a41c0e3394ce9539e1f2cffb71311cf031618be0c5eb2f9f5ccc2063a95c5223

Analysis

max time kernel
147s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
Size

1.3MB
MD5

64219d6f59e302b1e498f3454d077790
SHA1

82f52c8dd47879a81061e44291249b89a55272ea
SHA256

a41c0e3394ce9539e1f2cffb71311cf031618be0c5eb2f9f5ccc2063a95c5223
SHA512

5b48fe53586cdb645f292f0a14cf00f7adcde1f1925cfbd75697f16bd428972f16b42c556e21339045c21ff7c1b7e14cb0bdc77e54646cc1f6f35c5818ea67ba
SSDEEP

12288:6tOw6BaM+Xq1gYgR+8DAoczI2ZfnwlQTePINayz+ByIne7xmmZjIUTSl+0/1:U6BcMdIuwe3zfIe7xmvH/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2228	alg.exe
2660	aspnet_state.exe
2372	mscorsvw.exe
2528	mscorsvw.exe
2136	mscorsvw.exe
1164	mscorsvw.exe
1052	ehRecvr.exe
2696	ehsched.exe
2708	elevation_service.exe
2272	IEEtwCollector.exe
1100	GROOVE.EXE
2796	maintenanceservice.exe
3060	msdtc.exe
3032	msiexec.exe
2808	OSE.EXE
1696	mscorsvw.exe
2300	OSPPSVC.EXE
2396	perfhost.exe
1500	locator.exe
2296	snmptrap.exe
1636	mscorsvw.exe
1880	vds.exe
1424	mscorsvw.exe
2700	vssvc.exe
1388	wbengine.exe
584	WmiApSrv.exe
2816	wmpnetwk.exe
1632	mscorsvw.exe
2360	mscorsvw.exe
1012	SearchIndexer.exe
2884	mscorsvw.exe
2736	mscorsvw.exe
1972	mscorsvw.exe
1704	mscorsvw.exe
2524	mscorsvw.exe
2512	mscorsvw.exe
2820	mscorsvw.exe
2736	mscorsvw.exe
640	mscorsvw.exe
1480	mscorsvw.exe
2504	mscorsvw.exe
2576	mscorsvw.exe
1976	mscorsvw.exe
720	mscorsvw.exe
2724	mscorsvw.exe
2484	mscorsvw.exe
2848	mscorsvw.exe
1736	mscorsvw.exe
1424	mscorsvw.exe
1600	mscorsvw.exe
2052	dllhost.exe
852	mscorsvw.exe
2060	mscorsvw.exe
2128	mscorsvw.exe
1200	mscorsvw.exe
2328	mscorsvw.exe
1772	mscorsvw.exe
2468	mscorsvw.exe
2696	mscorsvw.exe
2624	mscorsvw.exe
2400	mscorsvw.exe
2320	mscorsvw.exe
588	mscorsvw.exe

Loads dropped DLL 51 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
3032	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
760	Process not Found
468	Process not Found
2328	mscorsvw.exe
2328	mscorsvw.exe
2468	mscorsvw.exe
2468	mscorsvw.exe
2624	mscorsvw.exe
2624	mscorsvw.exe
2320	mscorsvw.exe
2320	mscorsvw.exe
1540	mscorsvw.exe
1540	mscorsvw.exe
1496	mscorsvw.exe
1496	mscorsvw.exe
1648	mscorsvw.exe
1648	mscorsvw.exe
2580	mscorsvw.exe
2580	mscorsvw.exe
3024	mscorsvw.exe
3024	mscorsvw.exe
2060	mscorsvw.exe
2060	mscorsvw.exe
2168	mscorsvw.exe
2168	mscorsvw.exe
2756	mscorsvw.exe
2756	mscorsvw.exe
2856	mscorsvw.exe
2856	mscorsvw.exe
2592	mscorsvw.exe
2592	mscorsvw.exe
1200	mscorsvw.exe
1200	mscorsvw.exe
2148	mscorsvw.exe
2148	mscorsvw.exe
2852	mscorsvw.exe
2852	mscorsvw.exe
2812	mscorsvw.exe
2812	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\871b5019ae4ef42b.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6FE3.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP643F.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP80A5.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP76A6.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP82E6.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6E3D.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6B7F.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP73AA.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5ACD.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050d1befa0db8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10055 = "FreeCell"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10303 = "Enjoy the classic strategy game of Chess. Play against the computer, or compete against a friend. The winner is the first to capture the opponent’s king."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SNTSearch.dll,-504 = "Create short handwritten or text notes."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505 = "Sticky Notes"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\rstrui.exe,-100 = "System Restore"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050715df80db8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2912	ehRec.exe
1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
2660	aspnet_state.exe
2660	aspnet_state.exe
2660	aspnet_state.exe
2660	aspnet_state.exe
2660	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
Token: SeShutdownPrivilege	2136	mscorsvw.exe
Token: SeShutdownPrivilege	1164	mscorsvw.exe
Token: 33	2828	EhTray.exe
Token: SeIncBasePriorityPrivilege	2828	EhTray.exe
Token: SeShutdownPrivilege	2136	mscorsvw.exe
Token: SeShutdownPrivilege	1164	mscorsvw.exe
Token: SeDebugPrivilege	2912	ehRec.exe
Token: SeShutdownPrivilege	2136	mscorsvw.exe
Token: SeShutdownPrivilege	2136	mscorsvw.exe
Token: SeShutdownPrivilege	1164	mscorsvw.exe
Token: SeShutdownPrivilege	1164	mscorsvw.exe
Token: SeRestorePrivilege	3032	msiexec.exe
Token: SeTakeOwnershipPrivilege	3032	msiexec.exe
Token: SeSecurityPrivilege	3032	msiexec.exe
Token: 33	2828	EhTray.exe
Token: SeIncBasePriorityPrivilege	2828	EhTray.exe
Token: SeBackupPrivilege	2700	vssvc.exe
Token: SeRestorePrivilege	2700	vssvc.exe
Token: SeAuditPrivilege	2700	vssvc.exe
Token: SeBackupPrivilege	1388	wbengine.exe
Token: SeRestorePrivilege	1388	wbengine.exe
Token: SeSecurityPrivilege	1388	wbengine.exe
Token: SeManageVolumePrivilege	1012	SearchIndexer.exe
Token: 33	1012	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1012	SearchIndexer.exe
Token: 33	2816	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2816	wmpnetwk.exe
Token: SeShutdownPrivilege	2136	mscorsvw.exe
Token: SeShutdownPrivilege	1164	mscorsvw.exe
Token: SeDebugPrivilege	1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
Token: SeDebugPrivilege	1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
Token: SeDebugPrivilege	1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
Token: SeDebugPrivilege	1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
Token: SeDebugPrivilege	1300	2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
Token: SeShutdownPrivilege	2136	mscorsvw.exe
Token: SeShutdownPrivilege	1164	mscorsvw.exe
Token: SeDebugPrivilege	2660	aspnet_state.exe
Token: SeShutdownPrivilege	2136	mscorsvw.exe
Token: SeShutdownPrivilege	2136	mscorsvw.exe
Token: SeShutdownPrivilege	2136	mscorsvw.exe
Token: SeShutdownPrivilege	2136	mscorsvw.exe
Token: SeShutdownPrivilege	2136	mscorsvw.exe
Token: SeShutdownPrivilege	1164	mscorsvw.exe
Token: SeShutdownPrivilege	1164	mscorsvw.exe
Token: SeShutdownPrivilege	1164	mscorsvw.exe
Token: SeShutdownPrivilege	2136	mscorsvw.exe
Token: SeShutdownPrivilege	1164	mscorsvw.exe
Token: SeShutdownPrivilege	2136	mscorsvw.exe
Token: SeShutdownPrivilege	1164	mscorsvw.exe
Token: SeShutdownPrivilege	2136	mscorsvw.exe
Token: SeShutdownPrivilege	1164	mscorsvw.exe
Token: SeShutdownPrivilege	2136	mscorsvw.exe
Token: SeShutdownPrivilege	1164	mscorsvw.exe
Token: SeShutdownPrivilege	2136	mscorsvw.exe
Token: SeShutdownPrivilege	1164	mscorsvw.exe
Token: SeShutdownPrivilege	2136	mscorsvw.exe
Token: SeShutdownPrivilege	1164	mscorsvw.exe
Token: SeShutdownPrivilege	2136	mscorsvw.exe
Token: SeShutdownPrivilege	1164	mscorsvw.exe
Token: SeShutdownPrivilege	2136	mscorsvw.exe
Token: SeShutdownPrivilege	1164	mscorsvw.exe
Token: SeShutdownPrivilege	2136	mscorsvw.exe
Token: SeShutdownPrivilege	1164	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2828	EhTray.exe
2828	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2828	EhTray.exe
2828	EhTray.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
1972	SearchProtocolHost.exe
1972	SearchProtocolHost.exe
1972	SearchProtocolHost.exe
1972	SearchProtocolHost.exe
1972	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
1972	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 1696	2136	mscorsvw.exe	45
PID 2136 wrote to memory of 1696	2136	mscorsvw.exe	45
PID 2136 wrote to memory of 1696	2136	mscorsvw.exe	45
PID 2136 wrote to memory of 1696	2136	mscorsvw.exe	45
PID 2136 wrote to memory of 1636	2136	mscorsvw.exe	50
PID 2136 wrote to memory of 1636	2136	mscorsvw.exe	50
PID 2136 wrote to memory of 1636	2136	mscorsvw.exe	50
PID 2136 wrote to memory of 1636	2136	mscorsvw.exe	50
PID 2136 wrote to memory of 1424	2136	mscorsvw.exe	80
PID 2136 wrote to memory of 1424	2136	mscorsvw.exe	80
PID 2136 wrote to memory of 1424	2136	mscorsvw.exe	80
PID 2136 wrote to memory of 1424	2136	mscorsvw.exe	80
PID 2136 wrote to memory of 1632	2136	mscorsvw.exe	59
PID 2136 wrote to memory of 1632	2136	mscorsvw.exe	59
PID 2136 wrote to memory of 1632	2136	mscorsvw.exe	59
PID 2136 wrote to memory of 1632	2136	mscorsvw.exe	59
PID 2136 wrote to memory of 2360	2136	mscorsvw.exe	60
PID 2136 wrote to memory of 2360	2136	mscorsvw.exe	60
PID 2136 wrote to memory of 2360	2136	mscorsvw.exe	60
PID 2136 wrote to memory of 2360	2136	mscorsvw.exe	60
PID 2136 wrote to memory of 2884	2136	mscorsvw.exe	62
PID 2136 wrote to memory of 2884	2136	mscorsvw.exe	62
PID 2136 wrote to memory of 2884	2136	mscorsvw.exe	62
PID 2136 wrote to memory of 2884	2136	mscorsvw.exe	62
PID 2136 wrote to memory of 2736	2136	mscorsvw.exe	69
PID 2136 wrote to memory of 2736	2136	mscorsvw.exe	69
PID 2136 wrote to memory of 2736	2136	mscorsvw.exe	69
PID 2136 wrote to memory of 2736	2136	mscorsvw.exe	69
PID 2136 wrote to memory of 1972	2136	mscorsvw.exe	82
PID 2136 wrote to memory of 1972	2136	mscorsvw.exe	82
PID 2136 wrote to memory of 1972	2136	mscorsvw.exe	82
PID 2136 wrote to memory of 1972	2136	mscorsvw.exe	82
PID 2136 wrote to memory of 1704	2136	mscorsvw.exe	65
PID 2136 wrote to memory of 1704	2136	mscorsvw.exe	65
PID 2136 wrote to memory of 1704	2136	mscorsvw.exe	65
PID 2136 wrote to memory of 1704	2136	mscorsvw.exe	65
PID 2136 wrote to memory of 2524	2136	mscorsvw.exe	66
PID 2136 wrote to memory of 2524	2136	mscorsvw.exe	66
PID 2136 wrote to memory of 2524	2136	mscorsvw.exe	66
PID 2136 wrote to memory of 2524	2136	mscorsvw.exe	66
PID 2136 wrote to memory of 2512	2136	mscorsvw.exe	67
PID 2136 wrote to memory of 2512	2136	mscorsvw.exe	67
PID 2136 wrote to memory of 2512	2136	mscorsvw.exe	67
PID 2136 wrote to memory of 2512	2136	mscorsvw.exe	67
PID 2136 wrote to memory of 2820	2136	mscorsvw.exe	68
PID 2136 wrote to memory of 2820	2136	mscorsvw.exe	68
PID 2136 wrote to memory of 2820	2136	mscorsvw.exe	68
PID 2136 wrote to memory of 2820	2136	mscorsvw.exe	68
PID 2136 wrote to memory of 2736	2136	mscorsvw.exe	69
PID 2136 wrote to memory of 2736	2136	mscorsvw.exe	69
PID 2136 wrote to memory of 2736	2136	mscorsvw.exe	69
PID 2136 wrote to memory of 2736	2136	mscorsvw.exe	69
PID 2136 wrote to memory of 640	2136	mscorsvw.exe	70
PID 2136 wrote to memory of 640	2136	mscorsvw.exe	70
PID 2136 wrote to memory of 640	2136	mscorsvw.exe	70
PID 2136 wrote to memory of 640	2136	mscorsvw.exe	70
PID 2136 wrote to memory of 1480	2136	mscorsvw.exe	71
PID 2136 wrote to memory of 1480	2136	mscorsvw.exe	71
PID 2136 wrote to memory of 1480	2136	mscorsvw.exe	71
PID 2136 wrote to memory of 1480	2136	mscorsvw.exe	71
PID 2136 wrote to memory of 2504	2136	mscorsvw.exe	72
PID 2136 wrote to memory of 2504	2136	mscorsvw.exe	72
PID 2136 wrote to memory of 2504	2136	mscorsvw.exe	72
PID 2136 wrote to memory of 2504	2136	mscorsvw.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_64219d6f59e302b1e498f3454d077790_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2228

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2372

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 254 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 244 -NGENProcess 25c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 26c -NGENProcess 240 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1d4 -NGENProcess 254 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 270 -NGENProcess 258 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 270 -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 278 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 27c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d8 -NGENProcess 278 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 280 -NGENProcess 264 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1d8 -NGENProcess 28c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 260 -NGENProcess 27c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 290 -NGENProcess 284 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 28c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 28c -NGENProcess 1d8 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 278 -NGENProcess 298 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 294 -NGENProcess 2a4 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 260 -NGENProcess 298 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 298 -NGENProcess 290 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 218 -NGENProcess 288 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 268 -NGENProcess 258 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1f0 -NGENProcess 250 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 23c -NGENProcess 288 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 248 -NGENProcess 258 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 288 -NGENProcess 258 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1c4 -NGENProcess 1e8 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 1e8 -NGENProcess 248 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 284 -NGENProcess 258 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 258 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 260 -NGENProcess 248 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 248 -NGENProcess 284 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 294 -NGENProcess 1c4 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 1c4 -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2a4 -NGENProcess 284 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 284 -NGENProcess 294 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:1260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2b0 -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 260 -NGENProcess 2a4 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2b8 -NGENProcess 294 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 294 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2c0 -NGENProcess 2a4 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2a4 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c8 -NGENProcess 2b0 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b0 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:1764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e0 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2fc -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2f0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2e8 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2e8 -NGENProcess 304 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 304 -NGENProcess 2f8 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 318 -NGENProcess 310 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:1772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 314 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2f8 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 310 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:2648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 314 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2f8 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 310 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 314 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2f8 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 310 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 338 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2f8 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 310 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 338 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 2f8 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 310 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 338 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 2f8 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 310 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 338 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 2f8 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 310 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 338 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 2f8 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 310 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 338 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 338 -NGENProcess 37c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 384 -NGENProcess 310 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 368 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 37c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 310 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 368 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 37c -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 310 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 368 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2756

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1164
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1b8 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1b8 -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1600

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1052

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2696

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2828

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2708

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2272

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1100

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2796

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3060

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2808

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2300

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2396

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1500

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2296

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:584

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1012
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1972
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1884
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2652

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
f343a781d3c9e483d9d3aa6d305b3f55

SHA1
c48cbd360b9244ff38ebd169fd09d13bb37edd87

SHA256
82541a5306999dba50efff0bffbbd1419fbadeb211c82844920f12bcd22de9d4

SHA512
f117432eeab89335e35b49fea2814f721771f033487c1fd18ecdb91c4e71f887f4dadbc91f29be0d93152566f17902f76899aae1ffafefb539712eafc9cc8a3c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
cda555b7652cbbff0128d6af5f15ceb3

SHA1
a6f6b0b38b63fcf1c6ba1c682e5801ed1ef25a7b

SHA256
5e15bccbef44fee09d2f1958177fa43703417b140e13f0a8de413f825b4bdb94

SHA512
7918b5433188cf7c6a80a5b87b807160e041804311003a08e395fc8cb69e1a7e4a6a6988ac49387e088fc5772e89ed11a5cf8147ba0aba4e132abc8215806194

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
392f9a941bd21e140689e87b37e4dbd7

SHA1
df722f2d8ecd15bc534e7dc545ea0b70028d0179

SHA256
96b0aad15d298b4c35fd91af6ee9bbc24decdda448a7a6eddf7994819bc4a673

SHA512
4ee1e5e7d90ab2219784b52c02fee0181114725465210a9620ce9e60bd79d96ad129b8e7b7db25434e0263675ee91b6145ca476e85a0cdaeff03638dbb9a09eb

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
ee5ec87f466ee232a70a60f32b63c855

SHA1
1cfb04e2baa7ae68826f8fe0058e57606db621ad

SHA256
48370afb20cbe0e15272b5f315cbb57f429f4a46c4ea3b017f2c8761143a213e

SHA512
93cc5524950385dd1e35df0522c0e07b862b944f243a3d67f36cb0fcdacb93810d3d5646aebd13f543c67a58d7a08d898cdae2ef7d61e0f90a97bae796e7d338

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
894786057c71fa2a2cb7bf4bbdc23244

SHA1
427820db90adcbf85526456e0b0c2acb5c53b9cc

SHA256
af0e4035b1f9d92e8743bb68e6372cba86fdf43c073845c96afd420ef40d5be6

SHA512
dc8fcad23daa967e37e154961a0d20c7857fad76a83ac21ed7fe24e9b75172d95992b499c0ce402b59bd1afe25d159ce01069aded4ea395e6fd4bf3abd649e70

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
8dde8c4bd45ddc48b956f3e44f1b39cf

SHA1
dec0ec8ebd884893234a2f2bfe2950271e47a2ae

SHA256
f4032c3c04feee6ec55c90f467cdad4308fdeb0e5edb6d19c5e549063bb6a853

SHA512
9fefd0133686bada8c7f0409be85fcf620de2b6edd1fa19ca0c16875b58cc1d48768ff96edeb6bb7acbb46f9410336b2e68d650f0fe9024b277fbc46c477bef3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
bf1c2f90a8dce948ebec1525a2b76320

SHA1
5dfa4b3ddf7b5a0577ea4e453bbbd102cf8a83d8

SHA256
f4c94d9241bf7c8d111a9168f8dfacbf39ce9941b0392dd9c95bbec4196afef2

SHA512
6df80cfe1079e184586ec8329d65cf9ecc4b3ee10854b0d54e3602699818d82b0ab32f9c8f6a55d95a6a92a1b316ea4f2f546394318f4e36896bd05bec6266af

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
4f3db4057d0f2700b857639895e85f84

SHA1
46d905450db3ec08231c18fb82d9aa1c12477bca

SHA256
57d0d76ce728c89a77ae5289ab5ed36b84033e1d03f7048e052b2549ed0ddbff

SHA512
0bbbcb5cd7855a2aa6393726f92d911d02f516f9dbd97601c48ed25de82465e665db33982d8f9e57bd46f671bc4536f02012a62f75d08d673878d06029dc0e61

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
cb88547cb5748a4c0939406b7258cb85

SHA1
e85e720e3237dc09e07229e5573acdd9a51a6f8c

SHA256
b4c97f5b88090ab79d7624af400462a15c0696f58347941f0b59a1697bcedcac

SHA512
60dddec91ac279231f6a6cbf2e38d9a9e6148438a991587a9158a83f2adc7a73d5fce0a24204e6ab77498e0a261a838fc45b644d0cf86e5e2cde0c31857bd1a0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
43f3f62d6c6ed08571e362c429b72ab3

SHA1
b6e67d2e2894466c7d9fa98ae6ce101953d4767b

SHA256
4b75064465800b31092c43555aea87c5f42c7755c37ed7ce3039b21b5200abf8

SHA512
7a6832d11defef1899e488483441d37e8e095c640cceba600398eaad92102f773e7d017b699a20db81ae52bcdff63e615902b67165e18544aaedbd1ca496cad9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
51690112d77aae34dfba6aeb332c3ee8

SHA1
ab19346a9fe7697247573944b0736010238d8269

SHA256
266c3ca9d29a5931aaef9737ac080fd6b82b95d0caa7cebbcbd593dd68207c0d

SHA512
87c6b31ee29f7cb31603374133426323b1809dd1e9a6063273bea05d206aa94582011e24240acfe9f88e33d6473bb4a4bbfbbdd561d87e687b5b13c9a17571a6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
8a7c65b00b59afe68e7e9b94c38ef7bb

SHA1
0255b266358c1ef4344ca1d52fb51f36dae55502

SHA256
8e1201d233e4bea5750a642e55a15dec7a177f4a1c282214ecc935a64bb26c3a

SHA512
3cb8db2e561eaad312074551e8d2b429d711c614a458af32d5bf3b74d7c29c8770d22f2c98e27b3036b4cdb21b85e948effa4ca82e007772641e04a05616b3d2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
f11a290f7e61f1b2426fe0f34907862a

SHA1
697e03d387a96b1d380f30930327314b022a639f

SHA256
50616b4680d848f0485cbd2b1dec56d702def05cb4ea3ddda9f6675d7dbb178d

SHA512
f6f0cba5606052eb552ffd0d3d51000f236ae49702f38c857803f8973849443cce9e41d7bfa30885cf30debd261cc40b4b20035cad85ff5343b27cd7db29fbbf

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
e1b7b581b3f9a16249b67b23fd5ce2c1

SHA1
bd04852bf6c67387c2f18af74b6fc6f5d3c773de

SHA256
cb5b50f0d79be7d349867b304013e2915a13c9c3f8dfc50f6335802d70cdf892

SHA512
f478ef47ec3223c94e56e54fa976f712c21efb527b4197e7fb7ef456cbc048553b3ba708fb45c5e1dff18c74651cce2cd69e6c3fd28811650610ccd06b5c9717

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
baa54ab22284043d117ade738e5ce8d4

SHA1
857c9112f96f04c03f49c8983fc18b396f332a0c

SHA256
542b0630e94d3ef17cfd5508361829b280f83ae710f52816a6d3023c9b3557ac

SHA512
ee18926069c30abe4f6cde2d6e4bfb39bed36d51c18908bdca368ada200cc7272c28ab5553f0eceb5a82ef470d615e2c88160f688f0b5cd6133c0713db2d00bb

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
cda42cd0456361fdee13db1c86e7fbf8

SHA1
e76ff5105435f728c6b9584114277de1b1972ee1

SHA256
85a3fa3981b451fa9fb471cad52afde4e3d60e0458ee1935f649c5c8dc91ae4e

SHA512
806ba7b7b62646ec66b993e85d9b088383a83505da70cbc69677f4b1eb681767f6c22f3b39c12cd4396b444514d0e6adf4a78ece6dc17b0cb85bee4464593a5b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
3852199710b2d67ff2152c8911bc2387

SHA1
a3f60725a270b837d6a43748ff7015783cfb3aa5

SHA256
03808c74595d3464fadc947e3174d4f0c61c6a15729a2cfd9bf8cb1d78d1a52e

SHA512
b8b35c45f66cbbd05b7223bc5539976d1690e055bdd28278fc3e291e527f95e41af17a64da8248f7596d73b587ef1a980681fed1db4fae7174a2a81fdee64ffa

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
2a7a51bbd89cc8922a4d8e42a87290f6

SHA1
9accc570446efc050c8d6b92ba29d237891b79d7

SHA256
3ad5c52917bf3997fc627b48fe46d81b52f2112d60bfb49d0feff763629bd664

SHA512
ccedef55a851ffcc84fb4380ac6267828a9e5fc14de49310ce323602e34da864ef8bed457a541549797907859949a4ed7faa4c6787ed2e313f14204282cce01a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\1044e6c33e4eb893bf09d65a531a10c1\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
d907077e1a56a888703ab3ae30f4c55c

SHA1
2638283053db9833d8f08ac257894835168ffb64

SHA256
d4f6dad5ad16ab42945f961a1493eec8573bba4d350967861d9c6e57e1545ecf

SHA512
25ea933355f4ca49c6a3ac07479083b7f60c3396fac3f6702163cf1f47f79beec53d969166e0b650acffe7f2ed0a9b394eb1f9fcd0ede0b4995ce1ba9819a18c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\22d37859cff7d07a862eea9794d80cbe\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
e8eff41f5b3b3a12e71918ff1505bf60

SHA1
a698369ef2f4b326f2df9bde45d7d40844736631

SHA256
2038f867a3d41fec2fb0679cea8b8a015b40d258020bfcf85433622d54966249

SHA512
ac9a35ad47a94b930f2ea47bc70b1a064bc41d1e0e369f7d5dc7e0fbd93fff92a392e22b60c2da1331f9c00bdf52e43043614a3a0e8f776f5f28d8749ac1b6f1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bedc9c8545270d97ca29c192cbc2c5db\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
5ca01e76ee2c50651a9de8a9858cbab6

SHA1
72cb563ed2aa4a8431a5c532ddae646b86657fcd

SHA256
a8b7262cf07ba32786bf85233988dd5cf6db3cc5daff6d462681488d98d9c267

SHA512
b2db0f7e5c7e9f862acc09f1ef66584d703b8517a26b735fa5a0391240e387bd73a1336d22a9e0b475af62cf253480f76c759431e313731844e0983bd6648db7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d7b29d7797fefd80a8f77c98eebddc11\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
a03c831cb51ed63213ead308a53d7354

SHA1
4f6a9189d8d56bf2449235f23cc2278bf5132b51

SHA256
130ee203551dc5378ec6c5f3a6408aa0c9f2b03e8b31ea980926f645344d939e

SHA512
ba28351932abfb7d03e01b81a6face909a573335850846507fe274b48a0ead697c71cd4743ebfa4acd8f5809ef0cecaabc43b0aea45c6d9d29fad836e5965bc0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
b1956bcb4093690ae3a3d20eb08d8b46

SHA1
7d7721248e5d5779fd52433e3d386c05fc43934d

SHA256
1f61d570c224a7467fcec9bb07884e5bd834e5d079dc47ba3ed6de5a8213b191

SHA512
4908aaab463831785314ac3cc30a51d5921127d80d0d2845fac567c5d769bcf2ae4c3a12cf7e9d1707b689508b485ec9ae3dd8461eb9fd2c989e1ce1b356c19a

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
28a3a84337e2fa52d1d666674bff817a

SHA1
e8ad8a1a2e49bd8348c7454b36590e53f997c600

SHA256
89f638454f6533f937d8c7accee02faaaae95166ad4fa7525cf0b300901d72c3

SHA512
a5af44cdee86313a16fa1aa9a13443e909013328c0a86b1a0fa1e707acfc10392b694263ea1876579e22b1211e2b30d2081c47f0b634094d1d535023966f0df7

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
4b2eb5b4530e87bbcece768bb7068104

SHA1
3bea96c213b4a0e9368cb81e836fd0b19d2b2946

SHA256
c1dd61887f6fe6c0e4c04928cdace4fe0488c4c0e0f92047deb82e4247aecc41

SHA512
6be4bea307fde17300e2c91cd8011d3636317dbceedc54bff54124f01aa878db90d2569d694b3027372980afb433bb1f8a6bb735847edf36c55c746c4d84ee7c

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
1ad24e4ae5124a1bc551272b5cd14051

SHA1
428ae9f5e8f3ab46fa2c56d51c393422f92c63e0

SHA256
7cdee4b5773b301b1889809057d2b1046ef14f5340de34e2bb4c065a08979576

SHA512
44876ee37b03b0cad53f5feab97b3ba23fb29bf443f845cd4c2ae603fade0f9bfc7eed7338f12e72e47f45f60f0e706bfd931f572dcffff4e80520d80e7431b6

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
365240c3ca603fb777530c31d10d4f2f

SHA1
354406b8672dafa0ecd9800eaba3235bf85977c7

SHA256
99816151ce4a1c7cb7014d3dc853472d52818dee8c0cb1e5da54562e85e2af39

SHA512
7049b7f42968387a67ad1f9330b3e2fd02da0032c2d02d5bac056b5d90d90d8b98726ecb5f658f7a85c5c97e9af6fcd0aa71ec98da5de09ea705f627d78b18d4

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
eeeee6fe90b8ff224855fb7c590ecd8b

SHA1
95ec5eaa7fa035cb1be7015fae84844786363a4b

SHA256
8f76cf7bca9f372c46e2dcbb72fc1810493ac69eeddb1f19d5404f8f920f4473

SHA512
ba85db2205f11be4fc8fa3faa02b216754af1fa0a284926f80cfa35d7df49b1561d8b714ee87a1a2564d8bfacefadb522ca08a2c605198c97f573c0d2165eb87

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
4b2ae67157e5eeb3a2e4995028a5cf27

SHA1
ae08a26af2577beb7035d932668c2e3b255f6f35

SHA256
39529a50287a56545536b7637a3b7131ee0b4419c029d13d0b7eac201c797ba4

SHA512
ea5f254b57a03a7e108ceabdd3244451c987d07440d3b93a75e2ad25255902158115392944be87689416dfded1ebf71268a359f20044acf8580282249e2efe6c

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
b822716b1f1e9ea0de8a6719258bec28

SHA1
07a472e13d566663d1605bde46cb02dec7540a25

SHA256
bf47fff6002511104e3a202394bc24ec0898de2e7fe28b011a93fe48eab7e268

SHA512
1ca13f52a2849f985b6ace1e38e55d144ff8f5619593e26716068f55f85e7047ebe3623ea82ce54475de094fd5d3638f20ab01dcdfa8e7fef467f21b629996ba

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
7988d77555222003f3834333c6553ffd

SHA1
6c95c9877529b914a706722d735db5932e4a069e

SHA256
ff090481a7985624867783c498a8d4e52f0ab4bddc8309523d2f3a5137746a3d

SHA512
45264ec98c340e05cabebd74b6dda25659658974a521ed38a1986ebae8db95cfb84f528d7bd7ab4d6fdcfe242af173bed9c2f4974d98f87e4f0ac6ce6bcb2e88

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
5d33fe5229fac1c0778237a6ea7d24d2

SHA1
42f43788c153a0f2b543c6b7031a148eb91d8e63

SHA256
12a707702fec5685fc4940a792136d1269648630b17f8bcab3ade014c7336876

SHA512
ffbf2d600932a65a70358067d1aff4421942b548b91d4b082bc1a1820cb0621102f93703e5d99eb16d487d2afa1aeb7084e49171bb7f99bea60ac92e01859464

Download Submit
memory/584-747-0x0000000100000000-0x0000000100203000-memory.dmp

Filesize
2.0MB

Download
memory/584-275-0x0000000100000000-0x0000000100203000-memory.dmp

Filesize
2.0MB

Download
memory/1012-313-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1012-773-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1052-107-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1052-100-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1052-801-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1052-203-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1052-108-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1100-225-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1100-161-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1164-80-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1164-186-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1164-82-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1164-87-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1300-7-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/1300-6-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/1300-0-0x0000000000400000-0x00000000006C3000-memory.dmp

Filesize
2.8MB

Download
memory/1300-1-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/1300-99-0x0000000000400000-0x00000000006C3000-memory.dmp

Filesize
2.8MB

Download
memory/1388-269-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1388-654-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1424-290-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1480-601-0x0000000003E60000-0x0000000003F1A000-memory.dmp

Filesize
744KB

Download
memory/1500-230-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/1632-314-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1632-299-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1636-259-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1636-240-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1696-206-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1696-243-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1880-248-0x0000000100000000-0x0000000100253000-memory.dmp

Filesize
2.3MB

Download
memory/1880-438-0x0000000100000000-0x0000000100253000-memory.dmp

Filesize
2.3MB

Download
memory/1972-488-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1972-458-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2136-894-0x0000000001D60000-0x0000000001E4C000-memory.dmp

Filesize
944KB

Download
memory/2136-890-0x0000000001D60000-0x0000000001D7A000-memory.dmp

Filesize
104KB

Download
memory/2136-900-0x0000000001D60000-0x0000000001DC6000-memory.dmp

Filesize
408KB

Download
memory/2136-893-0x0000000001D60000-0x0000000001EFE000-memory.dmp

Filesize
1.6MB

Download
memory/2136-62-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2136-896-0x0000000001D60000-0x0000000001DE8000-memory.dmp

Filesize
544KB

Download
memory/2136-892-0x0000000001D60000-0x0000000001E04000-memory.dmp

Filesize
656KB

Download
memory/2136-891-0x0000000001D60000-0x0000000001DEC000-memory.dmp

Filesize
560KB

Download
memory/2136-180-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2136-897-0x0000000001D60000-0x0000000001D84000-memory.dmp

Filesize
144KB

Download
memory/2136-61-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2136-895-0x0000000000F00000-0x0000000000F10000-memory.dmp

Filesize
64KB

Download
memory/2136-899-0x0000000001D60000-0x0000000001D8A000-memory.dmp

Filesize
168KB

Download
memory/2136-889-0x0000000001D60000-0x0000000001D7E000-memory.dmp

Filesize
120KB

Download
memory/2136-888-0x0000000000F00000-0x0000000000F0A000-memory.dmp

Filesize
40KB

Download
memory/2136-898-0x0000000000F00000-0x0000000000F08000-memory.dmp

Filesize
32KB

Download
memory/2136-67-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2228-127-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2228-13-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2272-141-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2272-739-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2296-231-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/2296-312-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/2300-273-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2300-209-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2360-380-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2372-30-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2372-74-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2372-36-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/2372-31-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/2396-227-0x0000000001000000-0x00000000011D5000-memory.dmp

Filesize
1.8MB

Download
memory/2528-53-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2528-93-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2528-47-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2528-46-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2660-140-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2660-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2660-24-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2660-18-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2660-17-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2696-119-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2696-208-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/2696-405-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/2696-121-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/2700-559-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2700-264-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2708-211-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2708-136-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2736-435-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2736-457-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2796-163-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2796-170-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2808-263-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2808-194-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2816-286-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2816-762-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2884-443-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2884-370-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/3032-178-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/3032-181-0x00000000005F0000-0x00000000007E1000-memory.dmp

Filesize
1.9MB

Download
memory/3032-251-0x00000000005F0000-0x00000000007E1000-memory.dmp

Filesize
1.9MB

Download
memory/3032-245-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/3060-167-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/3060-234-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download