becb6159a84783534fa046361108c38580535a99530e785

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
07cb804814b3ac80ef737feab5af5fff

SHA1
89d7801651f1323b177136190b2269c9bdc35c96

SHA256
47cd222d657786e610b798e5c4b53cf96af5e4c8402e74c70be83c612000d339

SHA512
94b74ace193f72926fd2c4fb51d1a41464cf72fc8dfeff65ebf488b4c126369a98f7a77ec98cb56b903d1dde7196734e67d80074972f4ab5bb38a5919ec434db

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
4751aa1d43dc51e67f68c557cfbc7531

SHA1
9e4ed6ecb652f45e9c3beb8ae88240a5331cc22a

SHA256
e226575788dc91c200c732f26d5849ffffd768fa6f8c8010377bf94779b49275

SHA512
eed8e0707b4f1c8dfc6e0b79184dd0175b463255b746f2da12779bfbf2b19f61869e24627a2b5d37fb63c318809898e77b95a1a6cd05e718986e2eb0e9f480f4

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
0b29c2bd8b0603b3aef6899de5bc9f0e

SHA1
4aba31ce6c8e7d1b9dc8d100a024cf299afdfdf4

SHA256
5ba8b098473c0cd7ea16efe7dc1495582b0f23abbeeac03504e366a12adee130

SHA512
9106b42a98209e06291c13d22baea3f398787ba04df6fd2aff6cc459390b84446fc5d54ba9822c990389405b251994ae5276fba5cc7a9fc6ecd3e8782c541d1e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
26a32bf0fb87ddfabc3c8c160377314e

SHA1
8f89a6e32c6c81f27db707ef9c28cd5071455a35

SHA256
1dc5127b7d12fbaa98956f6239e5cb0edcd17f718fd27bc959934cdc60ed4be8

SHA512
b501bf5534228dbd140629468e8e1ac92cb05b82869929fd73fe6a2b6b56353357d225665cb9792096de148291b1eeb82be66ff84b1e2229d241cc9642812258

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
cdf20fb7f6e13a8e378d51aa4b6a685c

SHA1
90e6852454ffbf98c8aebfa9e7844c01d440f572

SHA256
1061dc9a19884b528185ad48902756d365915930e46b160ee600f83fa06d4a4e

SHA512
90d660ec80a8c68af2dc8f0d6d496df7beb9e63dec3e80e22fecdbb9f40d0f4009cf8f96c022c8229597900ca219dd928dd90bd7bd14e871c0043ad55403fe69

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
1f5c2538bbac8b4fa92a6a11ddb9e898

SHA1
0d7b918d134bff23255599fc6ae2bb856e25e88c

SHA256
e8f8e4369fb691991c81ff097184827bfa60755f7a57db954125d41d6a1ea2b6

SHA512
361e9f4c610cc39b1a2e273b798731d315da46bbc72378c9d9888c0c27f24e1f70752bca4d68f020dcbe44d5f8e639fb55d9e12a08adf374ad72f2e7ab31f0d2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
dc462b94bf1e956656db1d4819fa9aa4

SHA1
2757a026469fd1bc88fe9fb8e4212df8decaf8eb

SHA256
2a7e2e5d0826ce57bca1aff220789de0aeb1587aa97c6c98c292e55ecb16ec01

SHA512
b88175f9338bf7a5705e2e8cb51c1a9c85fe24458abdc9b09ff4f2be04580017dfa9da2092176c42da13b2b53437dbca73a028d75b54b9459287a6ac88166d0f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
735f3312114216fa18a68ff2fadfc216

SHA1
b04fa607ec10ee6e8c441a1556d200a0a81e33c3

SHA256
3c1f4dcc1283d00199e67aa2160247a12d529df94dc857771aafe9e9bb0b6af8

SHA512
1a681e52cd6462c74a42337b50c0e998a9e367d90e2aedd9e2a4037e4dd294cb011ea57c1608f94fd1762f99d096eb4fb1435246e63a0fd999c06362bc2a6e9c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
59a8bb733637a8ea749864e590099648

SHA1
2e25ff9bcce73539c8eb488ee68483212e87865e

SHA256
3428e934cefecaaa851792963ac4254101f71efad4121e34e28b6e28d47d2e44

SHA512
4b94e6eab2fc7c1ced7e7fa54d809ab931786f1d0f79e6bdbeff725f89e4680e96661f07f760c9d26cad1c5beaaccc8c6215c4b87f654070d32114a46668299a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
f58614bd725f87de772c76429c896c33

SHA1
efabc69da6e378c1b71929e8abd532a22a296178

SHA256
69d466c590385c165efac2ea6be0fb3584b4f90a71b20ae92e91af4a7ad5bebd

SHA512
a184d526ed52f71ddd601eefc583f34133787bebabaeb2c5409baef993b7f4b0939ac5f8c6d05a8f73b2648a2db89b619a74736dfb370f53d420269e688c5983

Download Submit
C:\Windows\System32\vds.exe

Filesize
2.0MB

MD5
88e997b2f4465704f4930551e287373e

SHA1
a62125d67368b085b16efb39ea4320be440d7488

SHA256
133013ae8928f2b98e3d58ebb4fe0109d46268535f2744cc33623f9dffe558ab

SHA512
d1c7cb0f82dc526223f1271d27ff8a20c4f04e6a0dbef70a5f481315922bc4b2bcbedeac340cd60c8fc5aad553ed0efb3bb6d2aa8615d8605b54710ec1d065fb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
8646425187aac3b271e041240140d1d5

SHA1
0212fb7743abef71ec3d75758ea98a499e05a8c0

SHA256
d58277936295f09339c63445fec708d24196f6885f69d485afc4c7215b9faf87

SHA512
ddc727430f13b915eaf043539ef5b9817289841c5d5469f3f4c5df0eddae565300541bd57495764128cb70af2dcef8605dde01ea626e8d759e86ff55812409e2

Download Submit
C:\Windows\Temp\CabF547.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar1CF5.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\1e601b0bbbf7bc46e0be396283587e9e\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
59580bf1e301dd5c1cab228fe10f0002

SHA1
738a58b717438b4eef85adb06c5683fa6845b594

SHA256
0c93e7f3361ef353906d6e30947587b3b1d08ae8a9f79cb93b14fe131c8d4a50

SHA512
f07ccb72bdddd928b32d1f137b4f637750efe6372ac68db21e19367d41a6b6a3d99b17c5a4b429658aacc4a035528ddc66ce6ed2e15c793d553fc638bb309a5f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\493bab0610aae669ab6a0cbf325fc475\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
8456d1837ad76e9f741bfad939969eca

SHA1
24695f334cb1dc9a021c9a40043a8d81d463b2bc

SHA256
90c1a0e37a8a8d0d0b2efc10f5798a825b987e29e439a765a2935102cd5d529c

SHA512
8eb0831d599d6963a4b0547510ca89b29e9a41ced453b8de54d2742ed38bec47d52621faf2b5b5c13a3f03c0e77c05c648d259eaf7a394437e49c336c827894e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\679c1c55c4d07c5a30a20b82593bea48\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
3c28633b1cdf5656250f745d2bcb2425

SHA1
d5fc514791afc6d8962522a85b97f0e868e6434f

SHA256
56772bbeceb1739b736acf52cddfa4cc6d9c019de6a1c223c50601bf2c5114d7

SHA512
d3fefa6f39006f27bf9055fd0329c31c4215c06e355e13efdaaa13d514a708be8773e44cf901ee690ec07a14bbe9cc3a447edf08c4bef2b5f84e47ab330d43af

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fd0f9e587d80c2041a6e3970ad7df6d4\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
628161b3ee2d5e8e16949c1ab8ba8c17

SHA1
367839e4e28b828b59babbb628e82ef752775199

SHA256
6bfe7683a1f58477cf131614f5936cfa4be80effcb7342d37b2305e9c85bc91f

SHA512
7f91b2bf2be23a094428cf363d923b23bcdc8af5e796014ae7328d1ef3f0b15f2d1db1ee31c3d8809415e677dffb44ebf1902a09fe924453f815a3f66edcb4ee

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
ea8c9c9cf83632cb69d13b3f1830229c

SHA1
d8c42114cfe4e107a52e432641a263a8f456742a

SHA256
3bdcb09ab5a1d53b567ea046c76b62117705c56365dbae73960ee80432c8ea4c

SHA512
b517f6561c33aeaf99d7316ddf429962a577363ce75459c6cdb15bfd7ca098dd1120f0b2e68a4247d28e1e2e5f04becf4c265de064a292fd5ff7e05bf1b121fb

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
91dc9345842ecd2cefbb74dbaf1dc813

SHA1
c22ab72e4310d4511d4ee56f692bfb4cc8f90d1a

SHA256
d517370e46ad95175ff6e1e667796c62f4a2e429e88581453f83dcfb4418fb70

SHA512
d8075d24591d1868ecb7ba3f2652870aab726b0afa00099ac224b7308f4d3f032172d843ec03be248ddfb96aafb21bafea257348e66342a2115ae18c8196dede

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.6MB

MD5
85209734e21a7ab10a9f364ebd812266

SHA1
d4f63bcc23c914673679fd8255b4ed54fd814023

SHA256
ae454bedc2f390ab5ab9a6b1452b3d0e8e1e0e7645686f5e7ca39310cba6f676

SHA512
c91d7ab44f8ab7736246ae08a2cb3141780d8568e77966ed0179ba771ae558248d63bb3c83ad954b7099257045af9d3be5fd3238f60d33dc286334bfe2bea08e

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
8f052838148ba1cb8faeeb2f142074a4

SHA1
42d4449e723a492c2d566c2cce718799f9f26d12

SHA256
0526352669a813f9a3320b250f18f660e7f602a3cb22115475730a708364434a

SHA512
981933da580213cdde61049037ad79720d26e7a07f33a306e82d086d358db0db38b2ae5629d17c9d88d54bde523fabb451b646611fe7fc31f51d93be7a96beb9

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.6MB

MD5
2dfbb722346a000f103ac12a5ff20532

SHA1
3a85476bbaf22d2dc3a9d38db0bd7d13430d1cd9

SHA256
4d01b05a4bad48b96fad83479d75356c0310a4dd5bc2e8dc23d2fa94dde628b0

SHA512
5d882651767ee55d1ff0aba805f98bfb49aa4b17bb1b629820359dab8b82f32a390cea6375c651d747da46600df0c37c85c10db17fd73c330e44d91c49dab57c

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
bbce6a304c722254e3f393caf86c2a9f

SHA1
54bd9d0b824ed1ce3f052b88fb791d4eafc56ba5

SHA256
55a0354b54aafe9d8e0da115d92e041ded9373ba44f49cf77d9d517a870142a4

SHA512
349cb3a1beec9eb6152838972e8284f6bca169482137efc0c12740d43f6db250d57326abed20c4e694fd5b56d83b83b44c8e5f9674cad9c93facf41c68adc835

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
6d053bb8c0dd13af38e38a9dcba59dde

SHA1
f5e2b221794145629c7fdd542ca4eed7edc0debf

SHA256
f4924edcc9a1ec3b4872587b6c600795fbf3bb98c97ecd9e56300c8f696492ca

SHA512
b3db3af1fa379e466b71c4d40cc514f462d23418283d5e563ba629763d24381f19258e18ba5361333cfa95a0f74675079690ef167c9864f409ffe929c7d935eb

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
da81a307e08055ce74576ec99339bcb9

SHA1
4be3ec94b84e79ebf4bfa8a0c1a148924943cc4b

SHA256
80b840315f24c198a5e5b342e15e70254f7245d9d79b17d9f167d620b1bb6ff0

SHA512
47375439e638c24c67d07947db45ac0cf25e4f22338fe2db8212c2d7fc75233208258d70e9e36fdd339562062de906b1ac82a821b48eaa8cad84873acd133739

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
4ee6c74cd05fafb9dc60e823bb0539b4

SHA1
2cf84eb771e5592d127858524b86c60c0d477a02

SHA256
fae3fa777258605d18a25bffac93a1a03e567eb21d59cc1b06bba077be84d23b

SHA512
7e34cafe3e3cb4c708c33ef5d04f1a3f6875601f5d24ae0730a604709e34e12a8c956370a22e5320add6ac43a48ee313060fb8509036a8c5d7f0c5e431882b1e

Download Submit
memory/348-93-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/348-0-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/348-7-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/348-8-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/380-255-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/380-145-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/792-1025-0x000000001ADC0000-0x000000001AE08000-memory.dmp

Filesize
288KB

Download
memory/792-1028-0x000000001AED0000-0x000000001AEDE000-memory.dmp

Filesize
56KB

Download
memory/792-1023-0x000000001AA50000-0x000000001AA5E000-memory.dmp

Filesize
56KB

Download
memory/792-1026-0x000000001AE10000-0x000000001AE26000-memory.dmp

Filesize
88KB

Download
memory/792-1024-0x000000001ADB0000-0x000000001ADBC000-memory.dmp

Filesize
48KB

Download
memory/824-895-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/824-158-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/824-268-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/1020-84-0x0000000000B70000-0x0000000000BD7000-memory.dmp

Filesize
412KB

Download
memory/1020-86-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1020-203-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1020-79-0x0000000000B70000-0x0000000000BD7000-memory.dmp

Filesize
412KB

Download
memory/1148-393-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/1152-642-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1152-632-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1196-696-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1196-674-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1300-699-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1300-693-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1348-530-0x0000000001000000-0x000000000117D000-memory.dmp

Filesize
1.5MB

Download
memory/1348-251-0x0000000001000000-0x000000000117D000-memory.dmp

Filesize
1.5MB

Download
memory/1352-604-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1352-568-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1364-117-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/1364-110-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/1364-951-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1364-116-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1364-231-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1424-712-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1424-707-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1648-278-0x0000000100000000-0x000000010017D000-memory.dmp

Filesize
1.5MB

Download
memory/1732-216-0x000000002E000000-0x000000002E19C000-memory.dmp

Filesize
1.6MB

Download
memory/1732-370-0x000000002E000000-0x000000002E19C000-memory.dmp

Filesize
1.6MB

Download
memory/1844-102-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/1844-100-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1844-94-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1844-215-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/1944-295-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1944-652-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2088-796-0x0000000003D00000-0x0000000003DBA000-memory.dmp

Filesize
744KB

Download
memory/2088-178-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/2088-196-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/2148-706-0x0000000100000000-0x00000001001AB000-memory.dmp

Filesize
1.7MB

Download
memory/2148-350-0x0000000100000000-0x00000001001AB000-memory.dmp

Filesize
1.7MB

Download
memory/2156-336-0x0000000100000000-0x0000000100199000-memory.dmp

Filesize
1.6MB

Download
memory/2156-201-0x0000000100000000-0x0000000100199000-memory.dmp

Filesize
1.6MB

Download
memory/2156-210-0x0000000000650000-0x00000000007E9000-memory.dmp

Filesize
1.6MB

Download
memory/2156-349-0x0000000000650000-0x00000000007E9000-memory.dmp

Filesize
1.6MB

Download
memory/2160-677-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2160-654-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2176-332-0x0000000140000000-0x000000014019D000-memory.dmp

Filesize
1.6MB

Download
memory/2176-185-0x0000000140000000-0x000000014019D000-memory.dmp

Filesize
1.6MB

Download
memory/2228-882-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2228-122-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2228-248-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2276-288-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2276-168-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2320-333-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2320-671-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2396-749-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2396-735-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2444-290-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2444-631-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2448-597-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2448-627-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2480-264-0x0000000100000000-0x000000010017C000-memory.dmp

Filesize
1.5MB

Download
memory/2480-563-0x0000000100000000-0x000000010017C000-memory.dmp

Filesize
1.5MB

Download
memory/2488-731-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2488-377-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2540-746-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2540-761-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2564-372-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2564-721-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2568-77-0x0000000010000000-0x000000001018E000-memory.dmp

Filesize
1.6MB

Download
memory/2568-62-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2568-56-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2568-55-0x0000000010000000-0x000000001018E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-358-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/2588-296-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/2636-149-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/2636-27-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/2636-28-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2636-34-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2660-376-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2660-240-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2680-1010-0x000000001ADD0000-0x000000001AE18000-memory.dmp

Filesize
288KB

Download
memory/2680-1009-0x0000000001990000-0x000000000199C000-memory.dmp

Filesize
48KB

Download
memory/2680-1008-0x0000000001980000-0x000000000198E000-memory.dmp

Filesize
56KB

Download
memory/2680-1011-0x000000001AE20000-0x000000001AE36000-memory.dmp

Filesize
88KB

Download
memory/2732-39-0x0000000000500000-0x0000000000567000-memory.dmp

Filesize
412KB

Download
memory/2732-73-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/2732-46-0x0000000000500000-0x0000000000567000-memory.dmp

Filesize
412KB

Download
memory/2732-38-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/2848-722-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2848-737-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3020-22-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/3020-19-0x0000000100000000-0x000000010018B000-memory.dmp

Filesize
1.5MB

Download
memory/3020-142-0x0000000100000000-0x000000010018B000-memory.dmp

Filesize
1.5MB

Download
memory/3020-13-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/3036-773-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3036-759-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3056-572-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3056-534-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download