Analysis
max time kernel: 146s
max time network: 155s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25/05/2024, 11:25
Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Resource: win7-20240221-en
General
Target: 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Size: 1.8MB
MD5: 132cb4ec98efb04f0d95c6b2b6e12db8
SHA1: 552b78fb5bf9f36d80ba293628a6b3c0648817b7
SHA256: e0fa3ed1f36249f1ffb11b2d82d28cae466d6041939b3eeb59257293333d5bac
SHA512: 4e69489859683a7b328cec595d3ab339816bf9e289228a558fecb93c668807e89ab49e826a405a32c096bfd775b4a268a35a9ac13a9ed0ecc553f297ebdec3a9
SSDEEP: 49152:yE19+ApwXk1QE1RzsEQPaxHNgvu6olbnoQx1:X93wXmoKyu6otnoq
Malware Config
Signatures
Executes dropped EXE 64 IoCs
pid | Process
472 | Process not Found
2448 | alg.exe
2504 | aspnet_state.exe
2392 | mscorsvw.exe
2468 | mscorsvw.exe
1512 | mscorsvw.exe
2568 | mscorsvw.exe
1480 | ehRecvr.exe
1960 | ehsched.exe
1096 | elevation_service.exe
3012 | IEEtwCollector.exe
3048 | GROOVE.EXE
2740 | maintenanceservice.exe
1332 | msdtc.exe
2708 | msiexec.exe
2188 | OSE.EXE
2320 | OSPPSVC.EXE
2924 | perfhost.exe
2368 | locator.exe
2268 | snmptrap.exe
2476 | vds.exe
964 | vssvc.exe
2616 | wbengine.exe
1276 | mscorsvw.exe
1044 | WmiApSrv.exe
2104 | wmpnetwk.exe
2768 | SearchIndexer.exe
112 | mscorsvw.exe
108 | mscorsvw.exe
2896 | mscorsvw.exe
2312 | mscorsvw.exe
2380 | mscorsvw.exe
1828 | mscorsvw.exe
808 | mscorsvw.exe
2632 | mscorsvw.exe
436 | mscorsvw.exe
916 | mscorsvw.exe
2712 | mscorsvw.exe
1472 | mscorsvw.exe
2804 | mscorsvw.exe
1052 | mscorsvw.exe
1828 | mscorsvw.exe
1832 | mscorsvw.exe
3060 | mscorsvw.exe
2232 | mscorsvw.exe
1732 | mscorsvw.exe
2236 | mscorsvw.exe
3000 | mscorsvw.exe
1580 | mscorsvw.exe
2804 | mscorsvw.exe
2464 | mscorsvw.exe
3056 | dllhost.exe
2360 | mscorsvw.exe
324 | mscorsvw.exe
2744 | mscorsvw.exe
2488 | mscorsvw.exe
400 | mscorsvw.exe
2016 | mscorsvw.exe
1696 | mscorsvw.exe
960 | mscorsvw.exe
2180 | mscorsvw.exe
240 | mscorsvw.exe
2068 | mscorsvw.exe
932 | mscorsvw.exe
Loads dropped DLL 57 IoCs
pid | Process
472 | Process not Found
472 | Process not Found
472 | Process not Found
472 | Process not Found
472 | Process not Found
472 | Process not Found
472 | Process not Found
2708 | msiexec.exe
472 | Process not Found
472 | Process not Found
472 | Process not Found
472 | Process not Found
472 | Process not Found
764 | Process not Found
472 | Process not Found
400 | mscorsvw.exe
400 | mscorsvw.exe
1696 | mscorsvw.exe
1696 | mscorsvw.exe
2180 | mscorsvw.exe
2180 | mscorsvw.exe
2068 | mscorsvw.exe
2068 | mscorsvw.exe
1316 | mscorsvw.exe
1316 | mscorsvw.exe
988 | mscorsvw.exe
988 | mscorsvw.exe
1832 | mscorsvw.exe
1832 | mscorsvw.exe
2716 | mscorsvw.exe
2716 | mscorsvw.exe
2180 | mscorsvw.exe
2180 | mscorsvw.exe
2988 | mscorsvw.exe
2988 | mscorsvw.exe
1640 | mscorsvw.exe
1640 | mscorsvw.exe
1316 | mscorsvw.exe
1316 | mscorsvw.exe
2004 | mscorsvw.exe
2004 | mscorsvw.exe
1108 | mscorsvw.exe
1108 | mscorsvw.exe
324 | mscorsvw.exe
324 | mscorsvw.exe
2208 | mscorsvw.exe
2208 | mscorsvw.exe
1828 | mscorsvw.exe
1828 | mscorsvw.exe
2796 | mscorsvw.exe
2796 | mscorsvw.exe
2312 | mscorsvw.exe
2312 | mscorsvw.exe
2196 | mscorsvw.exe
2196 | mscorsvw.exe
1636 | mscorsvw.exe
1636 | mscorsvw.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 21 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | aspnet_state.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | SearchProtocolHost.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | aspnet_state.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\5c828432ae4ef42b.bin | aspnet_state.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre7\bin\policytool.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | aspnet_state.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\java-rmi.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jre7\bin\servertool.exe | aspnet_state.exe
File opened for modification | C:\Program Files\SplitStart.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre7\bin\pack200.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre7\bin\ssvagent.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe | aspnet_state.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe | aspnet_state.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe | aspnet_state.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2829.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPABD9.tmp\Microsoft.Office.Tools.Outlook.v9.0.dll | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP43D4.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA592.tmp\Microsoft.Office.Tools.Excel.v9.0.dll | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP49BD.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | aspnet_state.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP31E9.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5D7B.tmp\stdole.dll | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP46B1.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | mscorsvw.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | mscorsvw.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10209 = "More Games from Microsoft" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | mscorsvw.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | mscorsvw.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\ehome\ehres.dll,-116 = "Opens your home entertainment option for digital and on-demand media, including TV, movies, music and pictures." | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | mscorsvw.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000206b755196aeda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-101 = "Chrysanthemum" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | mscorsvw.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | mscorsvw.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | mscorsvw.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | mscorsvw.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700 = "Print Management" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-101 = "Event Viewer" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | mscorsvw.exe
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid | Process
2144 | ehRec.exe
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
2504 | aspnet_state.exe
2504 | aspnet_state.exe
2504 | aspnet_state.exe
2504 | aspnet_state.exe
2504 | aspnet_state.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Token: SeShutdownPrivilege | 1512 | mscorsvw.exe
Token: SeShutdownPrivilege | 2568 | mscorsvw.exe
Token: 33 | 1552 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 1552 | EhTray.exe
Token: SeDebugPrivilege | 2144 | ehRec.exe
Token: SeRestorePrivilege | 2708 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2708 | msiexec.exe
Token: SeSecurityPrivilege | 2708 | msiexec.exe
Token: SeShutdownPrivilege | 1512 | mscorsvw.exe
Token: 33 | 1552 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 1552 | EhTray.exe
Token: SeShutdownPrivilege | 2568 | mscorsvw.exe
Token: SeShutdownPrivilege | 1512 | mscorsvw.exe
Token: SeShutdownPrivilege | 1512 | mscorsvw.exe
Token: SeShutdownPrivilege | 2568 | mscorsvw.exe
Token: SeShutdownPrivilege | 2568 | mscorsvw.exe
Token: SeBackupPrivilege | 964 | vssvc.exe
Token: SeRestorePrivilege | 964 | vssvc.exe
Token: SeAuditPrivilege | 964 | vssvc.exe
Token: SeBackupPrivilege | 2616 | wbengine.exe
Token: SeRestorePrivilege | 2616 | wbengine.exe
Token: SeSecurityPrivilege | 2616 | wbengine.exe
Token: SeManageVolumePrivilege | 2768 | SearchIndexer.exe
Token: 33 | 2768 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 2768 | SearchIndexer.exe
Token: 33 | 2104 | wmpnetwk.exe
Token: SeIncBasePriorityPrivilege | 2104 | wmpnetwk.exe
Token: SeShutdownPrivilege | 1512 | mscorsvw.exe
Token: SeShutdownPrivilege | 2568 | mscorsvw.exe
Token: SeDebugPrivilege | 1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Token: SeDebugPrivilege | 1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Token: SeDebugPrivilege | 1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Token: SeDebugPrivilege | 1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Token: SeDebugPrivilege | 1176 | 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Token: SeShutdownPrivilege | 1512 | mscorsvw.exe
Token: SeShutdownPrivilege | 2568 | mscorsvw.exe
Token: SeDebugPrivilege | 2504 | aspnet_state.exe
Token: SeShutdownPrivilege | 1512 | mscorsvw.exe
Token: SeShutdownPrivilege | 1512 | mscorsvw.exe
Token: SeShutdownPrivilege | 1512 | mscorsvw.exe
Token: SeShutdownPrivilege | 2568 | mscorsvw.exe
Token: SeShutdownPrivilege | 2568 | mscorsvw.exe
Token: SeShutdownPrivilege | 2568 | mscorsvw.exe
Token: SeShutdownPrivilege | 1512 | mscorsvw.exe
Token: SeShutdownPrivilege | 2568 | mscorsvw.exe
Token: SeShutdownPrivilege | 1512 | mscorsvw.exe
Token: SeShutdownPrivilege | 2568 | mscorsvw.exe
Token: SeShutdownPrivilege | 1512 | mscorsvw.exe
Token: SeShutdownPrivilege | 2568 | mscorsvw.exe
Token: SeShutdownPrivilege | 1512 | mscorsvw.exe
Token: SeShutdownPrivilege | 2568 | mscorsvw.exe
Token: SeShutdownPrivilege | 1512 | mscorsvw.exe
Token: SeShutdownPrivilege | 2568 | mscorsvw.exe
Token: SeShutdownPrivilege | 1512 | mscorsvw.exe
Token: SeShutdownPrivilege | 2568 | mscorsvw.exe
Token: SeShutdownPrivilege | 1512 | mscorsvw.exe
Token: SeShutdownPrivilege | 2568 | mscorsvw.exe
Token: SeShutdownPrivilege | 1512 | mscorsvw.exe
Token: SeShutdownPrivilege | 2568 | mscorsvw.exe
Token: SeShutdownPrivilege | 1512 | mscorsvw.exe
Token: SeShutdownPrivilege | 2568 | mscorsvw.exe
Token: SeShutdownPrivilege | 1512 | mscorsvw.exe
Token: SeShutdownPrivilege | 2568 | mscorsvw.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
1552 | EhTray.exe
1552 | EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs
pid | Process
1552 | EhTray.exe
1552 | EhTray.exe
Suspicious use of SetWindowsHookEx 21 IoCs
pid | Process
2680 | SearchProtocolHost.exe
2680 | SearchProtocolHost.exe
2680 | SearchProtocolHost.exe
2680 | SearchProtocolHost.exe
2680 | SearchProtocolHost.exe
2376 | SearchProtocolHost.exe
2376 | SearchProtocolHost.exe
2376 | SearchProtocolHost.exe
2376 | SearchProtocolHost.exe
2376 | SearchProtocolHost.exe
2376 | SearchProtocolHost.exe
2376 | SearchProtocolHost.exe
2376 | SearchProtocolHost.exe
2376 | SearchProtocolHost.exe
2376 | SearchProtocolHost.exe
2376 | SearchProtocolHost.exe
2376 | SearchProtocolHost.exe
2376 | SearchProtocolHost.exe
2376 | SearchProtocolHost.exe
2376 | SearchProtocolHost.exe
2680 | SearchProtocolHost.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1512 wrote to memory of 1276 | 1512 | mscorsvw.exe | 52
PID 1512 wrote to memory of 1276 | 1512 | mscorsvw.exe | 52
PID 1512 wrote to memory of 1276 | 1512 | mscorsvw.exe | 52
PID 1512 wrote to memory of 1276 | 1512 | mscorsvw.exe | 52
PID 1512 wrote to memory of 112 | 1512 | mscorsvw.exe | 57
PID 1512 wrote to memory of 112 | 1512 | mscorsvw.exe | 57
PID 1512 wrote to memory of 112 | 1512 | mscorsvw.exe | 57
PID 1512 wrote to memory of 112 | 1512 | mscorsvw.exe | 57
PID 1512 wrote to memory of 108 | 1512 | mscorsvw.exe | 58
PID 1512 wrote to memory of 108 | 1512 | mscorsvw.exe | 58
PID 1512 wrote to memory of 108 | 1512 | mscorsvw.exe | 58
PID 1512 wrote to memory of 108 | 1512 | mscorsvw.exe | 58
PID 2768 wrote to memory of 2680 | 2768 | SearchIndexer.exe | 59
PID 2768 wrote to memory of 2680 | 2768 | SearchIndexer.exe | 59
PID 2768 wrote to memory of 2680 | 2768 | SearchIndexer.exe | 59
PID 2768 wrote to memory of 2808 | 2768 | SearchIndexer.exe | 60
PID 2768 wrote to memory of 2808 | 2768 | SearchIndexer.exe | 60
PID 2768 wrote to memory of 2808 | 2768 | SearchIndexer.exe | 60
PID 1512 wrote to memory of 2896 | 1512 | mscorsvw.exe | 61
PID 1512 wrote to memory of 2896 | 1512 | mscorsvw.exe | 61
PID 1512 wrote to memory of 2896 | 1512 | mscorsvw.exe | 61
PID 1512 wrote to memory of 2896 | 1512 | mscorsvw.exe | 61
PID 1512 wrote to memory of 2312 | 1512 | mscorsvw.exe | 62
PID 1512 wrote to memory of 2312 | 1512 | mscorsvw.exe | 62
PID 1512 wrote to memory of 2312 | 1512 | mscorsvw.exe | 62
PID 1512 wrote to memory of 2312 | 1512 | mscorsvw.exe | 62
PID 1512 wrote to memory of 2380 | 1512 | mscorsvw.exe | 63
PID 1512 wrote to memory of 2380 | 1512 | mscorsvw.exe | 63
PID 1512 wrote to memory of 2380 | 1512 | mscorsvw.exe | 63
PID 1512 wrote to memory of 2380 | 1512 | mscorsvw.exe | 63
PID 1512 wrote to memory of 1828 | 1512 | mscorsvw.exe | 74
PID 1512 wrote to memory of 1828 | 1512 | mscorsvw.exe | 74
PID 1512 wrote to memory of 1828 | 1512 | mscorsvw.exe | 74
PID 1512 wrote to memory of 1828 | 1512 | mscorsvw.exe | 74
PID 1512 wrote to memory of 808 | 1512 | mscorsvw.exe | 65
PID 1512 wrote to memory of 808 | 1512 | mscorsvw.exe | 65
PID 1512 wrote to memory of 808 | 1512 | mscorsvw.exe | 65
PID 1512 wrote to memory of 808 | 1512 | mscorsvw.exe | 65
PID 1512 wrote to memory of 2632 | 1512 | mscorsvw.exe | 66
PID 1512 wrote to memory of 2632 | 1512 | mscorsvw.exe | 66
PID 1512 wrote to memory of 2632 | 1512 | mscorsvw.exe | 66
PID 1512 wrote to memory of 2632 | 1512 | mscorsvw.exe | 66
PID 1512 wrote to memory of 436 | 1512 | mscorsvw.exe | 67
PID 1512 wrote to memory of 436 | 1512 | mscorsvw.exe | 67
PID 1512 wrote to memory of 436 | 1512 | mscorsvw.exe | 67
PID 1512 wrote to memory of 436 | 1512 | mscorsvw.exe | 67
PID 2768 wrote to memory of 2376 | 2768 | SearchIndexer.exe | 68
PID 2768 wrote to memory of 2376 | 2768 | SearchIndexer.exe | 68
PID 2768 wrote to memory of 2376 | 2768 | SearchIndexer.exe | 68
PID 1512 wrote to memory of 916 | 1512 | mscorsvw.exe | 69
PID 1512 wrote to memory of 916 | 1512 | mscorsvw.exe | 69
PID 1512 wrote to memory of 916 | 1512 | mscorsvw.exe | 69
PID 1512 wrote to memory of 916 | 1512 | mscorsvw.exe | 69
PID 1512 wrote to memory of 2712 | 1512 | mscorsvw.exe | 70
PID 1512 wrote to memory of 2712 | 1512 | mscorsvw.exe | 70
PID 1512 wrote to memory of 2712 | 1512 | mscorsvw.exe | 70
PID 1512 wrote to memory of 2712 | 1512 | mscorsvw.exe | 70
PID 1512 wrote to memory of 1472 | 1512 | mscorsvw.exe | 71
PID 1512 wrote to memory of 1472 | 1512 | mscorsvw.exe | 71
PID 1512 wrote to memory of 1472 | 1512 | mscorsvw.exe | 71
PID 1512 wrote to memory of 1472 | 1512 | mscorsvw.exe | 71
PID 1512 wrote to memory of 2804 | 1512 | mscorsvw.exe | 83
PID 1512 wrote to memory of 2804 | 1512 | mscorsvw.exe | 83
PID 1512 wrote to memory of 2804 | 1512 | mscorsvw.exe | 83
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID: 1176

C:\Windows\System32\alg.exe (level 1)
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  PID: 2448

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe (level 1)
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (level 1)
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 2392

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (level 1)
  Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 1)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1512

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1276

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 112

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 258 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 108

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 248 -NGENProcess 1dc -Pipe 244 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2896

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 250 -NGENProcess 268 -Pipe 258 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2312

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1d8 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2380

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1dc -NGENProcess 270 -Pipe 240 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1828

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1f4 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 808

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 274 -NGENProcess 1d8 -Pipe 248 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2632

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 270 -Pipe 24c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 436

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1f4 -NGENProcess 280 -Pipe 274 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 916

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 284 -Pipe 27c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2712

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 26c -NGENProcess 268 -Pipe 280 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1472

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 250 -NGENProcess 284 -Pipe 1d8 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2804

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 250 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1052

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1dc -NGENProcess 294 -Pipe 28c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1828

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 288 -NGENProcess 26c -Pipe 1f4 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1832

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 298 -NGENProcess 250 -Pipe 268 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 3060

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 294 -Pipe 290 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2232

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 2a4 -Pipe 298 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1732

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 284 -NGENProcess 294 -Pipe 278 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2236

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a8 -NGENProcess 29c -Pipe 254 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 3000

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 288 -NGENProcess 2b0 -Pipe 284 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1580

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 268 -NGENProcess 254 -Pipe 210 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2360

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 240 -NGENProcess 290 -Pipe 260 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 324

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 274 -Pipe 248 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2744

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 258 -NGENProcess 254 -Pipe 27c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2488

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 244 -NGENProcess 290 -Pipe 298 -Comment "NGen Worker Process"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID: 400

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 254 -NGENProcess 290 -Pipe 240 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 2016

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 228 -NGENProcess 25c -Pipe 1ec -Comment "NGen Worker Process"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID: 1696

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 25c -NGENProcess 244 -Pipe 20c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 960

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d4 -NGENProcess 290 -Pipe 274 -Comment "NGen Worker Process"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID: 2180

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 244 -NGENProcess 1c8 -Pipe 25c -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 240

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2ac -NGENProcess 264 -Pipe 29c -Comment "NGen Worker Process"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID: 2068

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 264 -NGENProcess 1dc -Pipe 228 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 932

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 290 -NGENProcess 1c8 -Pipe 2b0 -Comment "NGen Worker Process"
    PID: 3024

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 1c8 -NGENProcess 2ac -Pipe 26c -Comment "NGen Worker Process"
    PID: 1648

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 294 -NGENProcess 244 -Pipe 288 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory
    PID: 1316

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 244 -NGENProcess 290 -Pipe 2a0 -Comment "NGen Worker Process"
    PID: 1552

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2b4 -NGENProcess 2ac -Pipe 264 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory
    PID: 988

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2ac -NGENProcess 294 -Pipe 250 -Comment "NGen Worker Process"
    PID: 1036

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2bc -NGENProcess 290 -Pipe 1c8 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory
    PID: 1832

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 290 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
    PID: 2976

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2c4 -NGENProcess 294 -Pipe 244 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory
    PID: 2716

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 294 -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
    PID: 2200

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 2ac -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory
    PID: 2180

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
    PID: 1276

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 290 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory
    PID: 2988

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
    PID: 2212

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 294 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory
    PID: 1640

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
    PID: 2548

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2b4 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory
    PID: 1316

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2cc -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
    PID: 2180

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 2bc -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory
    PID: 2004

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
    PID: 1656

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2c4 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory
    PID: 1108

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2dc -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
    PID: 1340

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 2cc -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory
    PID: 324

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2e4 -NGENProcess 2f4 -Pipe 2f8 -Comment "NGen Worker Process"
    PID: 2068

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 304 -NGENProcess 2ec -Pipe 2d4 -Comment "NGen Worker Process"
    PID: 2564

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 300 -Pipe 2a8 -Comment "NGen Worker Process"
    PID: 1304

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2f4 -Pipe 2dc -Comment "NGen Worker Process"
    PID: 1648

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2ec -Pipe 268 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory
    PID: 2208

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2ec -NGENProcess 308 -Pipe 300 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory
    PID: 1828

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 308 -NGENProcess 2fc -Pipe 2f4 -Comment "NGen Worker Process"
    PID: 2828

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 31c -NGENProcess 314 -Pipe 304 -Comment "NGen Worker Process"
    PID: 1552

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 318 -Pipe 30c -Comment "NGen Worker Process"
    - Modifies data under HKEY_USERS
    PID: 2380

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2fc -Pipe 310 -Comment "NGen Worker Process"
    PID: 3024

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 314 -Pipe 2e4 -Comment "NGen Worker Process"
    PID: 2832

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 318 -Pipe 2ec -Comment "NGen Worker Process"
    PID: 2716

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2fc -Pipe 308 -Comment "NGen Worker Process"
    PID: 2024

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 314 -Pipe 31c -Comment "NGen Worker Process"
    PID: 1276

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 318 -Pipe 320 -Comment "NGen Worker Process"
    PID: 2948

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2fc -Pipe 324 -Comment "NGen Worker Process"
    PID: 976

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 314 -Pipe 328 -Comment "NGen Worker Process"
    PID: 1548

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 318 -Pipe 32c -Comment "NGen Worker Process"
    PID: 2012

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2fc -Pipe 330 -Comment "NGen Worker Process"
    PID: 2592

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 314 -Pipe 334 -Comment "NGen Worker Process"
    PID: 2832

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 318 -Pipe 338 -Comment "NGen Worker Process"
    PID: 2044

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2fc -Pipe 33c -Comment "NGen Worker Process"
    - Modifies data under HKEY_USERS
    PID: 2468

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 314 -Pipe 340 -Comment "NGen Worker Process"
    PID: 2140

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 318 -Pipe 344 -Comment "NGen Worker Process"
    PID: 2232

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 2fc -Pipe 348 -Comment "NGen Worker Process"
    PID: 3012

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 314 -Pipe 34c -Comment "NGen Worker Process"
    PID: 2060

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 318 -Pipe 350 -Comment "NGen Worker Process"
    PID: 1144

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 2fc -Pipe 354 -Comment "NGen Worker Process"
    PID: 2544

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 314 -Pipe 358 -Comment "NGen Worker Process"
    PID: 2832

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 318 -Pipe 35c -Comment "NGen Worker Process"
    - Modifies data under HKEY_USERS
    PID: 1316

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 2fc -Pipe 360 -Comment "NGen Worker Process"
    - Modifies data under HKEY_USERS
    PID: 2468

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 314 -Pipe 364 -Comment "NGen Worker Process"
    - Modifies data under HKEY_USERS
    PID: 1212

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 318 -Pipe 368 -Comment "NGen Worker Process"
    - Modifies data under HKEY_USERS
    PID: 1484

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 318 -NGENProcess 380 -Pipe 384 -Comment "NGen Worker Process"
    - Modifies data under HKEY_USERS
    PID: 1304

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 388 -NGENProcess 314 -Pipe 370 -Comment "NGen Worker Process"
    - Modifies data under HKEY_USERS
    PID: 1076

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 36c -Pipe 374 -Comment "NGen Worker Process"
    - Modifies data under HKEY_USERS
    PID: 400

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 380 -Pipe 378 -Comment "NGen Worker Process"
    - Modifies data under HKEY_USERS
    PID: 2412

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 314 -Pipe 2fc -Comment "NGen Worker Process"
    - Modifies data under HKEY_USERS
    PID: 1316

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 36c -Pipe 37c -Comment "NGen Worker Process"
    - Modifies data under HKEY_USERS
    PID: 2240

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 380 -Pipe 318 -Comment "NGen Worker Process"
    - Modifies data under HKEY_USERS
    PID: 1212

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 314 -Pipe 388 -Comment "NGen Worker Process"
    - Modifies data under HKEY_USERS
    PID: 2552

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 36c -Pipe 38c -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID: 2796

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 39c -NGENProcess 3ac -Pipe 3a0 -Comment "NGen Worker Process"
    - Modifies data under HKEY_USERS
    PID: 916

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 390 -NGENProcess 36c -Pipe 394 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID: 2312

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 36c -NGENProcess 3a8 -Pipe 3a4 -Comment "NGen Worker Process"
    - Modifies data under HKEY_USERS
    PID: 1952

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 3b4 -NGENProcess 3ac -Pipe 398 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID: 2196

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3ac -NGENProcess 390 -Pipe 3b0 -Comment "NGen Worker Process"
    PID: 604

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3bc -NGENProcess 3a8 -Pipe 39c -Comment "NGen Worker Process"
    - Modifies data under HKEY_USERS
    PID: 2600

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 3b8 -Pipe 24c -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1636
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3b8 -NGENProcess 3ac -Pipe 390 -Comment "NGen Worker Process"2⤵PID:2256
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3c8 -NGENProcess 3a8 -Pipe 380 -Comment "NGen Worker Process"2⤵PID:1832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3c0 -NGENProcess 3cc -Pipe 3b8 -Comment "NGen Worker Process"2⤵PID:2936
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3bc -NGENProcess 3a8 -Pipe 314 -Comment "NGen Worker Process"2⤵PID:1528
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3d0 -NGENProcess 3c8 -Pipe 3ac -Comment "NGen Worker Process"2⤵PID:1108
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3cc -Pipe 1c4 -Comment "NGen Worker Process"2⤵PID:1940
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3a8 -Pipe 3c4 -Comment "NGen Worker Process"2⤵PID:2788
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 3c8 -Pipe 3b4 -Comment "NGen Worker Process"2⤵PID:1144
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3cc -Pipe 3c0 -Comment "NGen Worker Process"2⤵PID:1976
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3e4 -NGENProcess 3bc -Pipe 3e0 -Comment "NGen Worker Process"2⤵PID:1524
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3c8 -Pipe 3d0 -Comment "NGen Worker Process"2⤵PID:2200
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3cc -Pipe 3c0 -Comment "NGen Worker Process"2⤵PID:2800
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3bc -Pipe 3d8 -Comment "NGen Worker Process"2⤵PID:2468
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 3c8 -Pipe 3dc -Comment "NGen Worker Process"2⤵PID:2036
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3cc -Pipe 3a8 -Comment "NGen Worker Process"2⤵PID:1108
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3bc -Pipe 3e4 -Comment "NGen Worker Process"2⤵PID:2224
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 404 -NGENProcess 3c8 -Pipe 3e8 -Comment "NGen Worker Process"2⤵PID:1992
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2568 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2804
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2464
-
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
PID:1480
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:1960
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1552
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1096
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:3012
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3048
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2740
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1332
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2708
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2188
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
- Executes dropped EXE
PID:2320
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:2924
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2368
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:2268
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:2476
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:964
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2616
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1044
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2104
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:2680
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵
- Modifies data under HKEY_USERS
PID:2808
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2376
-
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
PID:3056
Network
MITRE ATT&CK Enterprise v15
Downloads