9eaade0c6d829a6e2703d68eb843b14189909b78e17a5e2c560e599489f4605d

Analysis

max time kernel
100s
max time network
158s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
Size

1.8MB
MD5

411f91542c9e4be6ac58e39cb6ee6c56
SHA1

896a0a8da0a0356dc575a61a28c9e76d270a1d82
SHA256

9eaade0c6d829a6e2703d68eb843b14189909b78e17a5e2c560e599489f4605d
SHA512

b5c75b879f8f3bc409c84f44cdfada33e00644d9bf1f03bd2148157fa8fa3ce1e9c9b30ebc8a87039e82471b31486523c31868eae78b8b6def405a1f02b957ef
SSDEEP

49152:/E19+ApwXk1QE1RzsEQPaxHNy0vo05s0eusONlP:Q93wXmoK6eD5s0JXP

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exeGROOVE.EXEmaintenanceservice.exemsdtc.exemsiexec.exeOSE.EXEOSPPSVC.EXEperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exemscorsvw.exeWmiApSrv.exewmpnetwk.exemscorsvw.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
476
2124	alg.exe
2752	aspnet_state.exe
2732	mscorsvw.exe
2996	mscorsvw.exe
2664	mscorsvw.exe
1572	mscorsvw.exe
316	ehRecvr.exe
584	ehsched.exe
1092	elevation_service.exe
1736	IEEtwCollector.exe
1152	GROOVE.EXE
948	maintenanceservice.exe
2240	msdtc.exe
1688	msiexec.exe
2784	OSE.EXE
2360	OSPPSVC.EXE
2648	perfhost.exe
2720	locator.exe
2580	snmptrap.exe
2440	vds.exe
2876	vssvc.exe
2808	wbengine.exe
2996	mscorsvw.exe
2772	WmiApSrv.exe
3016	wmpnetwk.exe
1524	mscorsvw.exe
2432	SearchIndexer.exe
1632	mscorsvw.exe
2592	mscorsvw.exe
872	mscorsvw.exe
1672	mscorsvw.exe
2356	mscorsvw.exe
2764	mscorsvw.exe
1884	mscorsvw.exe
2620	mscorsvw.exe
1524	mscorsvw.exe
2032	mscorsvw.exe
2592	mscorsvw.exe
2888	mscorsvw.exe
1884	mscorsvw.exe
1624	mscorsvw.exe
1524	mscorsvw.exe
856	mscorsvw.exe
2040	mscorsvw.exe
376	mscorsvw.exe
2996	mscorsvw.exe
2344	mscorsvw.exe
328	mscorsvw.exe
2688	mscorsvw.exe
2604	mscorsvw.exe
1580	dllhost.exe
1944	mscorsvw.exe
2104	mscorsvw.exe
2452	mscorsvw.exe
2776	mscorsvw.exe
1740	mscorsvw.exe
1644	mscorsvw.exe
2056	mscorsvw.exe
3004	mscorsvw.exe
2236	mscorsvw.exe
2556	mscorsvw.exe
2888	mscorsvw.exe
2308	mscorsvw.exe

Loads dropped DLL 27 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
476
476
476
476
476
476
476
1688	msiexec.exe
476
476
476
476
476
744
476
1740	mscorsvw.exe
1740	mscorsvw.exe
2056	mscorsvw.exe
2056	mscorsvw.exe
2236	mscorsvw.exe
2236	mscorsvw.exe
2888	mscorsvw.exe
2888	mscorsvw.exe
1072	mscorsvw.exe
1072	mscorsvw.exe
2320	mscorsvw.exe
2320	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

Processes:

msdtc.exe2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exeaspnet_state.exeGROOVE.EXESearchProtocolHost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\df626b3bad1aea39.bin	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe

Drops file in Program Files directory 64 IoCs

Processes:

maintenanceservice.exeaspnet_state.exe2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe

description	ioc	process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{5629EE71-1934-428C-A492-DBD2787497EC}\chrome_installer.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	aspnet_state.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exemscorsvw.exeaspnet_state.exedllhost.exemscorsvw.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{22985AAB-EDBE-4FDB-97BA-AE2D621FD8DD}.crmlog	dllhost.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBDD3.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{22985AAB-EDBE-4FDB-97BA-AE2D621FD8DD}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBC2E.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB5D7.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBA3B.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

ehRec.exewmpnetwk.exeSearchProtocolHost.exeehRecvr.exeOSPPSVC.EXESearchFilterHost.exeSearchIndexer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{5EA081D0-FA21-47E5-8110-9CC82C84DAE0}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\XpsRchVw.exe,-103 = "View, digitally sign, and set permissions for XPS documents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10082 = "Games Explorer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\authFWGP.dll,-21 = "Configure policies that provide enhanced network security for Windows computers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4 = "Windows Media Player"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10302 = "Compete with - and against - online opponents at the classic trick-taking, partnership card game of Spades. Score the most points to win."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\OobeFldr.dll,-33056 = "Getting Started"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008 = "Windows Mobility Center"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001 = "iSCSI Initiator"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051 = "Snipping Tool"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SoundRecorder.exe,-32790 = "Record sound and save it on your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mstsc.exe,-4001 = "Use your computer to connect to a computer that is located elsewhere and run programs or access files."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board."	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Sidebar\sidebar.exe,-1005 = "Desktop Gadget Gallery"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10309 = "Solitaire is the classic, single-player card game. The aim is to collect all the cards in runs of alternating red and black suit colors, from ace through king."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32822 = "Everywhere"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000 = "Sync Center"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b06ec90b1daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-202 = "Schedule computer tasks to run automatically."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100 = "Sound Recorder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\sud.dll,-10 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102 = "XPS Viewer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0d7100c1daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\comres.dll,-3410 = "Component Services"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

ehRec.exe2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exeaspnet_state.exe

pid	process
2220	ehRec.exe
2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2752	aspnet_state.exe
2752	aspnet_state.exe
2752	aspnet_state.exe
2752	aspnet_state.exe
2752	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

Processes:

2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exemsiexec.exevssvc.exewbengine.exewmpnetwk.exeSearchIndexer.exeaspnet_state.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: 33	3028	EhTray.exe
Token: SeIncBasePriorityPrivilege	3028	EhTray.exe
Token: SeDebugPrivilege	2220	ehRec.exe
Token: SeRestorePrivilege	1688	msiexec.exe
Token: SeTakeOwnershipPrivilege	1688	msiexec.exe
Token: SeSecurityPrivilege	1688	msiexec.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: 33	3028	EhTray.exe
Token: SeIncBasePriorityPrivilege	3028	EhTray.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeBackupPrivilege	2876	vssvc.exe
Token: SeRestorePrivilege	2876	vssvc.exe
Token: SeAuditPrivilege	2876	vssvc.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeBackupPrivilege	2808	wbengine.exe
Token: SeRestorePrivilege	2808	wbengine.exe
Token: SeSecurityPrivilege	2808	wbengine.exe
Token: 33	3016	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	3016	wmpnetwk.exe
Token: SeManageVolumePrivilege	2432	SearchIndexer.exe
Token: 33	2432	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2432	SearchIndexer.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeDebugPrivilege	2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
Token: SeDebugPrivilege	2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
Token: SeDebugPrivilege	2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
Token: SeDebugPrivilege	2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
Token: SeDebugPrivilege	2376	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeDebugPrivilege	2752	aspnet_state.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	2664	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

3028 EhTray.exe
3028 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

3028 EhTray.exe
3028 EhTray.exe

pid	process
3028	EhTray.exe
3028	EhTray.exe

pid	process
3028	EhTray.exe
3028	EhTray.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

SearchProtocolHost.exe

pid	process
2592	SearchProtocolHost.exe
2592	SearchProtocolHost.exe
2592	SearchProtocolHost.exe
2592	SearchProtocolHost.exe
2592	SearchProtocolHost.exe
2592	SearchProtocolHost.exe
2592	SearchProtocolHost.exe
2592	SearchProtocolHost.exe
2592	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exe

description	pid	process	target process
PID 2664 wrote to memory of 2996	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 2996	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 2996	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 2996	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1524	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1524	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1524	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1524	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1632	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1632	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1632	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1632	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 2592	2664	mscorsvw.exe	SearchProtocolHost.exe
PID 2664 wrote to memory of 2592	2664	mscorsvw.exe	SearchProtocolHost.exe
PID 2664 wrote to memory of 2592	2664	mscorsvw.exe	SearchProtocolHost.exe
PID 2664 wrote to memory of 2592	2664	mscorsvw.exe	SearchProtocolHost.exe
PID 2664 wrote to memory of 872	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 872	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 872	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 872	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1672	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1672	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1672	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1672	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 2356	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 2356	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 2356	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 2356	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 2764	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 2764	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 2764	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 2764	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1884	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1884	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1884	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1884	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 2620	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 2620	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 2620	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 2620	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1524	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1524	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1524	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1524	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 2032	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 2032	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 2032	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 2032	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 2592	2664	mscorsvw.exe	SearchProtocolHost.exe
PID 2664 wrote to memory of 2592	2664	mscorsvw.exe	SearchProtocolHost.exe
PID 2664 wrote to memory of 2592	2664	mscorsvw.exe	SearchProtocolHost.exe
PID 2664 wrote to memory of 2592	2664	mscorsvw.exe	SearchProtocolHost.exe
PID 2664 wrote to memory of 2888	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 2888	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 2888	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 2888	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1884	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1884	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1884	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1884	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1624	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1624	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1624	2664	mscorsvw.exe	mscorsvw.exe
PID 2664 wrote to memory of 1624	2664	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2124

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2732

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 258 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 250 -NGENProcess 254 -Pipe 238 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 250 -NGENProcess 1d8 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 250 -NGENProcess 1f4 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 248 -NGENProcess 240 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 23c -NGENProcess 1f4 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 26c -NGENProcess 1dc -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 274 -NGENProcess 240 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 248 -NGENProcess 23c -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 248 -NGENProcess 26c -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1dc -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1f4 -NGENProcess 284 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 1d8 -NGENProcess 23c -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 288 -NGENProcess 1dc -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1f4 -NGENProcess 290 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1f4 -NGENProcess 28c -Pipe 1dc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1f4 -NGENProcess 250 -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1f4 -NGENProcess 27c -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 2a0 -NGENProcess 250 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a0 -NGENProcess 1f4 -Pipe 29c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1fc -NGENProcess 290 -Pipe 214 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 254 -NGENProcess 1d8 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 270 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 258 -NGENProcess 254 -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 24c -NGENProcess 270 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1ec -NGENProcess 270 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1c8 -NGENProcess 28c -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 28c -NGENProcess 24c -Pipe 218 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 280 -NGENProcess 270 -Pipe 1fc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 270 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 284 -NGENProcess 24c -Pipe 1ec -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 24c -NGENProcess 280 -Pipe 1f4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 298 -NGENProcess 1c8 -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 1c8 -NGENProcess 284 -Pipe 294 -Comment "NGen Worker Process"
2⤵
PID:376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 2a0 -NGENProcess 280 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 280 -NGENProcess 298 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
PID:1048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 26c -NGENProcess 284 -Pipe 24c -Comment "NGen Worker Process"
2⤵
PID:1884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 284 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
PID:3020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2b0 -NGENProcess 244 -Pipe 254 -Comment "NGen Worker Process"
2⤵
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 26c -NGENProcess 2b4 -Pipe 284 -Comment "NGen Worker Process"
2⤵
PID:2696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 280 -NGENProcess 244 -Pipe 1c8 -Comment "NGen Worker Process"
2⤵
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 244 -NGENProcess 298 -Pipe 2b0 -Comment "NGen Worker Process"
2⤵
PID:3004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2bc -NGENProcess 2b4 -Pipe 238 -Comment "NGen Worker Process"
2⤵
PID:760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2ac -NGENProcess 2b8 -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
PID:380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2cc -NGENProcess 27c -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
PID:1288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 27c -NGENProcess 298 -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
PID:2096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2d4 -NGENProcess 2b8 -Pipe 244 -Comment "NGen Worker Process"
2⤵
PID:2052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2b8 -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
PID:772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2dc -NGENProcess 298 -Pipe 2ac -Comment "NGen Worker Process"
2⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 298 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 27c -Comment "NGen Worker Process"
2⤵
PID:1008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2cc -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 2b8 -Comment "NGen Worker Process"
2⤵
PID:2696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 298 -Comment "NGen Worker Process"
2⤵
PID:2504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2dc -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
PID:1288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 2cc -Comment "NGen Worker Process"
2⤵
PID:3028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2f8 -Pipe 26c -Comment "NGen Worker Process"
2⤵
PID:1520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2ec -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
PID:1364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2e4 -Pipe 2bc -Comment "NGen Worker Process"
2⤵
PID:1676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2e4 -NGENProcess 300 -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
PID:1284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 300 -NGENProcess 2f4 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
PID:1048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 314 -NGENProcess 30c -Pipe 2bc -Comment "NGen Worker Process"
2⤵
PID:1724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"
2⤵
PID:2780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2f4 -Pipe 308 -Comment "NGen Worker Process"
2⤵
PID:1072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 30c -Pipe 2dc -Comment "NGen Worker Process"
2⤵
PID:2568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 310 -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
PID:584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2f4 -Pipe 300 -Comment "NGen Worker Process"
2⤵
PID:1416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 30c -Pipe 314 -Comment "NGen Worker Process"
2⤵
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 310 -Pipe 318 -Comment "NGen Worker Process"
2⤵
PID:2352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2f4 -Pipe 31c -Comment "NGen Worker Process"
2⤵
PID:1292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 30c -Pipe 320 -Comment "NGen Worker Process"
2⤵
PID:1272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 310 -Pipe 324 -Comment "NGen Worker Process"
2⤵
PID:2300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2f4 -Pipe 328 -Comment "NGen Worker Process"
2⤵
PID:2212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 30c -Pipe 32c -Comment "NGen Worker Process"
2⤵
PID:1976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 310 -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:2320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 2f4 -Pipe 334 -Comment "NGen Worker Process"
2⤵
PID:2924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 30c -Pipe 338 -Comment "NGen Worker Process"
2⤵
PID:928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 310 -Pipe 33c -Comment "NGen Worker Process"
2⤵
PID:2564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 2f4 -Pipe 340 -Comment "NGen Worker Process"
2⤵
PID:3032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 30c -Pipe 344 -Comment "NGen Worker Process"
2⤵
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 310 -Pipe 348 -Comment "NGen Worker Process"
2⤵
PID:1220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 2f4 -Pipe 34c -Comment "NGen Worker Process"
2⤵
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 30c -Pipe 350 -Comment "NGen Worker Process"
2⤵
PID:584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 310 -Pipe 354 -Comment "NGen Worker Process"
2⤵
PID:2968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 2f4 -Pipe 358 -Comment "NGen Worker Process"
2⤵
PID:2344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 30c -Pipe 35c -Comment "NGen Worker Process"
2⤵
PID:1892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 310 -Pipe 360 -Comment "NGen Worker Process"
2⤵
PID:300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 310 -NGENProcess 378 -Pipe 37c -Comment "NGen Worker Process"
2⤵
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 380 -NGENProcess 30c -Pipe 368 -Comment "NGen Worker Process"
2⤵
PID:1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 364 -Pipe 36c -Comment "NGen Worker Process"
2⤵
PID:2100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 378 -Pipe 370 -Comment "NGen Worker Process"
2⤵
PID:3004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 310 -NGENProcess 30c -Pipe 390 -Comment "NGen Worker Process"
2⤵
PID:448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2f4 -NGENProcess 38c -Pipe 374 -Comment "NGen Worker Process"
2⤵
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 394 -NGENProcess 378 -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
PID:2868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 30c -Pipe 380 -Comment "NGen Worker Process"
2⤵
PID:2944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 38c -Pipe 384 -Comment "NGen Worker Process"
2⤵
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 38c -NGENProcess 394 -Pipe 378 -Comment "NGen Worker Process"
2⤵
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 3a4 -NGENProcess 30c -Pipe 310 -Comment "NGen Worker Process"
2⤵
PID:624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 30c -NGENProcess 39c -Pipe 3a0 -Comment "NGen Worker Process"
2⤵
PID:1284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 3ac -NGENProcess 394 -Pipe 398 -Comment "NGen Worker Process"
2⤵
PID:2012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 394 -NGENProcess 3a4 -Pipe 3a8 -Comment "NGen Worker Process"
2⤵
PID:2760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3b4 -NGENProcess 39c -Pipe 38c -Comment "NGen Worker Process"
2⤵
PID:1840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 3b0 -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3b0 -NGENProcess 394 -Pipe 3a4 -Comment "NGen Worker Process"
2⤵
PID:1964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3c0 -NGENProcess 39c -Pipe 388 -Comment "NGen Worker Process"
2⤵
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 3bc -Pipe 3ac -Comment "NGen Worker Process"
2⤵
PID:928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 394 -Pipe 3b4 -Comment "NGen Worker Process"
2⤵
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 39c -Pipe 30c -Comment "NGen Worker Process"
2⤵
PID:2732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 3bc -Pipe 3b8 -Comment "NGen Worker Process"
2⤵
PID:1944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 394 -Pipe 3b0 -Comment "NGen Worker Process"
2⤵
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 39c -Pipe 3c0 -Comment "NGen Worker Process"
2⤵
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 3bc -Pipe 3c4 -Comment "NGen Worker Process"
2⤵
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 394 -Pipe 3c8 -Comment "NGen Worker Process"
2⤵
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 39c -Pipe 3cc -Comment "NGen Worker Process"
2⤵
PID:2208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3d8 -NGENProcess 3bc -Pipe 3ec -Comment "NGen Worker Process"
2⤵
PID:448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3d0 -NGENProcess 3e8 -Pipe 3d4 -Comment "NGen Worker Process"
2⤵
PID:2052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3f0 -NGENProcess 39c -Pipe 364 -Comment "NGen Worker Process"
2⤵
PID:2624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 3bc -Pipe 3dc -Comment "NGen Worker Process"
2⤵
PID:2144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3e8 -Pipe 3e0 -Comment "NGen Worker Process"
2⤵
PID:1220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 39c -Pipe 3e4 -Comment "NGen Worker Process"
2⤵
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 404 -NGENProcess 3bc -Pipe 3d8 -Comment "NGen Worker Process"
2⤵
PID:2536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 408 -NGENProcess 3e8 -Pipe 3d0 -Comment "NGen Worker Process"
2⤵
PID:2096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 40c -NGENProcess 39c -Pipe 3f0 -Comment "NGen Worker Process"
2⤵
PID:2236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 39c -NGENProcess 404 -Pipe 3bc -Comment "NGen Worker Process"
2⤵
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 414 -NGENProcess 3e8 -Pipe 3f8 -Comment "NGen Worker Process"
2⤵
PID:3060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 3e8 -NGENProcess 40c -Pipe 410 -Comment "NGen Worker Process"
2⤵
PID:2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 41c -NGENProcess 404 -Pipe 408 -Comment "NGen Worker Process"
2⤵
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 3f4 -NGENProcess 418 -Pipe 39c -Comment "NGen Worker Process"
2⤵
PID:2424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 420 -NGENProcess 3fc -Pipe 394 -Comment "NGen Worker Process"
2⤵
PID:672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 404 -Pipe 288 -Comment "NGen Worker Process"
2⤵
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 418 -Pipe 414 -Comment "NGen Worker Process"
2⤵
PID:1288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 418 -NGENProcess 420 -Pipe 3fc -Comment "NGen Worker Process"
2⤵
PID:1072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 430 -NGENProcess 404 -Pipe 41c -Comment "NGen Worker Process"
2⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 404 -NGENProcess 428 -Pipe 42c -Comment "NGen Worker Process"
2⤵
PID:2672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 438 -NGENProcess 420 -Pipe 424 -Comment "NGen Worker Process"
2⤵
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 43c -NGENProcess 434 -Pipe 3e8 -Comment "NGen Worker Process"
2⤵
PID:908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 428 -Pipe 418 -Comment "NGen Worker Process"
2⤵
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 428 -NGENProcess 438 -Pipe 420 -Comment "NGen Worker Process"
2⤵
PID:2108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 448 -NGENProcess 434 -Pipe 430 -Comment "NGen Worker Process"
2⤵
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 434 -NGENProcess 440 -Pipe 444 -Comment "NGen Worker Process"
2⤵
PID:2688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 450 -NGENProcess 438 -Pipe 43c -Comment "NGen Worker Process"
2⤵
PID:1900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 454 -NGENProcess 44c -Pipe 3f4 -Comment "NGen Worker Process"
2⤵
PID:824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 44c -NGENProcess 434 -Pipe 440 -Comment "NGen Worker Process"
2⤵
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 478 -NGENProcess 460 -Pipe 46c -Comment "NGen Worker Process"
2⤵
PID:2200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 4ac -NGENProcess 4a8 -Pipe 498 -Comment "NGen Worker Process"
2⤵
PID:2692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4ac -InterruptEvent 4c0 -NGENProcess 4b0 -Pipe 4bc -Comment "NGen Worker Process"
2⤵
PID:1824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c0 -InterruptEvent 4b0 -NGENProcess 49c -Pipe 4c8 -Comment "NGen Worker Process"
2⤵
PID:1860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b0 -InterruptEvent 4b4 -NGENProcess 4c4 -Pipe 494 -Comment "NGen Worker Process"
2⤵
PID:2688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b4 -InterruptEvent 4cc -NGENProcess 4ac -Pipe 4b8 -Comment "NGen Worker Process"
2⤵
PID:2216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4cc -InterruptEvent 4b4 -NGENProcess 4d4 -Pipe 4b0 -Comment "NGen Worker Process"
2⤵
PID:2972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b4 -InterruptEvent 4a4 -NGENProcess 4ac -Pipe 4a0 -Comment "NGen Worker Process"
2⤵
PID:1308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a4 -InterruptEvent 4c0 -NGENProcess 4d0 -Pipe 4dc -Comment "NGen Worker Process"
2⤵
PID:1624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c0 -InterruptEvent 4a8 -NGENProcess 4d8 -Pipe 49c -Comment "NGen Worker Process"
2⤵
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a8 -InterruptEvent 4e0 -NGENProcess 4ac -Pipe 4c4 -Comment "NGen Worker Process"
2⤵
PID:980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e0 -InterruptEvent 4ac -NGENProcess 4c0 -Pipe 4d0 -Comment "NGen Worker Process"
2⤵
PID:2624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4ac -InterruptEvent 4e8 -NGENProcess 4d8 -Pipe 4b4 -Comment "NGen Worker Process"
2⤵
PID:1840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e8 -InterruptEvent 4ec -NGENProcess 4e4 -Pipe 4a4 -Comment "NGen Worker Process"
2⤵
PID:2688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4ec -InterruptEvent 4e4 -NGENProcess 4ac -Pipe 4c0 -Comment "NGen Worker Process"
2⤵
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e4 -InterruptEvent 4f4 -NGENProcess 4d8 -Pipe 4cc -Comment "NGen Worker Process"
2⤵
PID:648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f4 -InterruptEvent 4f8 -NGENProcess 4f0 -Pipe 4e0 -Comment "NGen Worker Process"
2⤵
PID:1272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f8 -InterruptEvent 4fc -NGENProcess 4ac -Pipe 4e8 -Comment "NGen Worker Process"
2⤵
PID:1624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4fc -InterruptEvent 500 -NGENProcess 4d8 -Pipe 4a8 -Comment "NGen Worker Process"
2⤵
PID:2692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 500 -InterruptEvent 504 -NGENProcess 4f0 -Pipe 4ec -Comment "NGen Worker Process"
2⤵
PID:2368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 504 -InterruptEvent 508 -NGENProcess 4ac -Pipe 4e4 -Comment "NGen Worker Process"
2⤵
PID:2764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 508 -InterruptEvent 50c -NGENProcess 4d8 -Pipe 4f4 -Comment "NGen Worker Process"
2⤵
PID:916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 50c -InterruptEvent 510 -NGENProcess 4f0 -Pipe 4f8 -Comment "NGen Worker Process"
2⤵
PID:1840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 510 -InterruptEvent 514 -NGENProcess 4ac -Pipe 4fc -Comment "NGen Worker Process"
2⤵
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 514 -InterruptEvent 518 -NGENProcess 4d8 -Pipe 500 -Comment "NGen Worker Process"
2⤵
PID:2424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 518 -InterruptEvent 51c -NGENProcess 4f0 -Pipe 504 -Comment "NGen Worker Process"
2⤵
PID:912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 51c -InterruptEvent 520 -NGENProcess 4ac -Pipe 508 -Comment "NGen Worker Process"
2⤵
PID:2452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 520 -InterruptEvent 524 -NGENProcess 4d8 -Pipe 50c -Comment "NGen Worker Process"
2⤵
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 524 -InterruptEvent 528 -NGENProcess 4f0 -Pipe 510 -Comment "NGen Worker Process"
2⤵
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 528 -InterruptEvent 52c -NGENProcess 4ac -Pipe 514 -Comment "NGen Worker Process"
2⤵
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 52c -InterruptEvent 530 -NGENProcess 4d8 -Pipe 518 -Comment "NGen Worker Process"
2⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 530 -InterruptEvent 534 -NGENProcess 4f0 -Pipe 51c -Comment "NGen Worker Process"
2⤵
PID:2868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 534 -InterruptEvent 538 -NGENProcess 4ac -Pipe 520 -Comment "NGen Worker Process"
2⤵
PID:2104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 538 -InterruptEvent 53c -NGENProcess 4d8 -Pipe 524 -Comment "NGen Worker Process"
2⤵
PID:1220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 53c -InterruptEvent 540 -NGENProcess 4f0 -Pipe 528 -Comment "NGen Worker Process"
2⤵
PID:1416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 540 -InterruptEvent 544 -NGENProcess 4ac -Pipe 52c -Comment "NGen Worker Process"
2⤵
PID:600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 544 -InterruptEvent 548 -NGENProcess 4d8 -Pipe 530 -Comment "NGen Worker Process"
2⤵
PID:1268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 548 -InterruptEvent 54c -NGENProcess 4f0 -Pipe 534 -Comment "NGen Worker Process"
2⤵
PID:1596

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2688

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 230 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2604

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:316

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:584

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3028

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1092

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1736

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1152

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:948

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2240

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2784

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2360

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2648

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2580

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2440

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2772

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2592

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
2⤵
- Modifies data under HKEY_USERS
PID:1576

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1580

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
2d87fda064fed4aaa07cb5c35fbfeb0e

SHA1
a43639418abfd88a59c5115ccd3a5309e4ca6128

SHA256
f246c22f23ef51e595e7c57cd29fbb3068e61af5c3d9aa671bec9d17e182faf4

SHA512
3428df37db6318ff357c77a37c565e26caf106a787c9ebcb1afc52c44d0352b3927feaa4be8944fa911d4d3e4f1d08514769dde01c213eaa8c043c389e835809

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
e419410221fbdd0da69155ac12980c51

SHA1
796505863e73354bfcb2b1fe6bad951bfa0018d8

SHA256
b3a71365d44c2b3ec85c2ff5f281b7fd56b21b7081e8e005da5a85cb619bb0f8

SHA512
e72c3855a38d25a4d97744abf0eae4cff06543e3211ebfde4394045389162fe4cbd4fdb0a7d497e5ec1b8a277b8954e751b793acae5436a34a20fa140ccbeb4c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
9ae5da7c98c0b5cae625f606511f0e85

SHA1
6ae34248b239df27ec6626fdb787ca2e27b8efd3

SHA256
6e412544a3cd32cdcc4b02a61be0722b86bf1f74be5eb63d394cad3caa8399fe

SHA512
83dfd727d883423dfcbfe6e9ea101c94a40ffa0f1d134e711e0e968b36e2b38bb126f38b4e7d8956b82f2ad0c0fa589b67374c6c09b5f3616288ed9f52d64865

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
73567e54f8a30c01cdc81efa0836e08c

SHA1
f9cd913aa69315541a405bf5a0507fae10797171

SHA256
db223c5c61ee8c28070f07aecf0a2823b3e9a1ca7e98d3548e8c6b76bd648ee5

SHA512
ee10681d0816da3a628eb81ec24dcf1c047273d60e1cd1102d60c7fd8c310e53e74e9047974653cc3dbd179feffc2a5aa5e9126dee513d16b4d58ab4fee40147

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
9a6288b51318ba03a5a54fc71213a664

SHA1
90c023ded8a84de9a7257b7a9a4b6b3e05708121

SHA256
5a22e422c69aa663aa0a354694d91b6d3a3e1ec6841a7aebcad078fe834f5976

SHA512
1e6f8fb28b0680dd7a7cba9506640dda49ed0aefe430e09fa2820ab70c60cc95dbb64d544ea2dceb4105ca7d7dc3e5be3c7ed288c52cbfe0d95956d8af1360de

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
2e85a9427de9836eb7a6740f54c7aa81

SHA1
96a10edce7749ba3b577f365531b34b9891d9c92

SHA256
0ee157f3da590b2aa858bfce322e8e8e0d5ce6847868f4f725c79497b273b8f7

SHA512
92d54d221c31f62350552d4e47b1ad5d74a24ea50ff725999ffecc6a8957ab4decc593473552de1f593ca7d045e514ff4b05c6a03b4dbc668046ba1d1cf55ce2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
aaa2186d0ef4bbfef90ce52f63982f4d

SHA1
c48107c45031d80f90b3cd5516a5725358f6cfcc

SHA256
f6621ce23417b8cd4e2988fb8dd5cf8c654de06be148608758788252fc2b87d8

SHA512
393166505ebeed19a78579a7554ce2f2ef8df7454dbc538db64a28dce04340a37779971e5d4fc97414fd50c072ac23b909205741d862f2b2cdd40d9b41ef8ff1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
1.3MB

MD5
44ae32722efc6604063990bbd696f89b

SHA1
a9ecaaedb570bacb1090fd1833277ab655af33a3

SHA256
7e78cab096ac72fd2256a6cc2c5d5b7bd4272f46855fa0524101b5fc81cbf356

SHA512
b02e1f266851a9a1bfa6ebcc71a4e2e5b2e50488d9f3775fcf7043050958c4b3317555867dce6200dab84f8eefc460847f5c27027fc374da7732227175267422

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
1.3MB

MD5
93202c744b284e1529272f36f30dd0f8

SHA1
1494844754567585b3533badcf8c5db979b8eec0

SHA256
97ee3927820849d557a5d66520e4d2deb50093f66acb68e5b76912d7244535ea

SHA512
ae7f81f63f8fd4d366bcd95852b30f28868c8055795d78354f7905ed21a0b7fd8eb3c9aa37aa5f54f580b7f2502a80bebc463e82c928831eb6b3b0480c429ae7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
1.3MB

MD5
e53064ba48ff41f90a8a34cfa0e05fe8

SHA1
3294233bdd572f27d633820b35f0270a38aeb1dc

SHA256
a15a1f233ec9cb6d890e8a139409fb170fbb566def25b0ab28a6de794a03906e

SHA512
adf237c610f9bf9d0b7e08aa308e268b68d32d205841eba7e582bc187761c029deeaa625ae56b0e27d4d79d3446bfe0df14c3fcd6665a3c9c043fe58c3263b74

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
138a3eedf59c3c576ffafff34ade441d

SHA1
4c508688f591f995576be6f992ae4d54987ea160

SHA256
1f06f2c1ee7d942a78dc3568b86548091b346eae139cb38998b2c8d97ec3608c

SHA512
736252fbb1871192d12d729eac55b7f8fcb566954c8734a99a64c0bda1d7b398236b169b4f5812baa689bd6063f33a27c1633b229bfd719d6454787c23672fc6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
1.3MB

MD5
709617d76007f7ac342f7e9842b7048e

SHA1
126f502b96cdadcb46e68f5280ec6ebc4f850fef

SHA256
6e84ae2157fc2382a4a80582885ce0a93782f78b0e0ee6b9f70fcefe070f55ce

SHA512
193436e5d94f2f8b2196c37f723e163a054f46f4b386e8acc8a7b19fe06811e21b1454c816abf3b22cb44d1e065c09f995fc027a200bf56df3daa38b669b5f0e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
b68ac88b049c3230d073c3e99ea34b5f

SHA1
84946362ce63571879a19395ee0fb2b6d36864eb

SHA256
496b8fcb128413f0dba3cbb3c9218f62255a51526db5c720a49a6390695d2866

SHA512
095c73c74fee47d7967757ca43c7d4d07c4ad611ae93c8f9c2bb5c67902d6594968625016e540fda20e9173838f4c425dbe372aca5fb8b3cb0d692bf1b4d36d4

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
086e3915939cc7a96f17e3da691a28f2

SHA1
9d98d53a4c9d6b86bbdcb85fd86f02ff3492ae5b

SHA256
b8f559d713abc1da8c6a48b4521038c0ce1fe48e1a7ddf614d55cc60e7e3c20c

SHA512
ac7471aee9210b7f64bfede916cd5a4fb02d330f299f7f64e4f1162e8e3871cd43d9d3094c03d8d0a4dd413bbab3a4532e191b736dba5b9120c620e5107bfec9

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.1MB

MD5
2e54cd07dd0bb82bdd3512992cee4ce2

SHA1
bfa4353722531217376ee1d3770197708b9e8bfe

SHA256
f7949c86fabc717ab3d783a6f55d58968648000949ecc685a7198ada5179f6e5

SHA512
76c96a7f3dd48bbe69d20d1c3226a1a7a0c43bf640860497fbc0184ac7d73bef7995e458d8d1178c38df9b6e28fc8ecfff30048ca867c70f347e54d6281284a5

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.1MB

MD5
1952725f2d947299f6b184468bf01a0f

SHA1
a332709ef03b2a5a57e5f09851e3003ad433fd4e

SHA256
8451302b7de28c35419c5c23ddc981c6cb932204b983ebd0d46b2d21b152fe54

SHA512
f93172695239dfd88b4782e51fb80e1b77accf88b3cc9f4a7539cfef5c4c4a036cc28645ec5473502f138809b77409622d5bfe36ddbd1c8a7112a7286cf93394

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
afdf8d77c3d86b43356885cbcda0ecc2

SHA1
ea053b0145b0dc0e6855237fa25d3cfae3a758bc

SHA256
aee5b2716d4e7dbde8f211f21aa72887f772022858a9b93fca7f256de676fe37

SHA512
ad39cd54ac1e1385519e7488f272cfd33dcf0e28cc00dd558b2f20ec52344fcb5c7cab19288b12188af6c5bcc1e93b3ca7c692f57a9f2964317f3ca09bda0f26

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.7MB

MD5
d5aad4bcc1b377b276dc9e355078b89b

SHA1
64e6da1869369c15d5ab0a73f39bcf7172988555

SHA256
aa889dd3c9b5246da817f3c87d14023c59dd2d900aa04385c9eef6bf400fda9a

SHA512
2f5605cfb441a4fe1425b1464c0df203acddca2698f9ab2066f154e2fc9bc37e673b93e10b707255efed3e786557bb49642967737b4798b5cf313116f56176ea

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll
Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\181356b1bbb85fe2401c4dfad1a45133\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0.ni.dll
Filesize
158KB

MD5
a763a9348ab4ee3bd593bb17d854e51b

SHA1
4d0c97ba6877e2f9ab32fe1316936a4f2e0ff2c9

SHA256
b2f9dce9baca3e56fb3587ffe30ca38eb0f89ed30985b328a853778480c0f87b

SHA512
e8d3896d4bd788d3ed923e0c9d3ba19fe9fc507060e2e5e8e410964f4c9d7331928324a79336079ccc84c050d8f0acfb03126a2e3622daac3846b0bfd028f602

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\43ac81bed18b52d77a8011ada80939b5\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.ni.dll
Filesize
296KB

MD5
7687295a6e19cc656b077e6a61629d4e

SHA1
fa1025de5cffb56a3d1f8cae9d09b7171b33326e

SHA256
ad8d210d001d3298ad4e1cbf08449b2cbd2b358d28cfad99db78639627a7cb86

SHA512
19de95fd90bc6f091e785074ee71dc15d450d65fbdea933e26650fb9c747d81ae2fca7f5f83192f17451a49a314d264cabea2202c805b6ffab729d381675734c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\48a294a6ff9cea6b26c38fc8b4f5e3e8\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll
Filesize
356KB

MD5
87111e9d98dc79165dfc98a1fb93100b

SHA1
4f5182e5ce810f6ba3bdb3418ad33c916b6013c8

SHA256
971188681028501d5ac8143b9127feb95d6982417590af42cf1a43483e38bd42

SHA512
abbb246d620e8a2ab1973dde19ff56ea1c02afa39e889925fe2a1ba43af1ad4ff6eb017e68578ae520109b3e290b3d9054d7537eb2df0ede6e0fbca8519cc104

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5c8b40c69a2293c8f499b38b25c41117\Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0.ni.dll
Filesize
157KB

MD5
7bdf8e0c9aa04b71a52dd964005f4363

SHA1
a87e809146d3c70093a189c37f0a96b8bd0ce525

SHA256
0406be7235661a62f68bff4c7640b4e241a0c392d548bf242ed08ba0eeaee66b

SHA512
4983ebf42241723cf258407c7d2a0773f395c861741f4e98bd7ac86e1ef0a597f89263bb5a986b69ffd43836a5e49d8f03342736b4c3183ea0c58b8099af2051

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5f2320d38621eb541713e6cd421c2b8a\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.ni.dll
Filesize
648KB

MD5
7ebbba07bc6d54efd912bcd78b560b7b

SHA1
a6aee1a80ddcdf201301ac29293c62d58bcc941d

SHA256
637dc357ff9011902186f2fd128ca74ac84fdb6d984f15036803b6a8fe28868a

SHA512
2139a0d520ed70b72dc76fdd0555185386c9c22de1e1fb7eaac0607b313500c44f856c76ac6e2cd72148ea0b86b10bdd2b0ab7daacfc945cb66a637b8d99cfe8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll
Filesize
1.2MB

MD5
0637ad2bf6fc5ac1d29e547155bc818c

SHA1
a502879466b6dd37eae5881bbb18353f97623852

SHA256
868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f

SHA512
1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9248a710d7fe2485a557ce5d3cbcf2df\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0.ni.dll
Filesize
607KB

MD5
e9ca062e4958cc25400c804029a5bf62

SHA1
1ed4374d0d0f568936fdebe17d9110481d6b3344

SHA256
a09436c1df8fcd8ecd1732d6e4e68f32b092e71e0c5d3308b0f3f20abd03d4e0

SHA512
43a9ea20d1e636201c0ce7098c198b893465b45f747ed2a002e8dd0bfc7739c28e166d259faf3a0087ae1fe59c74cc8e598f2b283cc7ebc345b6f3b5c388e520

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a05ee2388c8a28fb3ac98ec65148e455\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll
Filesize
65KB

MD5
da9f9a01a99bd98104b19a95eeef256c

SHA1
272071d5bbc0c234bc2f63dfcd5a90f83079bbab

SHA256
b06632dff444204f6e76b16198c31ab706ea52270d5e3ae81626dc1fc1fb1a4d

SHA512
dcb3273e33b7df02461e81a4f65ae99c0a9ae98188a612ce6d605a058bd2dcb6ddb5b7c78abe1f0a955b7f0c07c323dbfd77a2b6a629a9c87e4ecc1c57e4d81d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\acc554a0a5017d1e96555b76a8ce47ae\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
83KB

MD5
0c23312c2ab79717758fd89dca4278ad

SHA1
d22b3904487bb8e87eb0ed4e1cf32d395d134edf

SHA256
c1ad11f14dcf5fc3e0eafd32f3b320c6c92711d32170a3cdf86f365cad41c7c0

SHA512
ee27c4f61e29d4001fae205ee5b770a11ba6c1269f366a4409d10061cba59d2c0f9a71dd9a5127c1b274fd05b211b56181b287d1b37887acfcec74f4b7e094ee

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b8e029b1434d965380b363483e376df0\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.ni.dll
Filesize
329KB

MD5
eb09a7062a66a50fe2cb16c4a80561a7

SHA1
33b4c71ced7644be9802374a4f04c866394daaca

SHA256
e94a4ad1ef9de2886a231e857c8691328c2e6e344cc9e82440e5c45b8a788256

SHA512
c57a4c626c87032ca422df04ce7c3322662a9b0c6c06a46e93f08ca8f431295c9ae802cd79f53cae5de2b39a30bbeb756c966880e874ed44115cf511cc1ff920

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bb63c81d306795319eaf7af25f67342a\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.ni.dll
Filesize
141KB

MD5
58cacef7cbc000bb5ddeedc08a598f36

SHA1
f8963d4ac1f7b72c2ee4a0a6d45b921f4f88bab7

SHA256
124a0869df89ec2c9f0b307dd6b6d17e1e1e7ad638e0b4abf4483c15f842d270

SHA512
9cf04e365abcdcfcb9c1f927da83a2dfe0791cccb80cd84ed63b03264d1e253060c455ed8664f35aee0a59e8c172f859ba49c67c9eec811a53e656c076c6bf66

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bf3e8ba642eaf9a5371982f211550c52\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.ni.dll
Filesize
278KB

MD5
d74d434aa70ce827715b5e0ac7eda5be

SHA1
b53f3374be4c96af51c78fd873de1360f17c200f

SHA256
54701cbe719b08b2393b9f4a604c372f9a280b5d3dd520b563d2aea7d69a1496

SHA512
631d09a0ff39ece829f5c23278c2c030e5ff758b285128edb7805682de75b5be1aedd914d2325f79ec98d0103660a39ae1f1a5782f5dad038b143f3774c098df

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e53ef2d50f8968101f12e11a0527b247\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
180KB

MD5
5faf3b50b1973c3a4375add2486bf4a2

SHA1
0e6030918b2e9236cc7391b71e1e776c70297f96

SHA256
0d6e2bc8c3c58f05747c24bf8abd54dc4d1bbfc5e806b313234f3366703d9267

SHA512
aca0a03ca1c716b55db87527a42e1a375f3e088cc14986440daeff30fedd90a3aacd6b9098f2a747069269dff32d67057a39f199aa68a4bf5c5fce79b6690811

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f3b6655da65b5888f988ac85e45260c0\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
187KB

MD5
6233bba6e631fdb4ef0a59f5eff05ac5

SHA1
c43f09ef494a39b917fbe9cdf337eeea93b6112a

SHA256
d1ebf063f8bafee8e5b2bf89141652a8a31612570e2b57337d0d11e063b4b2cb

SHA512
8978cfb66e739c232c707e6b2f850f390831e1764de3a3a3943df7dd1f8e60bcc18376b651334031bfb1f25ebf3e6d4c5a6107546e203028962d17222fcd073f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
1830067086892f6f0ee7544042ad6ae3

SHA1
41a2c97a35e29aa48cb278ba6ce7b1011ec74b6f

SHA256
759f2eb1a17a55e672a2a9e215f36bd2e4a7ea1084f5646900ff097da504424f

SHA512
25e08689f5fd1f03dc8c5be532d3f92d39ad3271a99cf47e31766141b3badc0d819faadf38e0512d3781ba83d5836e1c89d2665d5e3fc5963554481dacec4a69

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
2.0MB

MD5
caa4c37a58727d8440f261999677fcff

SHA1
756dee773f4217d027e384138c693b690b00e629

SHA256
aba13cc0d07ac605c6ffa15a96eaf743ed34c57bb6e0a6d5add820eccd9b36bd

SHA512
5d20a58954541875150037ffbcb305fc77f42f55f0be444653167aa1c33a4a832fe2043ac9a590a0b70ac685d8eb4eea3f01dc7f80b4d6ceb999af9cb147b895

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
1.3MB

MD5
71102d23419ebd7bcb21b7b638bd743b

SHA1
33547c14f94f92ac256de30dc28de35bde4caf9c

SHA256
ef871bf682c773e9da6d60d37c49f9a6926a0c4806180e7ce51574cd8411b020

SHA512
98fac26f4577f2bc71a45d2f3f7105de6fee83ae58ec776d9711d3f2a172b61d833bab32eeea3b77d9468e925b8b69be1873c41c9bf6f199bc1b79d7da4e7a0d

Download Submit
\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
863aa971c498bb18fcf17484149d7055

SHA1
5d10785f6a8b3198d5c5f45cbf66d068455559c8

SHA256
6be395aa25ec241cf5cc6ab160e733e1c2a689f0ef7ae51a5ce9460597bb7deb

SHA512
4253f4775697caf23dd12d4fbf6c548ba0520b311b590cd03af3dc320b8d874fb342c14591bca7f2a4c96378e53dcd8bcf0c6b977c381b4fb06f8388bfc9454c

Download Submit
\Windows\System32\alg.exe
Filesize
1.3MB

MD5
a03c8791000b709914d2d57252be74d4

SHA1
7f03f54ca06b267655ae1053b9852dedabf9b12f

SHA256
bfa994bdba3daa22e3c05a61e20ff924ddbd5bd1625eb4142c111e3cad3d24c3

SHA512
90b09682d41d2760f7b6a70359dcf118ddc57f42b3a3665df474ec0aaa0ec5b4105467564e8a07da1cfeaaf720df9950d7745f318db16d6c317bb0d20f116ecc

Download Submit
\Windows\System32\ieetwcollector.exe
Filesize
1.3MB

MD5
1056434ae960e805461da23df35d1d12

SHA1
15e017aa46edf08ba1b3cea2a0af7930dab4997e

SHA256
7e8231726f8015dfb6b0ed0f2d338d68bd6f9611217a058f066e46868688b541

SHA512
6cb00998c6389f4807269b310550cf496e8f47b3c335bd0d48da745bce0adc5d7390d8f88629a7dce5c8a5ca5f0b4792d4341a6a04ffcd080a74a7817af2213f

Download Submit
\Windows\System32\msdtc.exe
Filesize
1.4MB

MD5
e7797926f63d0cb5638547b47850afbd

SHA1
e7a3904c4054d3b09f65c494bc1045e4ace24552

SHA256
08e89a334906faa83282e91ae697ebbbfeb226e930c7796cd64932d0137e5eb9

SHA512
b806f779cf3b8d6850ed0d8a09f637c20ddb1dde7c71765e54f2050e2538e3be903074a8e9196e8e1982210265d7564011be74c7407ec06afb13dd7f5ce87a05

Download Submit
\Windows\System32\msiexec.exe
Filesize
1.3MB

MD5
ea44285f052e39ef11ecb057f4fc089f

SHA1
86322da368e954220d32eaff3e31ec8ab78d885e

SHA256
0189dc392610a9ed9c585382f0dab1b085a48d2a6d017851de398da06b9a32da

SHA512
58c520dd9a672ddfdeea5e11b0f644aeaaabeec7e0f525db262c6705f8e5f3a978d673a867d2dfc418ee2757334f6228b972e698b40f300571fe6b44aefc3d50

Download Submit
\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
d7b7cb03addf78b35bded3bc0ef6267c

SHA1
f351e8a5039a6d253cae8faedd9460a59e1a34b7

SHA256
22706624c6fed4a2bf91c42a66e8750303db838bf5bc669a0a640f571ef47d7d

SHA512
6bf24fe940710cf0e53a960e6f48e057bc2850ed709e89a7a3918efa9653df4337ab2e4037a2b3e9c09cf9ab32f15a1ee96204f5913b1cebe996271860b2e525

Download Submit
\Windows\System32\wbengine.exe
Filesize
2.0MB

MD5
340ee755b202cb61bb098de0780cfddd

SHA1
32d9b3714e42c73383f54c568b8b8c7f78fac08e

SHA256
d49d238f5a54e83be624c36ea9e2552b1e6f3de86f40680be39a89b2ec7faa56

SHA512
43716d3cece2e3d5701a39a238b302822d1e8480a0f1cbbe6c95ced7b71c1da1e81701716ead25b0e557ee9a6912d3c7a85f90fd49e0b6b6dbbf321fc57a6d31

Download Submit
\Windows\ehome\ehsched.exe
Filesize
1.3MB

MD5
5834cbdddce47e93035af8ef3b7360f6

SHA1
f7fa61bd31b3037077ce9d5ff1dd5c9e67c5aba8

SHA256
5b7c75f8c4de3864f9587bcbeebdf115ce97a1d707154bc41ff5df2a391c2375

SHA512
a7efc1c00b58186e8e7c4082eb33b904dea054436b8be809a1af36a2d73227b9745038744e2218bdead1464b0dfc176bbd2cb64ebaddae794bcd1f9070a95ddc

Download Submit
memory/316-107-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/316-112-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/316-838-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/316-103-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/316-97-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/316-207-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/316-113-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/584-120-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/584-114-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/584-782-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/584-219-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/872-426-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/872-465-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/948-165-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/948-240-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1092-224-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1092-135-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1152-152-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1152-233-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1524-313-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1524-285-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1572-83-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/1572-92-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1572-89-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/1572-178-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1632-315-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1632-407-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1672-480-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1672-459-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1688-253-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/1688-197-0x00000000005B0000-0x00000000007B9000-memory.dmp

Filesize
2.0MB

Download
memory/1688-175-0x0000000100000000-0x0000000100209000-memory.dmp

Filesize
2.0MB

Download
memory/1688-284-0x00000000005B0000-0x00000000007B9000-memory.dmp

Filesize
2.0MB

Download
memory/1736-140-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1736-799-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1884-602-0x0000000003DA0000-0x0000000003E5A000-memory.dmp

Filesize
744KB

Download
memory/2124-132-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2124-12-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2240-169-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2356-497-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2360-300-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2360-202-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2376-82-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2376-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2376-6-0x0000000000260000-0x00000000002C6000-memory.dmp

Filesize
408KB

Download
memory/2376-1-0x0000000000260000-0x00000000002C6000-memory.dmp

Filesize
408KB

Download
memory/2432-301-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2432-783-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2440-234-0x0000000100000000-0x000000010026B000-memory.dmp

Filesize
2.4MB

Download
memory/2580-225-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2580-423-0x0000000100000000-0x00000001001ED000-memory.dmp

Filesize
1.9MB

Download
memory/2592-417-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2592-437-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2648-216-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2648-314-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/2664-67-0x0000000000720000-0x0000000000786000-memory.dmp

Filesize
408KB

Download
memory/2664-66-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2664-871-0x0000000002280000-0x0000000002290000-memory.dmp

Filesize
64KB

Download
memory/2664-872-0x0000000002280000-0x0000000002308000-memory.dmp

Filesize
544KB

Download
memory/2664-873-0x0000000002280000-0x00000000022A4000-memory.dmp

Filesize
144KB

Download
memory/2664-874-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/2664-875-0x0000000002280000-0x00000000022AA000-memory.dmp

Filesize
168KB

Download
memory/2664-876-0x0000000002280000-0x00000000022E6000-memory.dmp

Filesize
408KB

Download
memory/2664-870-0x0000000002280000-0x000000000236C000-memory.dmp

Filesize
944KB

Download
memory/2664-72-0x0000000000720000-0x0000000000786000-memory.dmp

Filesize
408KB

Download
memory/2664-177-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2664-869-0x0000000002280000-0x000000000241E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-868-0x0000000002280000-0x0000000002324000-memory.dmp

Filesize
656KB

Download
memory/2664-867-0x0000000002280000-0x000000000230C000-memory.dmp

Filesize
560KB

Download
memory/2664-864-0x0000000002280000-0x000000000228A000-memory.dmp

Filesize
40KB

Download
memory/2664-866-0x0000000002280000-0x000000000229A000-memory.dmp

Filesize
104KB

Download
memory/2664-865-0x0000000002280000-0x000000000229E000-memory.dmp

Filesize
120KB

Download
memory/2720-221-0x0000000100000000-0x00000001001EC000-memory.dmp

Filesize
1.9MB

Download
memory/2732-46-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/2732-36-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2732-29-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2732-28-0x0000000010000000-0x00000000101F6000-memory.dmp

Filesize
2.0MB

Download
memory/2752-16-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2752-23-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2752-17-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2752-139-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2772-254-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2772-771-0x0000000100000000-0x000000010021B000-memory.dmp

Filesize
2.1MB

Download
memory/2784-291-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2784-198-0x000000002E000000-0x000000002E20C000-memory.dmp

Filesize
2.0MB

Download
memory/2808-765-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2808-248-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2876-457-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2876-238-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2996-288-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2996-50-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2996-49-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/2996-56-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2996-249-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2996-76-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/3016-271-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/3016-774-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download