e9be9f73b8a887efad7ac1c0878b658c2f1c4f3e6b36b9d05965a3f6bfb50056

Analysis

max time kernel
141s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
Size

712KB
MD5

1efa52c086691b0464a0b289b352bb5c
SHA1

85296ebd43a1e4b66fd724ca3d5aaea4ddc7a58f
SHA256

e9be9f73b8a887efad7ac1c0878b658c2f1c4f3e6b36b9d05965a3f6bfb50056
SHA512

6de7f45f619cfd51f7aa9f925aea126dd23ba67698bb9aa8abebdcd2e724d02e48fcdd42765732941980514d7604e347d8a563ef953963c52ab419d558141180
SSDEEP

12288:MtOw6BaiTduSZpUdxB30GHrVxGnXQSaWt+DNISOgv3isiyWcg:i6BlTduSZpUR0GHrVQ1aW4mSOgv3isi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
1680	alg.exe
2916	aspnet_state.exe
2520	mscorsvw.exe
2416	mscorsvw.exe
3004	mscorsvw.exe
2352	mscorsvw.exe
284	ehRecvr.exe
2152	ehsched.exe
1780	elevation_service.exe
2236	IEEtwCollector.exe
2128	GROOVE.EXE
1236	maintenanceservice.exe
888	msdtc.exe
2844	msiexec.exe
872	OSE.EXE
2084	OSPPSVC.EXE
2504	perfhost.exe
2624	locator.exe
2840	snmptrap.exe
324	vds.exe
2424	vssvc.exe
2528	wbengine.exe
1816	mscorsvw.exe
2328	WmiApSrv.exe
1720	wmpnetwk.exe
112	SearchIndexer.exe
2800	mscorsvw.exe
2524	mscorsvw.exe
1796	mscorsvw.exe
1604	mscorsvw.exe
1584	mscorsvw.exe
2144	mscorsvw.exe
1968	mscorsvw.exe
2188	mscorsvw.exe
1120	mscorsvw.exe
2560	mscorsvw.exe
2564	mscorsvw.exe
2664	mscorsvw.exe
2176	mscorsvw.exe
1244	mscorsvw.exe
436	mscorsvw.exe
2852	mscorsvw.exe
2524	mscorsvw.exe
2664	mscorsvw.exe
2332	mscorsvw.exe
928	mscorsvw.exe
1576	mscorsvw.exe
2640	mscorsvw.exe
2100	mscorsvw.exe
2692	mscorsvw.exe
552	dllhost.exe
2524	mscorsvw.exe
2572	mscorsvw.exe
1700	mscorsvw.exe
2692	mscorsvw.exe
992	mscorsvw.exe
1232	mscorsvw.exe
2748	mscorsvw.exe
744	mscorsvw.exe
1432	mscorsvw.exe
900	mscorsvw.exe
1040	mscorsvw.exe
596	mscorsvw.exe

Loads dropped DLL 59 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2844	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
756	Process not Found
468	Process not Found
992	mscorsvw.exe
992	mscorsvw.exe
2748	mscorsvw.exe
2748	mscorsvw.exe
1432	mscorsvw.exe
1432	mscorsvw.exe
1040	mscorsvw.exe
1040	mscorsvw.exe
1132	mscorsvw.exe
1132	mscorsvw.exe
944	mscorsvw.exe
944	mscorsvw.exe
532	mscorsvw.exe
532	mscorsvw.exe
1232	mscorsvw.exe
1232	mscorsvw.exe
2324	mscorsvw.exe
2324	mscorsvw.exe
2988	mscorsvw.exe
2988	mscorsvw.exe
2668	mscorsvw.exe
2668	mscorsvw.exe
2408	mscorsvw.exe
2408	mscorsvw.exe
2412	mscorsvw.exe
2412	mscorsvw.exe
1632	mscorsvw.exe
1632	mscorsvw.exe
2196	mscorsvw.exe
2196	mscorsvw.exe
748	mscorsvw.exe
748	mscorsvw.exe
1308	mscorsvw.exe
1308	mscorsvw.exe
2112	mscorsvw.exe
2112	mscorsvw.exe
2180	mscorsvw.exe
2180	mscorsvw.exe
1652	mscorsvw.exe
1652	mscorsvw.exe
2500	mscorsvw.exe
2500	mscorsvw.exe
1704	mscorsvw.exe
1704	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\35701724ae4ef42b.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	aspnet_state.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP19E7.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4183.tmp\stdole.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP992.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP24B0.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD0B.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7A3F.tmp\Microsoft.Office.Tools.Common.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2942.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B35.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0f199f3c3b3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\rstrui.exe,-100 = "System Restore"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Sidebar\sidebar.exe,-1012 = "Add Desktop Gadgets that display personalized slideshows, news feeds, and other customized information."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10303 = "Enjoy the classic strategy game of Chess. Play against the computer, or compete against a friend. The winner is the first to capture the opponent’s king."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-202 = "Schedule computer tasks to run automatically."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2628	ehRec.exe
1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
2916	aspnet_state.exe
2916	aspnet_state.exe
2916	aspnet_state.exe
2916	aspnet_state.exe
2916	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
Token: SeShutdownPrivilege	3004	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: 33	1672	EhTray.exe
Token: SeIncBasePriorityPrivilege	1672	EhTray.exe
Token: SeDebugPrivilege	2628	ehRec.exe
Token: SeRestorePrivilege	2844	msiexec.exe
Token: SeTakeOwnershipPrivilege	2844	msiexec.exe
Token: SeSecurityPrivilege	2844	msiexec.exe
Token: SeShutdownPrivilege	3004	mscorsvw.exe
Token: 33	1672	EhTray.exe
Token: SeIncBasePriorityPrivilege	1672	EhTray.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	3004	mscorsvw.exe
Token: SeShutdownPrivilege	3004	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeBackupPrivilege	2424	vssvc.exe
Token: SeRestorePrivilege	2424	vssvc.exe
Token: SeAuditPrivilege	2424	vssvc.exe
Token: SeBackupPrivilege	2528	wbengine.exe
Token: SeRestorePrivilege	2528	wbengine.exe
Token: SeSecurityPrivilege	2528	wbengine.exe
Token: SeManageVolumePrivilege	112	SearchIndexer.exe
Token: 33	112	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	112	SearchIndexer.exe
Token: 33	1720	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1720	wmpnetwk.exe
Token: SeShutdownPrivilege	3004	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeDebugPrivilege	1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
Token: SeDebugPrivilege	1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
Token: SeDebugPrivilege	1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
Token: SeDebugPrivilege	1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
Token: SeDebugPrivilege	1152	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
Token: SeShutdownPrivilege	3004	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeDebugPrivilege	2916	aspnet_state.exe
Token: SeShutdownPrivilege	3004	mscorsvw.exe
Token: SeShutdownPrivilege	3004	mscorsvw.exe
Token: SeShutdownPrivilege	3004	mscorsvw.exe
Token: SeShutdownPrivilege	3004	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	3004	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	3004	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	3004	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	3004	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	3004	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	3004	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	3004	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	3004	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	3004	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	3004	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1672	EhTray.exe
1672	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1672	EhTray.exe
1672	EhTray.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
2512	SearchProtocolHost.exe
2512	SearchProtocolHost.exe
2512	SearchProtocolHost.exe
2512	SearchProtocolHost.exe
2512	SearchProtocolHost.exe
1216	SearchProtocolHost.exe
1216	SearchProtocolHost.exe
1216	SearchProtocolHost.exe
1216	SearchProtocolHost.exe
1216	SearchProtocolHost.exe
1216	SearchProtocolHost.exe
1216	SearchProtocolHost.exe
1216	SearchProtocolHost.exe
1216	SearchProtocolHost.exe
1216	SearchProtocolHost.exe
1216	SearchProtocolHost.exe
1216	SearchProtocolHost.exe
1216	SearchProtocolHost.exe
1216	SearchProtocolHost.exe
1216	SearchProtocolHost.exe
1216	SearchProtocolHost.exe
1216	SearchProtocolHost.exe
2512	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 1816	3004	mscorsvw.exe	52
PID 3004 wrote to memory of 1816	3004	mscorsvw.exe	52
PID 3004 wrote to memory of 1816	3004	mscorsvw.exe	52
PID 3004 wrote to memory of 1816	3004	mscorsvw.exe	52
PID 3004 wrote to memory of 2800	3004	mscorsvw.exe	57
PID 3004 wrote to memory of 2800	3004	mscorsvw.exe	57
PID 3004 wrote to memory of 2800	3004	mscorsvw.exe	57
PID 3004 wrote to memory of 2800	3004	mscorsvw.exe	57
PID 3004 wrote to memory of 2524	3004	mscorsvw.exe	76
PID 3004 wrote to memory of 2524	3004	mscorsvw.exe	76
PID 3004 wrote to memory of 2524	3004	mscorsvw.exe	76
PID 3004 wrote to memory of 2524	3004	mscorsvw.exe	76
PID 112 wrote to memory of 2512	112	SearchIndexer.exe	59
PID 112 wrote to memory of 2512	112	SearchIndexer.exe	59
PID 112 wrote to memory of 2512	112	SearchIndexer.exe	59
PID 112 wrote to memory of 1364	112	SearchIndexer.exe	60
PID 112 wrote to memory of 1364	112	SearchIndexer.exe	60
PID 112 wrote to memory of 1364	112	SearchIndexer.exe	60
PID 3004 wrote to memory of 1796	3004	mscorsvw.exe	61
PID 3004 wrote to memory of 1796	3004	mscorsvw.exe	61
PID 3004 wrote to memory of 1796	3004	mscorsvw.exe	61
PID 3004 wrote to memory of 1796	3004	mscorsvw.exe	61
PID 3004 wrote to memory of 1604	3004	mscorsvw.exe	62
PID 3004 wrote to memory of 1604	3004	mscorsvw.exe	62
PID 3004 wrote to memory of 1604	3004	mscorsvw.exe	62
PID 3004 wrote to memory of 1604	3004	mscorsvw.exe	62
PID 3004 wrote to memory of 1584	3004	mscorsvw.exe	63
PID 3004 wrote to memory of 1584	3004	mscorsvw.exe	63
PID 3004 wrote to memory of 1584	3004	mscorsvw.exe	63
PID 3004 wrote to memory of 1584	3004	mscorsvw.exe	63
PID 3004 wrote to memory of 2144	3004	mscorsvw.exe	64
PID 3004 wrote to memory of 2144	3004	mscorsvw.exe	64
PID 3004 wrote to memory of 2144	3004	mscorsvw.exe	64
PID 3004 wrote to memory of 2144	3004	mscorsvw.exe	64
PID 3004 wrote to memory of 1968	3004	mscorsvw.exe	65
PID 3004 wrote to memory of 1968	3004	mscorsvw.exe	65
PID 3004 wrote to memory of 1968	3004	mscorsvw.exe	65
PID 3004 wrote to memory of 1968	3004	mscorsvw.exe	65
PID 3004 wrote to memory of 2188	3004	mscorsvw.exe	66
PID 3004 wrote to memory of 2188	3004	mscorsvw.exe	66
PID 3004 wrote to memory of 2188	3004	mscorsvw.exe	66
PID 3004 wrote to memory of 2188	3004	mscorsvw.exe	66
PID 112 wrote to memory of 1216	112	SearchIndexer.exe	67
PID 112 wrote to memory of 1216	112	SearchIndexer.exe	67
PID 112 wrote to memory of 1216	112	SearchIndexer.exe	67
PID 3004 wrote to memory of 1120	3004	mscorsvw.exe	68
PID 3004 wrote to memory of 1120	3004	mscorsvw.exe	68
PID 3004 wrote to memory of 1120	3004	mscorsvw.exe	68
PID 3004 wrote to memory of 1120	3004	mscorsvw.exe	68
PID 3004 wrote to memory of 2560	3004	mscorsvw.exe	69
PID 3004 wrote to memory of 2560	3004	mscorsvw.exe	69
PID 3004 wrote to memory of 2560	3004	mscorsvw.exe	69
PID 3004 wrote to memory of 2560	3004	mscorsvw.exe	69
PID 3004 wrote to memory of 2564	3004	mscorsvw.exe	70
PID 3004 wrote to memory of 2564	3004	mscorsvw.exe	70
PID 3004 wrote to memory of 2564	3004	mscorsvw.exe	70
PID 3004 wrote to memory of 2564	3004	mscorsvw.exe	70
PID 3004 wrote to memory of 2664	3004	mscorsvw.exe	77
PID 3004 wrote to memory of 2664	3004	mscorsvw.exe	77
PID 3004 wrote to memory of 2664	3004	mscorsvw.exe	77
PID 3004 wrote to memory of 2664	3004	mscorsvw.exe	77
PID 3004 wrote to memory of 2176	3004	mscorsvw.exe	72
PID 3004 wrote to memory of 2176	3004	mscorsvw.exe	72
PID 3004 wrote to memory of 2176	3004	mscorsvw.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1680

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2520

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 250 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 244 -NGENProcess 25c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 1d4 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 254 -NGENProcess 250 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 1d4 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 270 -NGENProcess 26c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 250 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 258 -NGENProcess 27c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 258 -NGENProcess 278 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 254 -NGENProcess 284 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 27c -NGENProcess 288 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 26c -NGENProcess 278 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 290 -NGENProcess 288 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 254 -NGENProcess 288 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d4 -NGENProcess 26c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 278 -NGENProcess 258 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 254 -NGENProcess 2a0 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 268 -NGENProcess 2a4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2a8 -NGENProcess 2a0 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2a0 -NGENProcess 258 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 22c -NGENProcess 230 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 244 -NGENProcess 29c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 218 -NGENProcess 1f0 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 24c -NGENProcess 29c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 24c -NGENProcess 218 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 240 -NGENProcess 218 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 21c -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 1d8 -NGENProcess 24c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1d0 -NGENProcess 218 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 218 -NGENProcess 21c -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 2ac -NGENProcess 24c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 24c -NGENProcess 1d0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 288 -NGENProcess 21c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 24c -NGENProcess 2a8 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 258 -NGENProcess 2a4 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2a4 -NGENProcess 2a0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 268 -NGENProcess 24c -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 24c -NGENProcess 258 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  PID:572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 2a0 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2a0 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2bc -NGENProcess 258 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 258 -NGENProcess 254 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:1240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2c4 -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 268 -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:1312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2cc -NGENProcess 254 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 254 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 254 -NGENProcess 2ac -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 230 -NGENProcess 2bc -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 2bc -NGENProcess 2d4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2e4 -NGENProcess 2ac -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2ac -NGENProcess 230 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f4 -NGENProcess 230 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 230 -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2f8 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  PID:1388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2ec -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2e4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2e4 -NGENProcess 300 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 300 -NGENProcess 2f4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 318 -NGENProcess 30c -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:1552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2e4 -NGENProcess 31c -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 310 -NGENProcess 30c -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 320 -NGENProcess 318 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 31c -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 30c -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 318 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 31c -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 30c -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 318 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 31c -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 30c -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 318 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 31c -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 30c -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 318 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 31c -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:1988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 30c -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:1752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 350 -NGENProcess 360 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 344 -NGENProcess 30c -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 364 -NGENProcess 358 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  PID:572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 360 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 30c -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 358 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 360 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 30c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 30c -NGENProcess 378 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 380 -NGENProcess 360 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 364 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 378 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 374 -NGENProcess 360 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 358 -NGENProcess 118 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 358 -NGENProcess 374 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 30c -NGENProcess 118 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 394 -NGENProcess 388 -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 388 -NGENProcess 358 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 39c -NGENProcess 118 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 118 -NGENProcess 394 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 118 -InterruptEvent 3a4 -NGENProcess 358 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 358 -NGENProcess 39c -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:1388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 3ac -NGENProcess 394 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 3a8 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3a8 -NGENProcess 358 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3b8 -NGENProcess 394 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:1808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3b8 -NGENProcess 3a8 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3a4 -NGENProcess 394 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3c4 -NGENProcess 3b0 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 3a8 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:1312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 394 -Pipe 118 -Comment "NGen Worker Process"
  2⤵
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 3b0 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:1784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3c8 -NGENProcess 3d8 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3b8 -NGENProcess 3b0 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:1636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3d4 -NGENProcess 3e0 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 358 -NGENProcess 3b0 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 3e4 -NGENProcess 3b8 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3e0 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3e8 -NGENProcess 3e4 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3dc -NGENProcess 3e0 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3d0 -NGENProcess 3f0 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3f4 -NGENProcess 3e4 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3f4 -NGENProcess 3d0 -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3d4 -NGENProcess 3e4 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:1132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3d0 -NGENProcess 3e4 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 408 -NGENProcess 3e8 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 3e8 -NGENProcess 404 -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:1816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 410 -NGENProcess 3e4 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 414 -NGENProcess 40c -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 418 -NGENProcess 404 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 41c -NGENProcess 3e4 -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 420 -NGENProcess 40c -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 40c -NGENProcess 418 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 428 -NGENProcess 3e4 -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 420 -NGENProcess 430 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:1388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 414 -NGENProcess 3e4 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 434 -NGENProcess 428 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 438 -NGENProcess 430 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:2960

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2692

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:284

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2152

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1672

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1780

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2236

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2128

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1236

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:888

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:872

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2084

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2504

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2624

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2840

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2328

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:112
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2512
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  PID:1364
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1216

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
2e103b3ac5dc92e2032b14de48768932

SHA1
a9ef6cb380379c6c5a9dc8b386aa7507911d99d3

SHA256
2935f0abc33ab454865cf587f4b5aa3addd4ef660a01fec77c94c97945d2c413

SHA512
56e7280f22d90cc1466021a328a077111f01dc7b53f4e08948ae5e559b26fc1e380df55c888e7d851ba2b98a96b1b68fbf64026d2c96306754979ed3706fae59

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
6b1d3c840f09acabae6614235c2c5d31

SHA1
38eb5d70ab71d964094833c4a2f88009e3c9f870

SHA256
f2e02edac38dc46d2acb2705055edc5ddbb96988ed0f8325224321432ba5be6c

SHA512
74ad679928aca56180e55a081483194210f0898ba4f0990c6e0507590ba861de260b2df4753f0559cdcbbbe66718a7a7067b0ce72ba73096e7aec285c8cb5bb8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
07016769ad2f611fae3e026223e9a35b

SHA1
d42ac411f95349f869ae302f40e695d28aaa09bf

SHA256
eb3789738bebb40a07c4c6d660d2c28a0bd85e2589951d12c22ef0fab97140ff

SHA512
77b14b39efc7294599d4b66f5e699a952303c83ecce2742899604a253fe54bffa5bc5048e800991dd3652d7ea8d4f8fd84aa29a3b8c75d662def9df188e34a07

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
e2560a669696a4db8946252c237d26da

SHA1
0ddfb1abda9dfcd14ef1067c406930d3d02b5917

SHA256
6db7d82f9aa1127d299d78b2b7cb50fa0abc3ba742a77885db4f3118bb2964ed

SHA512
6b3765e0d266100fe4197ff11ba01902b75fce99a7b7332bd1895465deb503370c0d65204eb257f58a463eb9df53112eeddc6c3844681130f1335a432280b22d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
3f34969ccf183fec977dd1dca453a460

SHA1
203635aeae59d6ec300e9773ffa115b36ec05b9f

SHA256
176141e6952452323768ab7178e7bf69ed285e89f40ffdee87e9c29a6dd82cbe

SHA512
77d706b49ff7010ceb8025b9c28ab890ee0e7a5b73f8c0cbed6d14bb88437e3369687ed068ba549e69da9ba5391a86f27511fe911975315ca05f7259bcc3e9dc

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
21bf0049590f9d023113c6ef43fa0172

SHA1
084002ff1b75c11bad1fdc9cede5c3f7b39fb2bd

SHA256
ed5c4695366200b1b3cd899f9727cab1c8510e27f8cb82149b7aadc7567b936e

SHA512
d13b332f0d75513a6a44ddba5d21d1add16ec186871bca2ea2d6e4b9232ac25948f6e00efa8c0542fcd0f7dd34cb0010f846cbbac54aed015e92e2c017a336a8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
4335c0a448ff85e71055038845a64810

SHA1
7409a0a78144cbe74d2ac7e5e3e272c80c1db031

SHA256
da61aef94d69e71eb0a44e104ad9545ea8c1516c86fa83d27616a7b0d2f08444

SHA512
346704c8343f3c25fd6873a888094f71dd88f0526b1b7a3d2d373593f5e2689be492da02cfb88e1edc40bf02bc400718e59d6dd452dd095bb5b976f725124a55

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
bfc97c79663842437a9bf03ec0a50263

SHA1
7ae815fc43ecd852f0c2c6f08145aa4fe07a8845

SHA256
c8bfa61aa3f49da06ce3692c9cb81ee9faf405b8ae5cdf2a4c3bcf634817d38d

SHA512
2f6d7843cc2967c5cfc95ebeaa430d9ef7aa47d52b5e53517be24005468e06f31d9a9881ec9c001140c685e5c5f48f07463f4dcf46ab18145d778d4d270781e9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
0329544b004392b151de44b84fc1f738

SHA1
43b7396dd8113af7edbef132ccbc2e6d023cfc9c

SHA256
fb47a2fdcfea04ab1f49a75f28834ba885087dbb1f0d0c51cadcc7ef75ad0019

SHA512
cfeb2c129477ee729ce8b54ee99f936d40bc248e05cec6dcc4e84532e2e4c342430e5fc11dad2b40d56e733bab0bc0ffaa839f3cd0f931ce2e00948633d54ead

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
88c76c95b076478829364ab9af882ab1

SHA1
0b235a1faff69cf36f9caaab5a40c912e89b716d

SHA256
0d60f00a40d3c9f615c83d131e67d926f0e494649d7ff5e735b45768a94806ea

SHA512
d2d7f6755edac0cb0c68d8351a63fb293772f1805c9ac43edaaa9c282c54747f95e5c153e1a5b6214b17e9c851c881a8b0afedbe4abfbd575d9336459fdc2b60

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
9f9b4d0b193867c7e5a3d1125c399fff

SHA1
dbd057ae673b39619c230f8d549a8dcd6e196e3a

SHA256
d65f094906a4b3334b04405ea51b9342ef25ba4da4369f65d39dd47c85ec5496

SHA512
8c2ac66803eb875b051097c5a7c62d2bc829589d92c2dcd651701e9954b5902eab157aeb4116533c01f45520b8447f5fd9f5c186fab9755d5fe94a6b304a9c0f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
38b8a8b1829d562524346d8e7a4cfffc

SHA1
a3c5fdf3ea5faa186b7936d915175fe8b5ed95a9

SHA256
f1a00b1e9d5bb4d3355dc2658e2a8bba5f1f71c4c920128308dc610573d1776d

SHA512
f73281be92f1d607bbacec50ccf7911bc03b6e0c2fd0da61fd60fc9460d1af9a3f58934a02f4f5e83bbe81cf8591708950bcb4744576d588668678ff679a1d70

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
9502ac70eafebaf3c42d5faa159dfc24

SHA1
26c983d636de4d6ca3346effb767bd1546194af5

SHA256
31929e08505cf3d3204e45e3232138119ffb6c7fc4686a433ca26a356e016a31

SHA512
07decc5b7bc77dbca79b60fdec6142005dbd2346d765cab30511dc63eb195d348375869c883f74970ea7cd661328ac243e2a3089024c3ad6ce9f0d84a022f4fc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
787bfeb915f48f84a21665bb10733cb0

SHA1
51296fcf88a390d07fecb5d3478f7559eb272026

SHA256
d24b9313cd8db1a3be1c76b1894311319e7913e76bb6b0e77cfe333e68b95d2d

SHA512
4a8583351164c3aa864860e4e8535087f55d427a8d72c0f86dcd9536c03ae6bc8e7b28703920d26307ee61af9036787be5bdab367ce6daed01a75fd6d95e4c28

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
141bbe022262721aacddc3db7e2c960c

SHA1
67906c177d171a9641d5c8dddb7b3aefedf86755

SHA256
7d0219ddbc672ed01dd6c20b6632985c943dd7d30566d0f07bbfdd8f5bcf119b

SHA512
c9b8d6a4a11df0a9c3c3dd4e43796c0f7ad418c0f9864c6a5a05d1e3bf2b587df34e662725262455acba5e9525548c9ac92bd2796f6270023b5f80bb02cd8d71

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
a427497717884ff895cb9062052ae901

SHA1
bc6b655c671885fe05d7fe9ed2a497c7883a1450

SHA256
af0277d1fca2d4f8263c50e5282a4c38bd89b85eefac95bdaec866de42e854ac

SHA512
faca33deed30268012aa3731c6c8ac8c293490c13b2250e414a7457e2f3a85b8a139d8f78e0d3fdc1c61bcd614eb97f7c360992cd6c68d8cc267025115b57c3e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
232fa4701e7c5501473aab02d0f1cdb8

SHA1
aca8ebe5a5f57bef9bebdc00e6b537ff574a127e

SHA256
d301bf407f24507546f8460ba05d4066701cb4ecf98336343faf37acb9c16b26

SHA512
1706fdac1d84512fab4d181eeca240d9a60553fa4f9388e8f53498c64fa5a57eb23215397908c839590ea0f67dd2c7bc5fa64e96311b951682523056ed2487a4

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
0145603a980a30399f66d90089741ce6

SHA1
65f11b8e85eee1a3ed17e97ff2c413a67c1b067e

SHA256
c0fa0dc23ebd2503bb4688aab0084878460610716481e6606c680ee400221718

SHA512
62ef536a621cfd50d8ec4c415f4fcb8f437ab0aad25f662dabbd5ad149b48fbe77a582f14bbc65331cbb3749aa8805bd9555bd8191dd2c8b890a1e582ccd3b3b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
8dbb27a8071c295bb2195a97f99f83df

SHA1
3c7a0168cc360982bb325e0a7b3117637b8cd483

SHA256
92e530e3c1ffcb1cf1decea62804fcdec5f6f544588fa977767888b8ac8bef13

SHA512
e35afe4b78e2ebcd163f51b7769b4df28de07193333672068f4cffa18c121be91411b1b3f400fc3c3b4c7b7e922ab8c719fd6a023fb5693c6f7950eaf2aaee62

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
806a7d2edb608703f776057ff754d619

SHA1
b586896366c921f677f05c82c21ac550c4df8dee

SHA256
7940293b199d4cb8555a992ec01b7e7412f6b2fd405ca3b39f54cf69f1f3f935

SHA512
9604731d998fa88c432043aa55c8c380b0f3e461276138106e5217cd7243684f94a21e1ea67044c0a7c7fa1fd271cab7a6e8dadbf62faa0d29b52145bf2f137f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
5ccb72448a7708d62ceb1848d67147db

SHA1
7492c37bf2eba7baace04d7d168b4564a4d2c2d3

SHA256
274b3f0e06999269de597872224986b848f8db680b5b71e38a2159391ee72e19

SHA512
f5f34f13bfa224ec3684a00dd6365b8a5727d69e9be0144f82a60ddb997963b5b1cccecc81e0113c970cdc208fe7a32c32521d90d5d44c9c5f149e8332ae0f1c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
a29085a1fd9c1de363b205389cb5f610

SHA1
fca2bb353196db9df6babf904e3632064b2ae3bb

SHA256
ca43d605ec050df1bb878d5cf723284f93bbc6e923a34137e08dc647547abc4b

SHA512
6b0445ae3d28214ef34bce8cb9cb37bb8de0bb92231a982b6d3a631c0822579e776603ffa8d63c1bb1b71260842943b7c8d49fad87ab8f6a204a32743ffb1521

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\00cf0faa3d37faa0ea2d240c1ca307ef\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
75c84340d765d73eac1c743a31b6571a

SHA1
52aeef700a52b8e687316f42816eb9c0599354df

SHA256
b72a1f7da8b3c3dc95c2252319f6f3e71c81ed8bd59a5b31bd2861e14c364459

SHA512
9a9cdbc3a103e733150fae265c594dd7378ca402521387e466732f2431472a6a0e6cb4dfe02fe9f5b975a1739c685471ad2a4dddcdf6f12c4b5be469832fd5f1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\445f3c8d9235f360df60d6b22a46b30f\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
515bd5b4cb3183faef28dcab9a242027

SHA1
e2e9b9eb75566ae0867a3c8c48195b40a88bb63b

SHA256
bb85f13052c806b9d7effd549b5a121503bae28fa60270ca4d766251bf5a3674

SHA512
4efd8b9473fe522b34328de4fa3b8a2d8b8e9cdc66ffe4f8b3c68ad78a16a8ac9dd06102f94fb0f8f3510de34a3393afb3cd105341822d4f4e391a761ce8d9b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\48a294a6ff9cea6b26c38fc8b4f5e3e8\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll

Filesize
356KB

MD5
87111e9d98dc79165dfc98a1fb93100b

SHA1
4f5182e5ce810f6ba3bdb3418ad33c916b6013c8

SHA256
971188681028501d5ac8143b9127feb95d6982417590af42cf1a43483e38bd42

SHA512
abbb246d620e8a2ab1973dde19ff56ea1c02afa39e889925fe2a1ba43af1ad4ff6eb017e68578ae520109b3e290b3d9054d7537eb2df0ede6e0fbca8519cc104

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\54ba26779e6f2075f91293f4f81c2fff\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
ad8c0e759df25e0049d44e5aba4f3321

SHA1
4e1e19b1b5602937057170bf390db0091899af69

SHA256
4c31b7d8501b8914425568b1c3a228aeafa35b6cd6bfcd9cf55dfa511a71ede7

SHA512
f23471c6371f3828002e2ff168013cc01d7744299bd14c7d2117bc39261a9d10cf3bbbe87af08874990a2e20998ec7e3208bf16659ef9e895147e854509f88c4

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

Filesize
1.2MB

MD5
0637ad2bf6fc5ac1d29e547155bc818c

SHA1
a502879466b6dd37eae5881bbb18353f97623852

SHA256
868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f

SHA512
1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\85329a05b09961178c3abc095a73cba2\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
cf64bd9d2756b397f814b1a3ddce35f7

SHA1
d66773cca71a3ab8dfdf583135d3057daf176c96

SHA256
d66f09d2df316298e73e3864ac253e2ef8410d07d8187003fc3fa4b39685027b

SHA512
9375d8bbefe9373775abbdcb51c39c7593c07542b05297580392f1a43079c850db45a899508f5aa0d4b182dd1e1972da77090e9a9fb6488676e77727a67107f2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a05ee2388c8a28fb3ac98ec65148e455\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

Filesize
65KB

MD5
da9f9a01a99bd98104b19a95eeef256c

SHA1
272071d5bbc0c234bc2f63dfcd5a90f83079bbab

SHA256
b06632dff444204f6e76b16198c31ab706ea52270d5e3ae81626dc1fc1fb1a4d

SHA512
dcb3273e33b7df02461e81a4f65ae99c0a9ae98188a612ce6d605a058bd2dcb6ddb5b7c78abe1f0a955b7f0c07c323dbfd77a2b6a629a9c87e4ecc1c57e4d81d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bf3e8ba642eaf9a5371982f211550c52\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.ni.dll

Filesize
278KB

MD5
d74d434aa70ce827715b5e0ac7eda5be

SHA1
b53f3374be4c96af51c78fd873de1360f17c200f

SHA256
54701cbe719b08b2393b9f4a604c372f9a280b5d3dd520b563d2aea7d69a1496

SHA512
631d09a0ff39ece829f5c23278c2c030e5ff758b285128edb7805682de75b5be1aedd914d2325f79ec98d0103660a39ae1f1a5782f5dad038b143f3774c098df

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
48748b309420bc79c24a40ac84fce84c

SHA1
a3ab728da014338b859585557a65d97cc8f7b672

SHA256
7e9ea1fee235c1caadef7fcdde02a4781d3faca1624a2b4af424835c30eadb83

SHA512
17ca1aeb840c49a0939f7f4a895f641d85e935cb8de00e298e5988062aa091c91d0ba51ce705f117ea6a842654e7630fe04665962442618df5931c6ff9f52ab7

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
bc227c63eb682d305d238192b1097e49

SHA1
9632f3819675e03b4e76af52949a919bd61ade13

SHA256
102f9809c045d59dc98e08a6d4ce60afc5d380471b306c3c2e737968b0415e65

SHA512
7c2161b1c4c5299859063cc47517bf9d73a960d1f6fa5c1ef9eae914004f997df793da1b3de8bf6f1afccb33774a359dfed607a46396421ce6caead69505b84a

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
bdc897cfd1df1e152a535c54f4f515a4

SHA1
b29ef65106122904ee0aa9bc1d9d70f2cdd4fb27

SHA256
d1c6c8f79234d01195160898bf3d791de7834cf4b27dcfdc10eed8bdcf266612

SHA512
ae8eb1bfe38df0d61127d1a8c7ac6a2ae64c6a6bd7f54e4bd74e210969303929438a7a725aebc592d8aa227287535587478d6c13bed8676ad4622fa08e80bbd8

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
fda4a9f33c8939b0625cd93eed755192

SHA1
530a93e871f9ab56834b336793d776abf1d9b98b

SHA256
9dbdaa15def7f3705d010c73d36bb23315e537f72ba21b6433eb4300b49b71f2

SHA512
66d119d071d70cb2d3b9c8bedae3fb758f6f0225d255e6eab18b0294a42a0b07c9766e7d7b95ca7114584b32969614b4ff542e934e82640f5f0c2929cf9c49ee

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
796babbf202b4c03ea01e175a754a580

SHA1
783f72cfb9356804a31aa029a5d33aa4ac74284b

SHA256
70bd3f6902936ea6246596b305af0389d10e786d47d199a0fd87f3a4b7599a4f

SHA512
b169d7942e50d47d12d29f3e96e56d2d91ba06d709a2d35be1c416158a8d97ea6eb8ae4ead7717782f4a2fc7f7a4578b03c0cdc3091844626b1360964c9431f9

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
3f4da204a5ddc10c3abbd1159a052ad3

SHA1
b32ec68ced71c803e11d88f367e0e8ce9c1c1ea0

SHA256
59d0b669f63bd81b742407d5dd5047e63dc2762d22e8801d577b662bc249f8ba

SHA512
ed0213a5eb4c5f178428a9f1c52e9db421b1eda4f58ef1418e64dd1f3ae39919d3f5d2c13d4b972bbea79517927ae5abd6d722186f618f0f40a0105fdf78564d

Download Submit
memory/112-288-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/112-590-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/284-102-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/284-101-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/284-109-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/284-207-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/324-237-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/324-466-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/436-686-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/436-664-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/872-191-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/872-268-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/888-167-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/928-756-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/928-741-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1120-567-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1120-595-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1152-8-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1152-5-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/1152-0-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/1152-63-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1236-171-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1236-168-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1244-667-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1244-648-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1244-653-0x00000000019B0000-0x0000000001A6A000-memory.dmp

Filesize
744KB

Download
memory/1576-754-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1576-777-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1584-488-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1584-514-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1604-468-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1604-492-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1680-12-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1680-113-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1720-276-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1720-566-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1780-129-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1780-226-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1796-469-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1796-451-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1816-245-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1816-307-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1968-535-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1968-540-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2084-204-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2084-287-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2128-166-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2128-235-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2144-527-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2144-523-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2152-120-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2152-122-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2152-221-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2152-114-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2176-638-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2176-651-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2188-574-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2236-141-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2236-232-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2328-542-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2328-256-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2332-776-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2352-195-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2352-85-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/2352-92-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/2352-91-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2416-43-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2416-49-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2416-50-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2416-51-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2416-74-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2424-487-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2424-238-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2504-301-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2504-215-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2520-28-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2520-29-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2520-83-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2520-37-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2524-449-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2524-718-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2524-322-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2528-241-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2528-515-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2560-592-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2560-607-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2564-627-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2624-321-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2624-222-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2640-770-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2664-734-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2664-715-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2664-624-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2664-631-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2800-302-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2800-325-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2840-227-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2844-255-0x0000000000520000-0x00000000005D2000-memory.dmp

Filesize
712KB

Download
memory/2844-244-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2844-176-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2844-179-0x0000000000520000-0x00000000005D2000-memory.dmp

Filesize
712KB

Download
memory/2852-684-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2852-689-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2916-128-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2916-17-0x0000000000980000-0x00000000009E0000-memory.dmp

Filesize
384KB

Download
memory/2916-16-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2916-23-0x0000000000980000-0x00000000009E0000-memory.dmp

Filesize
384KB

Download
memory/3004-190-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3004-64-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3004-65-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/3004-70-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download