ac192f71406b17e5fb846e679f49eb1ba57562fac29c4ae598cf2c5421dc27f1

Analysis

max time kernel
142s
max time network
155s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07-08-2024 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
Size

2.3MB
MD5

e545f02ea7ca780a48c3315e8ef59c24
SHA1

af772e67cbcd4084886efb32f8b0dd5e3fde9e2c
SHA256

ac192f71406b17e5fb846e679f49eb1ba57562fac29c4ae598cf2c5421dc27f1
SHA512

f643d2751f318b590fc5967ac92c9b296fa8800db0a25906bdf9faca103d12bd14e7df31d431c4337f1877999f30b54ff360e2e221bdf29fe6c59b89e7d43b5d
SSDEEP

49152:tDD0FZs/Yl7dYUMQ+fCi6p6O8IFeII8uxV1XL4HDmg27RnWGj:VD0FZs/U73MQ+fCi6AeeT8uxV1XeD52j

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2412	alg.exe
2908	aspnet_state.exe
2872	mscorsvw.exe
852	mscorsvw.exe
1080	mscorsvw.exe
1404	mscorsvw.exe
1036	ehRecvr.exe
552	ehsched.exe
2428	elevation_service.exe
1368	IEEtwCollector.exe
2384	maintenanceservice.exe
1100	OSE.EXE
2276	mscorsvw.exe
1472	mscorsvw.exe
1456	mscorsvw.exe
812	mscorsvw.exe
2456	mscorsvw.exe
2968	mscorsvw.exe
2760	mscorsvw.exe
2260	mscorsvw.exe
2796	mscorsvw.exe
2552	mscorsvw.exe
608	mscorsvw.exe
2404	mscorsvw.exe
2872	mscorsvw.exe
2564	mscorsvw.exe
2788	mscorsvw.exe
2936	mscorsvw.exe
1176	mscorsvw.exe
1216	mscorsvw.exe
616	mscorsvw.exe
2064	mscorsvw.exe
2180	mscorsvw.exe
864	mscorsvw.exe
2144	mscorsvw.exe
848	mscorsvw.exe
1932	mscorsvw.exe
904	GROOVE.EXE
1776	mscorsvw.exe
2392	mscorsvw.exe
1880	mscorsvw.exe
2100	mscorsvw.exe
2640	mscorsvw.exe
2304	mscorsvw.exe
1064	mscorsvw.exe
2788	mscorsvw.exe
2980	mscorsvw.exe
2972	mscorsvw.exe
2588	mscorsvw.exe
2280	mscorsvw.exe
776	mscorsvw.exe
2196	mscorsvw.exe
2004	mscorsvw.exe
2120	mscorsvw.exe
2184	mscorsvw.exe
2632	mscorsvw.exe
2776	mscorsvw.exe
1568	mscorsvw.exe
3000	mscorsvw.exe
2904	mscorsvw.exe
2752	mscorsvw.exe
1448	mscorsvw.exe
2308	mscorsvw.exe

Loads dropped DLL 45 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2640	mscorsvw.exe
2640	mscorsvw.exe
1064	mscorsvw.exe
1064	mscorsvw.exe
2980	mscorsvw.exe
2980	mscorsvw.exe
2588	mscorsvw.exe
2588	mscorsvw.exe
776	mscorsvw.exe
776	mscorsvw.exe
2004	mscorsvw.exe
2004	mscorsvw.exe
2184	mscorsvw.exe
2184	mscorsvw.exe
2776	mscorsvw.exe
2776	mscorsvw.exe
3000	mscorsvw.exe
3000	mscorsvw.exe
2752	mscorsvw.exe
2752	mscorsvw.exe
2308	mscorsvw.exe
2308	mscorsvw.exe
2600	mscorsvw.exe
2600	mscorsvw.exe
2796	mscorsvw.exe
2796	mscorsvw.exe
2484	mscorsvw.exe
2484	mscorsvw.exe
3024	mscorsvw.exe
3024	mscorsvw.exe
2904	mscorsvw.exe
2904	mscorsvw.exe
2100	mscorsvw.exe
2100	mscorsvw.exe
1932	mscorsvw.exe
1932	mscorsvw.exe
2380	mscorsvw.exe
2380	mscorsvw.exe
2180	mscorsvw.exe
2180	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5a9f133ad264f17b.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD807.tmp\Microsoft.Office.Tools.Common.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDD16.tmp\Microsoft.Office.Tools.Excel.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP88B0.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8B5E.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2572	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1900	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: 33	1704	EhTray.exe
Token: SeIncBasePriorityPrivilege	1704	EhTray.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeDebugPrivilege	2572	ehRec.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: 33	1704	EhTray.exe
Token: SeIncBasePriorityPrivilege	1704	EhTray.exe
Token: SeDebugPrivilege	2412	alg.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: SeDebugPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe
Token: SeShutdownPrivilege	1080	mscorsvw.exe
Token: SeShutdownPrivilege	1404	mscorsvw.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1900	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
1900	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
1704	EhTray.exe
1704	EhTray.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1900	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
1900	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
1704	EhTray.exe
1704	EhTray.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1900	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
1900	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
1900	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 2276	1080	mscorsvw.exe	44
PID 1080 wrote to memory of 2276	1080	mscorsvw.exe	44
PID 1080 wrote to memory of 2276	1080	mscorsvw.exe	44
PID 1080 wrote to memory of 2276	1080	mscorsvw.exe	44
PID 1080 wrote to memory of 1472	1080	mscorsvw.exe	45
PID 1080 wrote to memory of 1472	1080	mscorsvw.exe	45
PID 1080 wrote to memory of 1472	1080	mscorsvw.exe	45
PID 1080 wrote to memory of 1472	1080	mscorsvw.exe	45
PID 1080 wrote to memory of 1456	1080	mscorsvw.exe	46
PID 1080 wrote to memory of 1456	1080	mscorsvw.exe	46
PID 1080 wrote to memory of 1456	1080	mscorsvw.exe	46
PID 1080 wrote to memory of 1456	1080	mscorsvw.exe	46
PID 1080 wrote to memory of 812	1080	mscorsvw.exe	47
PID 1080 wrote to memory of 812	1080	mscorsvw.exe	47
PID 1080 wrote to memory of 812	1080	mscorsvw.exe	47
PID 1080 wrote to memory of 812	1080	mscorsvw.exe	47
PID 1080 wrote to memory of 2456	1080	mscorsvw.exe	48
PID 1080 wrote to memory of 2456	1080	mscorsvw.exe	48
PID 1080 wrote to memory of 2456	1080	mscorsvw.exe	48
PID 1080 wrote to memory of 2456	1080	mscorsvw.exe	48
PID 1080 wrote to memory of 2968	1080	mscorsvw.exe	49
PID 1080 wrote to memory of 2968	1080	mscorsvw.exe	49
PID 1080 wrote to memory of 2968	1080	mscorsvw.exe	49
PID 1080 wrote to memory of 2968	1080	mscorsvw.exe	49
PID 1080 wrote to memory of 2760	1080	mscorsvw.exe	50
PID 1080 wrote to memory of 2760	1080	mscorsvw.exe	50
PID 1080 wrote to memory of 2760	1080	mscorsvw.exe	50
PID 1080 wrote to memory of 2760	1080	mscorsvw.exe	50
PID 1080 wrote to memory of 2260	1080	mscorsvw.exe	51
PID 1080 wrote to memory of 2260	1080	mscorsvw.exe	51
PID 1080 wrote to memory of 2260	1080	mscorsvw.exe	51
PID 1080 wrote to memory of 2260	1080	mscorsvw.exe	51
PID 1080 wrote to memory of 2796	1080	mscorsvw.exe	52
PID 1080 wrote to memory of 2796	1080	mscorsvw.exe	52
PID 1080 wrote to memory of 2796	1080	mscorsvw.exe	52
PID 1080 wrote to memory of 2796	1080	mscorsvw.exe	52
PID 1080 wrote to memory of 2552	1080	mscorsvw.exe	53
PID 1080 wrote to memory of 2552	1080	mscorsvw.exe	53
PID 1080 wrote to memory of 2552	1080	mscorsvw.exe	53
PID 1080 wrote to memory of 2552	1080	mscorsvw.exe	53
PID 1080 wrote to memory of 608	1080	mscorsvw.exe	54
PID 1080 wrote to memory of 608	1080	mscorsvw.exe	54
PID 1080 wrote to memory of 608	1080	mscorsvw.exe	54
PID 1080 wrote to memory of 608	1080	mscorsvw.exe	54
PID 1080 wrote to memory of 2404	1080	mscorsvw.exe	55
PID 1080 wrote to memory of 2404	1080	mscorsvw.exe	55
PID 1080 wrote to memory of 2404	1080	mscorsvw.exe	55
PID 1080 wrote to memory of 2404	1080	mscorsvw.exe	55
PID 1080 wrote to memory of 2872	1080	mscorsvw.exe	56
PID 1080 wrote to memory of 2872	1080	mscorsvw.exe	56
PID 1080 wrote to memory of 2872	1080	mscorsvw.exe	56
PID 1080 wrote to memory of 2872	1080	mscorsvw.exe	56
PID 1080 wrote to memory of 2564	1080	mscorsvw.exe	57
PID 1080 wrote to memory of 2564	1080	mscorsvw.exe	57
PID 1080 wrote to memory of 2564	1080	mscorsvw.exe	57
PID 1080 wrote to memory of 2564	1080	mscorsvw.exe	57
PID 1080 wrote to memory of 2788	1080	mscorsvw.exe	58
PID 1080 wrote to memory of 2788	1080	mscorsvw.exe	58
PID 1080 wrote to memory of 2788	1080	mscorsvw.exe	58
PID 1080 wrote to memory of 2788	1080	mscorsvw.exe	58
PID 1080 wrote to memory of 2936	1080	mscorsvw.exe	59
PID 1080 wrote to memory of 2936	1080	mscorsvw.exe	59
PID 1080 wrote to memory of 2936	1080	mscorsvw.exe	59
PID 1080 wrote to memory of 2936	1080	mscorsvw.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1900

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2908

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2872

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 254 -NGENProcess 248 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 254 -NGENProcess 244 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 23c -NGENProcess 248 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 240 -NGENProcess 26c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1d4 -NGENProcess 248 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 274 -NGENProcess 23c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 244 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 284 -NGENProcess 260 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 26c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 240 -NGENProcess 268 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 23c -NGENProcess 248 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 248 -NGENProcess 250 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 294 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 244 -NGENProcess 240 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 244 -NGENProcess 294 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 298 -NGENProcess 240 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 27c -NGENProcess 290 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 244 -NGENProcess 2a4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 28c -NGENProcess 290 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 294 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 224 -NGENProcess 1d0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 2cc -NGENProcess 24c -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2c4 -NGENProcess 2c0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2c0 -NGENProcess 224 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2d4 -NGENProcess 224 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2e4 -NGENProcess 2b8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2b8 -NGENProcess 2c0 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2c0 -NGENProcess 2d4 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2d4 -NGENProcess 2cc -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2cc -NGENProcess 2b8 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b8 -NGENProcess 2bc -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 224 -NGENProcess 300 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 300 -NGENProcess 2c0 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2fc -NGENProcess 308 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 308 -NGENProcess 2b8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 300 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 300 -NGENProcess 2fc -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 314 -NGENProcess 2b8 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2b8 -NGENProcess 30c -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d4 -NGENProcess 318 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 318 -NGENProcess 314 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 324 -NGENProcess 30c -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 30c -NGENProcess 2d4 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 32c -NGENProcess 314 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 314 -NGENProcess 324 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 314 -NGENProcess 32c -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 32c -NGENProcess 30c -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 33c -NGENProcess 2e8 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 2e8 -NGENProcess 314 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 338 -NGENProcess 348 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 348 -NGENProcess 30c -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 2e8 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 2e8 -NGENProcess 338 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 354 -NGENProcess 30c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 30c -NGENProcess 34c -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 35c -NGENProcess 338 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 358 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 34c -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 338 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 360 -NGENProcess 370 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 370 -NGENProcess 358 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 368 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 354 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 370 -NGENProcess 380 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 360 -NGENProcess 354 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 360 -NGENProcess 370 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 34c -NGENProcess 354 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 38c -NGENProcess 37c -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 370 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 34c -NGENProcess 398 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 358 -NGENProcess 370 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 3a0 -NGENProcess 390 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 390 -NGENProcess 394 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 398 -NGENProcess 3a8 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 354 -NGENProcess 358 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 3ac -NGENProcess 394 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 390 -NGENProcess 3a8 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 34c -NGENProcess 3b0 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 398 -NGENProcess 394 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 360 -NGENProcess 118 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:1412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 3b8 -NGENProcess 3b0 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 394 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 118 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c0 -NGENProcess 3bc -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 34c -NGENProcess 118 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3c4 -NGENProcess 3d0 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 360 -NGENProcess 118 -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 360 -NGENProcess 3d4 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 3c8 -NGENProcess 118 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3dc -NGENProcess 3c4 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 360 -NGENProcess 3e4 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 3b8 -NGENProcess 3c4 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3e8 -NGENProcess 3dc -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3dc -NGENProcess 3e0 -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3bc -NGENProcess 3ec -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3f4 -NGENProcess 3b8 -Pipe 118 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3b8 -NGENProcess 3dc -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 3e4 -NGENProcess 404 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 404 -NGENProcess 3c4 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 408 -NGENProcess 3f8 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 3f8 -NGENProcess 3e4 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 3bc -NGENProcess 414 -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3fc -NGENProcess 3e4 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 410 -NGENProcess 41c -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 3b8 -NGENProcess 3e4 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 420 -NGENProcess 3fc -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 41c -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 3e4 -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 42c -NGENProcess 3fc -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:1076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 430 -NGENProcess 41c -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 288 -NGENProcess 3e4 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 3e4 -NGENProcess 428 -Pipe 424 -Comment "NGen Worker Process"
  2⤵
  PID:1180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 22c -NGENProcess 274 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 414 -NGENProcess 430 -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  PID:696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 1ec -NGENProcess 3e4 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  PID:748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 420 -NGENProcess 41c -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  PID:1880

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1404
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1932

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1036

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:552

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1704

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2428

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1368

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2384

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1100

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.2MB

MD5
50773c644d48897c143c6d0c178c5f7e

SHA1
3dff3aa39ac9220152227068092dee4032f01083

SHA256
7a1a99184b146c61839384f13d278742468d2f14c13bc987fa5a6b30bb6ce520

SHA512
fe6425c003a5feba5221ea1800abf0ea68feb8d3dab00babe967333fd0823d00dfa982dab1a6e5e4b899c6d4ec165512594b0f7eee1e5393fc8bde40a99024e6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
b567c5abb0f83b0d43c311a05057d919

SHA1
e78ce0d17bb0f7b52d06589637f0b8c748f0d243

SHA256
9c8f7ba9f40ee6277cd0971f790a5b93017d0c723f7e1c2a18fe646d25399960

SHA512
b3564f55562d53f577881037427efc936c492487efcb2e65de0922cea62369d2a4affa10656b6434f0cfe6f885df460296bbd3cc4791cc7e70c30e7e02d3e74c

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
afc860ebe9c289d2484161366d411876

SHA1
61bf61bff05d0ebfef926ef45d16525ddefa76e3

SHA256
d57180fbfecc9f291388e94053d66dd37455df94bbd29a84d36ecfd37817cfd4

SHA512
bf14b3ef79afd57a3bca83b6b957ec8132d490eebab1fc0ec797471c35c84d10f71f711c5800a4d19afc69d4009f494af9cd2df17b6f0b37a329b2e24af1f489

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.6MB

MD5
3555efbfa0ac03314ff7e4c2259b8681

SHA1
1159e2237523ba7cccc996680ea574db3555e1ec

SHA256
ad1adec971fac93e26dfbbdb7a0536abca51f1dc79db9c99a955d08dcc6092e2

SHA512
d6306d5a8f50f9f0b32ae94038b2eb26e7f824e2c357519f2d3ca160d19406d81ff1abf40a8eb93136e63ce2c52c204bd31743d1edd7369dce7d848a0cb94230

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.2MB

MD5
f9f1da5c21dbc6b1317aa2dfc4cd04b4

SHA1
504f95133db8f5bd9b6c110d0ac233a09f6567a9

SHA256
604b6537f16b6ad2b08dbb009789ff1cbaff4d9783677abc3f42ef3c6ddcefac

SHA512
3afe18706052b7e592e5ec457a39a494db44804ce85392d517233e0f5e66e7086254b212a742e73b9aca7c5a7dfb3c9b96240dc58d16374c7dbecf58c2ae1cb1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
aefd12fe66abff389928deba2672f664

SHA1
81706f7c2a3383a3ff2c5822d50d37e269c9a485

SHA256
77834300fb2152bad21eed3e901de4e2d0bb18068171b5afde574fca4d28d2b5

SHA512
56778d1b03906e3b204891fde6afc89cb0241c4191e12aa40aa9bf2328683b620a4dfaf2f251434f9fc413514202959a017d371ca4f5317dc599c8f0c51ceefa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.6MB

MD5
ee168f2d4e418eadc91c1cd0bb312837

SHA1
d05bee8f3b903e3b8e5219b1ab96fc16d08320d3

SHA256
7fd0d26ea2ef2b09e1409b7b58fc724a5f104b4cccaa396c437594aec3eaf2ed

SHA512
31ba0adb3c60732942234ad49070a6165da13273e5234211b29c5aecd75d9c7bc0b8baf06a876cf5f91fca381cb05d9b7cc605ad26017f4a23890a43161174e4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
da6c18a1e9b181a3e63ee15b64062e60

SHA1
c8efd58c43e83ce2db7ad0a3c138b7af9901586e

SHA256
6c7e355c26e473de4e0202043e6c4f106e2aec2913bdc213651f841e67e3d04e

SHA512
a6a9fe407f9bd52d5897d31cfc0f8db37c4976e252949070c698162a79d796e3b73045fe32e3c5e482538fc95b1222d2d1aceda1190609e8cc5587529b7b2e64

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
7b1d916dc8efa0d9934d1bf56f56e1fa

SHA1
3398e2b6350e93266eca6f8e13018a567b4c8947

SHA256
1a872267060d7f3448d803dc4ccf8c023ac5a4df8f5fe7c90d387912c76ec09a

SHA512
8a8a755612a877331aad061608840140dc3a39e7fb146bceac5a4388ee9300aed73a0118b7cc8ad8f6e14b2ebf7839fd9351794eb7842a316e5f0216ac7568f3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
247b0fafe8e6936232e964baceae8b5a

SHA1
42a8b435503acd2c97857d9da6720fc84f15dfe9

SHA256
20b5ef3af2eed98db9f594415a8a01c5d4ebf7d60bd1969befc5afe8081f5d8a

SHA512
67971a210ea096de3945f2e7be917b3a390f3c3aca064073df3c339295219149f4c518b1005f6aebd91492eb9672d2a404bd5b1d5acfc1caf17d80f9ff09c283

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8487a3fa65dcb40d84aad8c9ee5148d9

SHA1
8971c3dda7ff7e11833da100793cac347663036e

SHA256
7e7425a3f2e734719183136a6bc4695ffeaef44a86b6c1350361e44fe6cacd97

SHA512
7136ab6ec45f72fcc559c86087110725f41f724ea30878e083e6573363a8b489ae86c50103ea27938f9f76305ee07229609d6070d760f596dd2a094d6bec8ae2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
a80d16fe6d343613257147f034426f43

SHA1
043d3c732dd1ef31f4efccaf692b72bf33b380be

SHA256
de67af9a7d44e2d45102db8fff56c8db0f367709a43840d03cdc29dfece8991f

SHA512
3216d8a8883ab2b90c4c8af7bc98cd91f405982fd9351073c74ef1e783f839ebc679eccc31a1721f4d12f8ee95986159d769238e1fdcd42f225ce0e3b9955829

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
31f3253c0ee1e93d289d2579113bcd28

SHA1
14f18a58cd0648641fa0b0e43749dca3746fbde8

SHA256
a927ac35b3f3ed0a5b17e44049b178c43dfee8f625cbfe13c1e9ac2b790529e2

SHA512
16b86088a630c200b94653f3299ca894a45adf9f7fc8ab9bcb0078de690f1b9a9192cac2e9348852c343c3cc547e515cb84fff6714561fd70465746cbafab357

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
8e6c7a79e166fd94c9660cf3df761e7f

SHA1
a215b6b7950bfa795978a66d86dc2032ee7861c5

SHA256
1fd1e106701c13b3085d87911d082c12528ae9e23c46e88251bd8483ccb49592

SHA512
2e8462404d41469355caf78eb8d4fe4b01a613b72174b6e7dc4ec2372bb04820fbf999367bf745a4a6419711d6854f945f9c0d3689468a6f1a624f70bd435fe3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
2359c42b315185e92d0dfadb89a00ea8

SHA1
bf392107a90ed917931cc0466992a773f587fd2a

SHA256
8d9c31dc03c0742a5f54e91bdc5f2a4ec3f5467b334b3c39e2d39b9b1fdb1c30

SHA512
53fddc39ec96f6757826bdd969b3f30d0fb420ae02807daa5e1e591e302f2af2f3d60302f0a38b3f650bb7931283677271368b0170c22f948539175bceccb751

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
8e2a0509744a7377fb722016f87a824a

SHA1
8a910445a47da7b39b46bdbcc1ce835ebf7c292a

SHA256
7a6a5f1944e8df25f9ab19539116282633acd8d42e2ab08e08578d44ccb4ea86

SHA512
7f29dc88922547d1b53f48d4267d8ab962da2ff034d371e47e0fa55226ea11e1e9e5fe2d13ea661de99f08cd461ec89b6d79bc2d6a43c917d3322ef48b00e13b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
b16bf3469a8ad19c898272a299d1e007

SHA1
c7e4612c361408385963ef5d13f7aa2913b6a8d5

SHA256
4160f922735826d9b9cec879f48e812c53bc2878478dcea3817a2187ae233823

SHA512
2c7008f185b6114106a8642919d4ea3e6d31c304ae9cf29ba3a5c260e546f579dec0519aabdcf4ec668eeb410dc70063a775b993f06ed20853d2ee86f0c30f71

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e99a1c7f7329fd8a609172c574af4025

SHA1
3740c3efdb9e1387a9ce05c105b1d2a380a578fe

SHA256
4b0c5a494f88c0ee30e59fbef338e2c1a5114f6a4814567cc43ce03ca0a2f767

SHA512
0d4089fcd3967e4ead61fdecd0417165c03a646d1ea0ba26728fd411372f38c4a26c19715b097465d7850ebb8b8d3d1d7f47b4eba3b787f3e391d183ef853fce

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.1MB

MD5
7ee3db74c9d75c6ed9e50ce567f5cc11

SHA1
7f84f8f67711873e44e0d398a574b4e822d2cb67

SHA256
8f5dc22a567fe0741536f40c615bed6ea0b98f208dd7937859d22425d06e62c1

SHA512
1017e9ffbd5d80030c8da1c51a70360ffce724f960912120f784c62513e02f4688467570e3dc43442c05d02ba4986aaf210ead1eb3ccf25e8c937abfd0b21e42

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
9e766eda3d129b6dc05482640b022f79

SHA1
e91b98a6a3b0859838f0a88760800c21611ae824

SHA256
28f3643b942595335c1f99c5de261a3b702e8f0e5e2b3698575610a8d7614d96

SHA512
eab063c587ee7247be9c4c84442814f847158c67bde3addf8b59f7e9bc7c1bb18095dae7075aa383bcb1c2c8f6b54f2c3237e5d172e5f8c95e405fc7e707bac8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
731899edcaecb41b5f87dc55e81c60a2

SHA1
782893661986dbc2eacbf1b448bce3de52198899

SHA256
581385f6fae63e2f425e484f9920d7e6d64a099dbe6d4e5349db9a29543aef8f

SHA512
b7092da318c35927194ef39a166d809a6f4a497a12a0154fe00276501ff0e0243a6520fe723b21b0a3664dfcd6bc4fee4868e2d88537f327ae2153661e05888e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
7c27fb0b62687ff77416c1ef3da7a16a

SHA1
0214c1bd8830532be429fbb3792547f24e06aa9d

SHA256
f9ab44383ccffa0ef1afaad6d46b08ed40e162178b5eb8dd170b70d3aee7beb0

SHA512
a80e1008d8f9afe67936e369009433ebb3c40ee0b7de3134e93b2d2b3070fb1046ae0cb54e42bfbf3fd8938754d9cd9523873aac5f1561eeae40b4bf0b99b4f9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
9d7b2874a1c921394e60ad381b690b6f

SHA1
9dd37d045405b99dc21072b676d3a9b99be078fe

SHA256
b24c4897ff6fe9b1a593a911c6af41b0a7d56d875af5523c59e5ee0644716060

SHA512
e863f5357818a7efec7a1d13853b774fc48f82f86d3bf7e65e773892ba7692841b1481e49435738c15531032791dfcab5a28e58c452705ed532298897ad313d6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8734f5772d4009f1a56736eb1077728d\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
4d81c7f2ca9f6876a756544de01555d9

SHA1
6c9d9ea4a3b307c7bec28258fc070ed5958cf1fc

SHA256
9bcf7ed6269badb9a1a271f96df57c398cb33dd63051f93bf908e4925bca447f

SHA512
03f50dfc29dfe5ed79fb9ea0af31300fa6681a58b87bb224e6672a41dee913a8695e53c64cbebdb9a67ba829fb0713c37b9607d20bbf8686a2b140a9563bf7cc

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8e93e346d3b10b1be59c5999a90c8f3a\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
2e9e8bcfcf667cbe4051145821374683

SHA1
f1fc92fdde1c3017fdd5fe7dde0651b916e75064

SHA256
b4b6c507035772167b80fba788de60fe52b29fe599a8a140b1f5c8d272a053b8

SHA512
ef04a64fce2ff42195fc854c6cffa2db9e0f5fd2ffcc35ab375cac6abe3810a6625015d9b0d0c16b8feeff81615b6dcc3c35e63fb4cc117c0e25c21f43a17463

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ff9d6ec96e66312319ef202f7a9fe7e7\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
a101b787e09e3218936b25a7a0dc6bef

SHA1
6b6258e47d1ed3c337ad308b0686e4da7a760ed9

SHA256
cb5b2b16c06fd711b5e6020e98d211c224c1e083424b9d946ef46243813d639c

SHA512
19ff6c808fb51bbc4c71f633b43497c537e25f398a5739f37714bc6a462bfa801f0cc4bde25c21f0b737663734cb64a96db2fd1bb517d8c6d84f26bbb44ee13a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
d17948d0f1add9ad13ea74859dfeca34

SHA1
205de583d32d64c5ab595acc0b3e0687a3c51b66

SHA256
969c745e828352a57c2c4b68bdca1565d7ad670765cd902632815e85e8f413e5

SHA512
021ea0ca388e306c7c22f0924b612430718e3a315528905bd494105e04015ae4af5baf2f261a55cc30de69155a094d396c13e2625acbd8712911159551f91e85

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.2MB

MD5
77f380cb9ccc09ab3079bd84362a3ffb

SHA1
7212c19e9fdb296c13c77311d4329db2a15afc6b

SHA256
9f7f50b691bdb7473ba12dc65d2d684fc6deb3b0fa5093486e37db41bc92c27e

SHA512
45c8adbf4a7c9cbaed93937d4b70dea64adbc84cb48be92b7d18685ae20fe3f397404b9fa4a0ea157823e413ec1fa889626cce04f34d65880176c2c200f8abf2

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
9ff36e1065bf1257e1d5749629eb3673

SHA1
6bc9c1ad4a4077331600099eeee9aa3ea30c7200

SHA256
c600ea9371a3f96b983de065f743db4d146f96aea2d73f8f8a439253611a577d

SHA512
cf949eaa90fbce1585887ade3ffd5834d311ce25e11be9661495dbc9fb26d6660f1f00c84db41ad1721dc3a0d9b732214f5b932146f67fe3ed5a4b30f8934bbb

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.1MB

MD5
6769de67bebb5e53c0a4c6d6ab9cec36

SHA1
958d26d546f891324cfe9ec9c240f24ff4cf41a3

SHA256
c50a452c7319af99f11be441004053de78a3d1ec5b8ac2b86adfdae4912768c5

SHA512
ca8c04c6c042015172a1beac30e02294ece4e338c5b802479231a51dd8ecffa6d8fa5d95cd170bd166ffe392171d67f8b5c26452af6ad899f6886145567ac476

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.2MB

MD5
0cd7103913a16bd6f1b37d153a995ad8

SHA1
a1946c894a341e254a9f56fdd1196efa8c7fb669

SHA256
b669ee3a600c4a0ac7e835811a72f2c18dff1ee0b232d063c89160ecd2ada7e1

SHA512
f3c487e70c56b90fd90f92e26620ee09c5666338b4c9d469c7e8caa6edb4a3a3da6f01cab705668d7566c80d4d82366c2e53dfa159b5c71be402144326735f44

Download Submit
memory/552-107-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/552-113-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/552-649-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/552-380-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/608-472-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/608-484-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/616-569-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/616-581-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/812-388-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/812-381-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/848-630-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/848-643-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/852-58-0x0000000010000000-0x000000001012D000-memory.dmp

Filesize
1.2MB

Download
memory/852-46-0x0000000010000000-0x000000001012D000-memory.dmp

Filesize
1.2MB

Download
memory/864-607-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/904-683-0x000000002E000000-0x000000002FEAB000-memory.dmp

Filesize
30.7MB

Download
memory/1036-92-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1036-104-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1036-98-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1036-103-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1036-91-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1036-369-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1036-657-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1080-687-0x0000000001C90000-0x0000000001CAE000-memory.dmp

Filesize
120KB

Download
memory/1080-690-0x0000000001C90000-0x0000000001D34000-memory.dmp

Filesize
656KB

Download
memory/1080-66-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1080-60-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1080-691-0x0000000001F20000-0x00000000020BE000-memory.dmp

Filesize
1.6MB

Download
memory/1080-686-0x0000000001C90000-0x0000000001C9A000-memory.dmp

Filesize
40KB

Download
memory/1080-314-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1080-688-0x0000000001C90000-0x0000000001CAA000-memory.dmp

Filesize
104KB

Download
memory/1080-689-0x0000000001C90000-0x0000000001D1C000-memory.dmp

Filesize
560KB

Download
memory/1080-693-0x0000000001C90000-0x0000000001CA0000-memory.dmp

Filesize
64KB

Download
memory/1080-692-0x0000000001C90000-0x0000000001D7C000-memory.dmp

Filesize
944KB

Download
memory/1080-698-0x0000000001C90000-0x0000000001CF6000-memory.dmp

Filesize
408KB

Download
memory/1080-697-0x0000000001C90000-0x0000000001CBA000-memory.dmp

Filesize
168KB

Download
memory/1080-696-0x0000000001C90000-0x0000000001C98000-memory.dmp

Filesize
32KB

Download
memory/1080-695-0x0000000001C90000-0x0000000001CB4000-memory.dmp

Filesize
144KB

Download
memory/1080-694-0x0000000001C90000-0x0000000001D18000-memory.dmp

Filesize
544KB

Download
memory/1100-432-0x000000002E000000-0x000000002E13B000-memory.dmp

Filesize
1.2MB

Download
memory/1100-159-0x000000002E000000-0x000000002E13B000-memory.dmp

Filesize
1.2MB

Download
memory/1176-556-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1216-557-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1216-561-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1368-652-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1368-406-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1368-138-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1404-80-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/1404-74-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/1404-86-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1456-384-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1456-342-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1472-345-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1472-315-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1776-717-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1776-706-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1900-143-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/1900-8-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/1900-7-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/1900-82-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/1900-0-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/1932-638-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1932-646-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2064-578-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2064-585-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2144-618-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2144-615-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2180-603-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2260-446-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2260-433-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2276-257-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2276-319-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2384-169-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2384-152-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2392-716-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2392-720-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2404-481-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2404-494-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2412-21-0x0000000100000000-0x000000010012A000-memory.dmp

Filesize
1.2MB

Download
memory/2412-105-0x0000000100000000-0x000000010012A000-memory.dmp

Filesize
1.2MB

Download
memory/2412-22-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2412-13-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2428-126-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2428-124-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2428-394-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2428-118-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2456-397-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2456-410-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2552-456-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2552-463-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2564-508-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2564-519-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2760-422-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2760-435-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2788-522-0x0000000003E40000-0x0000000003EFA000-memory.dmp

Filesize
744KB

Download
memory/2788-525-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2796-447-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2796-460-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2872-487-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2872-55-0x0000000010000000-0x0000000010125000-memory.dmp

Filesize
1.1MB

Download
memory/2872-36-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2872-31-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2872-30-0x0000000010000000-0x0000000010125000-memory.dmp

Filesize
1.1MB

Download
memory/2872-500-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2908-154-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/2908-27-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/2936-545-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2936-534-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2968-407-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2968-419-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download