Analysis
max time kernel: 149s
max time network: 156s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 21:41
Static task: static1
Behavioral task: behavioral1
Sample: 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
Resource: win7-20241010-en
General
Target: 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
Size: 1.3MB
MD5: 943d8eb8eb32fc187ad237abdf02e76a
SHA1: 59c5ef6ac7a0271112ac9870ce0bc147e7cc63d7
SHA256: aaeb6a9ba4d5654a8043380de601dbf6c188d32ce22530d6180ed87739954942
SHA512: 4dec5d057cdbde7e569f219b51e41c22624e15369c3d7c455a86096f3c302aee669abd59e58f5ba8213bb8093fec7aa0d8a1beea75213549a349b49bfffeeebe
SSDEEP: 12288:ktOw6BayoMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:66B3SkQ/7Gb8NLEbeZ
Malware Config
Signatures
Executes dropped EXE 64 IoCs
Loads dropped DLL 50 IoCs
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 21 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid Process
1740 ehRec.exe
2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
Token: SeShutdownPrivilege 1924 mscorsvw.exe
Token: SeShutdownPrivilege 2628 mscorsvw.exe
Token: 33 1576 EhTray.exe
Token: SeIncBasePriorityPrivilege 1576 EhTray.exe
Token: SeShutdownPrivilege 1924 mscorsvw.exe
Token: SeShutdownPrivilege 2628 mscorsvw.exe
Token: SeDebugPrivilege 1740 ehRec.exe
Token: SeShutdownPrivilege 1924 mscorsvw.exe
Token: SeShutdownPrivilege 1924 mscorsvw.exe
Token: SeShutdownPrivilege 2628 mscorsvw.exe
Token: SeShutdownPrivilege 2628 mscorsvw.exe
Token: SeRestorePrivilege 2708 msiexec.exe
Token: SeTakeOwnershipPrivilege 2708 msiexec.exe
Token: SeSecurityPrivilege 2708 msiexec.exe
Token: 33 1576 EhTray.exe
Token: SeIncBasePriorityPrivilege 1576 EhTray.exe
Token: SeBackupPrivilege 2720 vssvc.exe
Token: SeRestorePrivilege 2720 vssvc.exe
Token: SeAuditPrivilege 2720 vssvc.exe
Token: SeBackupPrivilege 1136 wbengine.exe
Token: SeRestorePrivilege 1136 wbengine.exe
Token: SeSecurityPrivilege 1136 wbengine.exe
Token: SeManageVolumePrivilege 2724 SearchIndexer.exe
Token: 33 2724 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2724 SearchIndexer.exe
Token: 33 1188 wmpnetwk.exe
Token: SeIncBasePriorityPrivilege 1188 wmpnetwk.exe
Token: SeShutdownPrivilege 1924 mscorsvw.exe
Token: SeShutdownPrivilege 2628 mscorsvw.exe
Token: SeDebugPrivilege 2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
Token: SeDebugPrivilege 2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
Token: SeDebugPrivilege 2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
Token: SeDebugPrivilege 2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
Token: SeDebugPrivilege 2772 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
Token: SeShutdownPrivilege 1924 mscorsvw.exe
Token: SeShutdownPrivilege 2628 mscorsvw.exe
Token: SeDebugPrivilege 2800 alg.exe
Token: SeShutdownPrivilege 1924 mscorsvw.exe
Token: SeShutdownPrivilege 1924 mscorsvw.exe
Token: SeShutdownPrivilege 1924 mscorsvw.exe
Token: SeShutdownPrivilege 1924 mscorsvw.exe
Token: SeShutdownPrivilege 2628 mscorsvw.exe
Token: SeShutdownPrivilege 2628 mscorsvw.exe
Token: SeShutdownPrivilege 2628 mscorsvw.exe
Token: SeShutdownPrivilege 1924 mscorsvw.exe
Token: SeShutdownPrivilege 2628 mscorsvw.exe
Token: SeShutdownPrivilege 1924 mscorsvw.exe
Token: SeShutdownPrivilege 2628 mscorsvw.exe
Token: SeShutdownPrivilege 1924 mscorsvw.exe
Token: SeShutdownPrivilege 2628 mscorsvw.exe
Token: SeShutdownPrivilege 1924 mscorsvw.exe
Token: SeShutdownPrivilege 2628 mscorsvw.exe
Token: SeShutdownPrivilege 1924 mscorsvw.exe
Token: SeShutdownPrivilege 2628 mscorsvw.exe
Token: SeShutdownPrivilege 1924 mscorsvw.exe
Token: SeShutdownPrivilege 2628 mscorsvw.exe
Token: SeShutdownPrivilege 1924 mscorsvw.exe
Token: SeShutdownPrivilege 2628 mscorsvw.exe
Token: SeShutdownPrivilege 1924 mscorsvw.exe
Token: SeShutdownPrivilege 2628 mscorsvw.exe
Token: SeShutdownPrivilege 1924 mscorsvw.exe
Token: SeShutdownPrivilege 2628 mscorsvw.exe
Token: SeShutdownPrivilege 1924 mscorsvw.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
1576 EhTray.exe
1576 EhTray.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
pid Process
1576 EhTray.exe
1576 EhTray.exe
-
Suspicious use of SetWindowsHookEx 23 IoCs
pid Process
2204 SearchProtocolHost.exe
2204 SearchProtocolHost.exe
2204 SearchProtocolHost.exe
2204 SearchProtocolHost.exe
2204 SearchProtocolHost.exe
1052 SearchProtocolHost.exe
1052 SearchProtocolHost.exe
1052 SearchProtocolHost.exe
1052 SearchProtocolHost.exe
1052 SearchProtocolHost.exe
1052 SearchProtocolHost.exe
1052 SearchProtocolHost.exe
1052 SearchProtocolHost.exe
1052 SearchProtocolHost.exe
1052 SearchProtocolHost.exe
1052 SearchProtocolHost.exe
1052 SearchProtocolHost.exe
1052 SearchProtocolHost.exe
1052 SearchProtocolHost.exe
1052 SearchProtocolHost.exe
1052 SearchProtocolHost.exe
1052 SearchProtocolHost.exe
2204 SearchProtocolHost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1924 wrote to memory of 2716 1924 mscorsvw.exe 46
PID 1924 wrote to memory of 2716 1924 mscorsvw.exe 46
PID 1924 wrote to memory of 2716 1924 mscorsvw.exe 46
PID 1924 wrote to memory of 2716 1924 mscorsvw.exe 46
PID 1924 wrote to memory of 2464 1924 mscorsvw.exe 48
PID 1924 wrote to memory of 2464 1924 mscorsvw.exe 48
PID 1924 wrote to memory of 2464 1924 mscorsvw.exe 48
PID 1924 wrote to memory of 2464 1924 mscorsvw.exe 48
PID 1924 wrote to memory of 2148 1924 mscorsvw.exe 50
PID 1924 wrote to memory of 2148 1924 mscorsvw.exe 50
PID 1924 wrote to memory of 2148 1924 mscorsvw.exe 50
PID 1924 wrote to memory of 2148 1924 mscorsvw.exe 50
PID 1924 wrote to memory of 2556 1924 mscorsvw.exe 55
PID 1924 wrote to memory of 2556 1924 mscorsvw.exe 55
PID 1924 wrote to memory of 2556 1924 mscorsvw.exe 55
PID 1924 wrote to memory of 2556 1924 mscorsvw.exe 55
PID 1924 wrote to memory of 1460 1924 mscorsvw.exe 75
PID 1924 wrote to memory of 1460 1924 mscorsvw.exe 75
PID 1924 wrote to memory of 1460 1924 mscorsvw.exe 75
PID 1924 wrote to memory of 1460 1924 mscorsvw.exe 75
PID 1924 wrote to memory of 1412 1924 mscorsvw.exe 61
PID 1924 wrote to memory of 1412 1924 mscorsvw.exe 61
PID 1924 wrote to memory of 1412 1924 mscorsvw.exe 61
PID 1924 wrote to memory of 1412 1924 mscorsvw.exe 61
PID 1924 wrote to memory of 2360 1924 mscorsvw.exe 62
PID 1924 wrote to memory of 2360 1924 mscorsvw.exe 62
PID 1924 wrote to memory of 2360 1924 mscorsvw.exe 62
PID 1924 wrote to memory of 2360 1924 mscorsvw.exe 62
PID 1924 wrote to memory of 2868 1924 mscorsvw.exe 63
PID 1924 wrote to memory of 2868 1924 mscorsvw.exe 63
PID 1924 wrote to memory of 2868 1924 mscorsvw.exe 63
PID 1924 wrote to memory of 2868 1924 mscorsvw.exe 63
PID 1924 wrote to memory of 2648 1924 mscorsvw.exe 64
PID 1924 wrote to memory of 2648 1924 mscorsvw.exe 64
PID 1924 wrote to memory of 2648 1924 mscorsvw.exe 64
PID 1924 wrote to memory of 2648 1924 mscorsvw.exe 64
PID 1924 wrote to memory of 1944 1924 mscorsvw.exe 65
PID 1924 wrote to memory of 1944 1924 mscorsvw.exe 65
PID 1924 wrote to memory of 1944 1924 mscorsvw.exe 65
PID 1924 wrote to memory of 1944 1924 mscorsvw.exe 65
PID 1924 wrote to memory of 1988 1924 mscorsvw.exe 66
PID 1924 wrote to memory of 1988 1924 mscorsvw.exe 66
PID 1924 wrote to memory of 1988 1924 mscorsvw.exe 66
PID 1924 wrote to memory of 1988 1924 mscorsvw.exe 66
PID 1924 wrote to memory of 2932 1924 mscorsvw.exe 67
PID 1924 wrote to memory of 2932 1924 mscorsvw.exe 67
PID 1924 wrote to memory of 2932 1924 mscorsvw.exe 67
PID 1924 wrote to memory of 2932 1924 mscorsvw.exe 67
PID 1924 wrote to memory of 1520 1924 mscorsvw.exe 68
PID 1924 wrote to memory of 1520 1924 mscorsvw.exe 68
PID 1924 wrote to memory of 1520 1924 mscorsvw.exe 68
PID 1924 wrote to memory of 1520 1924 mscorsvw.exe 68
PID 1924 wrote to memory of 2044 1924 mscorsvw.exe 69
PID 1924 wrote to memory of 2044 1924 mscorsvw.exe 69
PID 1924 wrote to memory of 2044 1924 mscorsvw.exe 69
PID 1924 wrote to memory of 2044 1924 mscorsvw.exe 69
PID 1924 wrote to memory of 2040 1924 mscorsvw.exe 70
PID 1924 wrote to memory of 2040 1924 mscorsvw.exe 70
PID 1924 wrote to memory of 2040 1924 mscorsvw.exe 70
PID 1924 wrote to memory of 2040 1924 mscorsvw.exe 70
PID 1924 wrote to memory of 432 1924 mscorsvw.exe 71
PID 1924 wrote to memory of 432 1924 mscorsvw.exe 71
PID 1924 wrote to memory of 432 1924 mscorsvw.exe 71
PID 1924 wrote to memory of 432 1924 mscorsvw.exe 71
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2800
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
PID:1860
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2112
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
PID:1596
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2716
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2464
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2148
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 250 -NGENProcess 254 -Pipe 238 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2556
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 250 -NGENProcess 1d0 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1460
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 264 -NGENProcess 254 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1412
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 240 -NGENProcess 1ec -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2360
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 260 -NGENProcess 264 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2868
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 270 -NGENProcess 268 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2648
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 23c -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1944
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 250 -NGENProcess 24c -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1988
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1ec -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2932
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 264 -NGENProcess 270 -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1520
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 240 -NGENProcess 27c -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2044
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 278 -NGENProcess 250 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2040
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 274 -NGENProcess 284 -Pipe 23c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:432
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 28c -NGENProcess 27c -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1004
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 294 -NGENProcess 250 -Pipe 290 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2012
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 29c -NGENProcess 270 -Pipe 298 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2892
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 278 -NGENProcess 28c -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1460
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 274 -NGENProcess 29c -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1352
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 294 -NGENProcess 2a4 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:108
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 270 -NGENProcess 29c -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1144
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 264 -NGENProcess 278 -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2368
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 238 -NGENProcess 290 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1964
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 244 -NGENProcess 1d0 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1444
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1e4 -NGENProcess 278 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:912
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 220 -NGENProcess 290 -Pipe 21c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1920
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 278 -NGENProcess 290 -Pipe 238 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:520
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 270 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1172
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1c0 -NGENProcess 220 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2368
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 284 -NGENProcess 290 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:568
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 290 -NGENProcess 270 -Pipe 294 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2496
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2a8 -NGENProcess 220 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2752
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 290 -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:828
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 244 -NGENProcess 220 -Pipe 1c0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1420
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 220 -NGENProcess 2a8 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2300
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 2a4 -NGENProcess 29c -Pipe 274 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:980
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 29c -NGENProcess 244 -Pipe 28c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1624
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 1ec -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1600
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 2a8 -NGENProcess 2a4 -Pipe 2a0 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1732
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b4 -NGENProcess 244 -Pipe 220 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1448
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 244 -NGENProcess 1ec -Pipe 2b0 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1664
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 29c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2300
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a4 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2892
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 264 -NGENProcess 1ec -Pipe 2a8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2308
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1ec -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2124
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:520
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 264 -Pipe 2c8 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1580
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1420
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1688
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 264 -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1500
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 264 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2980
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2b4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1984
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2cc -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"2⤵
PID:3008
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 2bc -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2964
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"2⤵
PID:1616
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 264 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2952
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2dc -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1976
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 2cc -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1444
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2f8 -Pipe 2b4 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1936
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2ec -Pipe 2d4 -Comment "NGen Worker Process"2⤵
PID:1124
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2e4 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2008
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2e4 -NGENProcess 300 -Pipe 2f8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2756
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 300 -NGENProcess 2f4 -Pipe 2ec -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:944
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 314 -NGENProcess 30c -Pipe 2dc -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1580
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2516
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2f4 -Pipe 308 -Comment "NGen Worker Process"2⤵PID:1960
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 30c -Pipe 2fc -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2648
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 310 -Pipe 2e4 -Comment "NGen Worker Process"2⤵PID:1732
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2f4 -Pipe 300 -Comment "NGen Worker Process"2⤵PID:2892
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 30c -Pipe 314 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2244
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 310 -Pipe 318 -Comment "NGen Worker Process"2⤵PID:1392
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2f4 -Pipe 31c -Comment "NGen Worker Process"2⤵PID:1204
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 30c -Pipe 320 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1068
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 310 -Pipe 324 -Comment "NGen Worker Process"2⤵PID:648
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2f4 -Pipe 328 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1500
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 30c -Pipe 32c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1996
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 310 -Pipe 330 -Comment "NGen Worker Process"2⤵PID:868
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 2f4 -Pipe 334 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:680
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 30c -Pipe 338 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1940
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 310 -Pipe 33c -Comment "NGen Worker Process"2⤵PID:1592
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 2f4 -Pipe 340 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2360
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 30c -Pipe 344 -Comment "NGen Worker Process"2⤵PID:1172
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 310 -Pipe 348 -Comment "NGen Worker Process"2⤵PID:664
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 2f4 -Pipe 34c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2204
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 30c -Pipe 350 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2352
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 310 -Pipe 354 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1964
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 2f4 -Pipe 358 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1576
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 30c -Pipe 35c -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1356
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 310 -Pipe 360 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1936
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 310 -NGENProcess 378 -Pipe 37c -Comment "NGen Worker Process"2⤵PID:1892
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 380 -NGENProcess 30c -Pipe 368 -Comment "NGen Worker Process"2⤵PID:1688
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2628
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c0 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 3060
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
    - Executes dropped EXE
    PID: 1784

C:\Windows\ehome\ehRecvr.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 2160

C:\Windows\ehome\ehsched.exe
  - Executes dropped EXE
  PID: 2204

"C:\Windows\eHome\EhTray.exe" /nav:-2
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1576

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
  PID: 2128

C:\Windows\system32\IEEtwCollector.exe /V
  - Executes dropped EXE
  PID: 1624

C:\Windows\ehome\ehRec.exe -Embedding
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1740

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 2432

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 1808

C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 2080

C:\Windows\system32\msiexec.exe /V
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 2708

"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1236

C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 2144

C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 2576

C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 1072

C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 1008

C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2720

"C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1136

C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 2468

"C:\Program Files\Windows Media Player\wmpnetwk.exe"
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 1188

C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 2724
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
    - Suspicious use of SetWindowsHookEx
    PID: 2204
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
    - Modifies data under HKEY_USERS
    PID: 740
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID: 1052

Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.3MB
  MD5: 759f951c01507e25e051f9e8178715a5
  SHA1: b3732011bdb3e66d0f81abd49ccc9f14460e1556
  SHA256: a1eb9529944d7b8a81e56bf62294a9ce16b3aba89a7a65e10d4ce1b20300d346
  SHA512: 9eb81b2f1f07d5e31a2d7f7200ed66099c899842c79857d151ddd138d9f9927d1d381080a0fb1b5b8592d3347fd0eeb61a6521ddb3c669b48ea60adbe1001922
- Filesize: 30.1MB
  MD5: 385e820902f9a6acea68d05cc74e0834
  SHA1: e273fbb2af0b0fa6c93536b42d69c7b62ab8f7de
  SHA256: 9a95d5698336fb220c98f1edfb6d188ec77965e917c1109d7a57ef68c5b63f07
  SHA512: faf913764fa5eec106d043286637ae6a4fb5f3220c808aed1ba918767697928257971f26878da62256441874e9532eb2dcbdfe45b581240803269195bf6e9c73
- Filesize: 1.4MB
  MD5: 7e13caf03349bc224170eb90d9eaa292
  SHA1: 8b54a5cba2310d84fa738342bf6401c5e53f21cd
  SHA256: 4d4920ef1df586a85c8f3e175e638edddfa9d69a14555c11e85d6e2c05950823
  SHA512: 5808aa8e71d754a486df020eb0b18b1982e0306be6134197f745007d4527ed5b21dcb70d6314bc2296e27122d36436f543229d21209faa40e3a2fd7e0e5f499f
- Filesize: 2.1MB
  MD5: c02332f53d9bcaa5f768e7a4725672d8
  SHA1: 1d27d35b54863b5ebc1c2454ab52f4d8456f21f6
  SHA256: 213724f924fab65d3106ba962ebf2e67d12b125520fec499b9889c0e11b665e9
  SHA512: 982eaaa0aea98c081c24cb2e983a0fba9d4bb628e25243e0741f4702ffc6f30811833956c9bc4393ddaff051af3151638aa51e3ba0b170aacfb4cda9d340781c
- Filesize: 1024KB
  MD5: 51da34a4f22540e7676f7e66bbb3d544
  SHA1: 963a8594079797affc9f8761097d2923fbdaaa79
  SHA256: 9f28ece875b6bbe68f45aa53fc6d82f4891ba8112988e67c9d09c564ff6fced6
  SHA512: 33cc454adcbf59703a93e68a0523ff49a6e5dea120cfb16f4e5b74417b0bff426e8cf6c6adca7cc92c2a7f65ce626e7eece84b8f3f5c4199afce2a7a6c6f524f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
  Filesize: 24B
  MD5: b9bd716de6739e51c620f2086f9c31e4
  SHA1: 9733d94607a3cba277e567af584510edd9febf62
  SHA256: 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
  SHA512: cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
- Filesize: 872KB
  MD5: 025d0a8890a416db662571a1857e489d
  SHA1: a970182564e580e4f581011c3231cf4041109f0f
  SHA256: 2adb67028ebf6fa674e476dbfbe1cc20e41d4c0e4dde4b5d76f0faf9090a6ecf
  SHA512: 190d27a6f8dbaf0777131bb065f3b655763c8d4a2c1e9d552f7293978a810ee6604efb8a870b00abfc3e7269d1da5ab489d270fcba1e6a3ebaf30d345b3f7b2a
- Filesize: 1.3MB
  MD5: 47d8bd6043043ae66ce5a0f25c7683c9
  SHA1: 42e1de4817d8b32b24dfc02fd3984bed1b6d39bb
  SHA256: 3429a06427b2959bc51ed8f83210438f66c2f636f30d790235c2f5c5f4ef8224
  SHA512: e8b530cd9898299015002df19d00a7a1ad2dc1028dabf249170a3ecefacedd1e76fe3bd6da6aee75b7b4c6b0037b1f5b58d990acdf042c4386c061fd7a9feec7
- Filesize: 1.2MB
  MD5: 427e9432c35ae8f0f16591f42e936825
  SHA1: 989df19d132a3c3dd9a9d198025654024ff5a158
  SHA256: 166d1ed872169dadd25c54256d6cfce45353f03593db99d0cd81cf9e0147aa45
  SHA512: 9f25482e0da0f9c0feeee467050308138ebc41f2ad865d63776716bc0c03da209d450e5254154719bf8a630f2f45a6cbac07abfecfb7829879b2caa4c74e3d68
- Filesize: 1003KB
  MD5: 90490c4414d29cfea7e8ce2ba55bf62a
  SHA1: 3d3d89950b674ed3ed1a9cd5595066b7e7ffac6d
  SHA256: 63a9644295e61a0edf8afac94c4163dd915f1e44b911bafe590e4ae83fc1d32f
  SHA512: 16ef6b75bedd62c502ef20e8c0e4b5312a2e21237de3102d2dc1ec1fb54f84bc9952276ce8a384a991ab0c6a1cff219b74d630e2d0c6b96211402ff67c277cc7
- Filesize: 1.2MB
  MD5: d8ea994663dc84c658944adbdf481952
  SHA1: b3e95fb5a1d4c50104b46da08994846c22c6300c
  SHA256: 4d49b11ffc3986cd8b1623330137db26fdca355357e35b0950057c461209c8ed
  SHA512: 6be81168f3c8bd81a0bde36d305e050db347e7dc0787e23d9364d19843093dffd7f2500108b599203f7163c368af73c6ad77bf711b31dd320a7dd673847e311e
- Filesize: 8KB
  MD5: 9354a11253ce764d9b90f1588923d92a
  SHA1: 2923046fa2835757e6bbcca10575705849356c35
  SHA256: d4e1993efde7f7748d3ebbdb10aeb98a70308d4949e9ea0e7ae7a9be020022d5
  SHA512: e862b61b3a4d765506b489ad429e71e569141b86f570064bc30f4432eca7552bc25e88501a5e10b35c58a1e3855a03a912b0f509f4d590bcef2c02b538dc4780
- Filesize: 1.2MB
  MD5: 5df2f1483a70993e7f8aca70f7866490
  SHA1: 468bb749e601bc1fe6dd3102aa88a485073f4d0f
  SHA256: 79a3c0da99fe5b90c69a5df707a359c78d87a7af19a40faecf28e37c52ff11ac
  SHA512: 83f4bb4861b3f9c2f1f48248071aad6f8c287faf8f2eff9617c1d5754fc750f410056e7d4712ddf40ee6db232d6aea9dc108c8f64c3269ccb8abe60610412184
- Filesize: 1.2MB
  MD5: 00485341da380e0fdda958d169cd54a0
  SHA1: 324858a55de8061b142af80af38461dc6bb8ff94
  SHA256: bae47e965150a1812daf93ae7b5efc1330135a0df06864b365bab458c429c46b
  SHA512: cee488318e5d415cbadc7aeee9dee2d03202a9a85e7fae887021ccbe488efb91e716063f3b5164c8ed0db646051574d5775e56aa8a176e4d50c1f6df9d39ba3e
- Filesize: 1.1MB
  MD5: 6aed5b968a0cd667ee88ce2f9a09458e
  SHA1: e26689634618a1410d2597c02f4028d6b39b7169
  SHA256: 9026ab57813c96faf4fea699fbf518a314288d53e49cf5f737897691de922531
  SHA512: ef77400589d130db1ceecdd3cbaef402f859995dffb03d06cf4c0a177c2472ad93860c15ed94d79b55e152b7984ab2aafe9b19ece46419fc6f6f08d5879367ed
- Filesize: 2.1MB
  MD5: dc1d44a404cefa4e891740ff2030bbb1
  SHA1: cc12124e5b461d535bd3d22815f9524b7f2b01cd
  SHA256: e11708ff26e3ca8c81ea37c2d86de60e176b71b93884e84c0fa1dc26d1b22710
  SHA512: 00e7ab5e01fcc02255e9a8fba9ce8e0ec53927933bc14fd2488cf633c65b12199dffa5a0faf1582920450a0ccf0344657bfded761e94b310320998a530276941
- Filesize: 1.7MB
  MD5: 42bf30c99b3716b63bf727392ab8aec1
  SHA1: 2a4777290f33fb85fc81e9ac35abb94a3bbb64e2
  SHA256: a0a6927b20e315a1ea281a9a34c293852fad1454a9f73b62b57960de58b3589e
  SHA512: 239c3a5ed22d2bf36909d81a668b8a9d7ea50a3c62c07cb1cdeafaeb9b8454760625aab63be8b7f6b79ba13ded2f3645cf46fe5556752e0a49f40273a0466bbe
- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
  Filesize: 148KB
  MD5: ac901cf97363425059a50d1398e3454b
  SHA1: 2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
  SHA256: f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
  SHA512: 6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00
- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
  Filesize: 34KB
  MD5: c26b034a8d6ab845b41ed6e8a8d6001d
  SHA1: 3a55774cf22d3244d30f9eb5e26c0a6792a3e493
  SHA256: 620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3
  SHA512: 483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537
- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
  Filesize: 109KB
  MD5: 0fd0f978e977a4122b64ae8f8541de54
  SHA1: 153d3390416fdeba1b150816cbbf968e355dc64f
  SHA256: 211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60
  SHA512: ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8
- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\1514ee33d016d4cdd664432313174458\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
  Filesize: 187KB
  MD5: 49b7dfd02f97d463b9596ef98e48b2f2
  SHA1: 081bbfb8c4c684f943440284b2e70b2eed639de0
  SHA256: 1a500475033f98c4b27ff2d551cf32551bec0ea8da543d53984f2c0e463b2b0c
  SHA512: f4e167bc673bb50e2aebe4b43be0efbac944461861cbdd012227db2afd61a8a909bd95a162d8caa46edbce68f7eb72de4f1070c2b3191e9e0f836f36ce35cba8
- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
  Filesize: 41KB
  MD5: 3c269caf88ccaf71660d8dc6c56f4873
  SHA1: f9481bf17e10fe1914644e1b590b82a0ecc2c5c4
  SHA256: de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48
  SHA512: bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6
- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\866ab9756fda95782c282332a2dede82\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
  Filesize: 180KB
  MD5: f3fdc7ea0dceadf875ffc8fecffcff2a
  SHA1: fbc4f1acb6cd37fd4201fe08162a945b4e387426
  SHA256: 9c294639bf122b105044019447715ae4374d9622485b672f92a312afca0327c2
  SHA512: ef0888c4b1935bc2b4572dee02b060d99e3de2d415e3693c4d5f7f41ccbbea6659aa3e4349eb2f509449a418e0000adbfc48d131ab320609ff27f738773f59ab
- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
  Filesize: 210KB
  MD5: 4f40997b51420653706cb0958086cd2d
  SHA1: 0069b956d17ce7d782a0e054995317f2f621b502
  SHA256: 8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553
  SHA512: e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6
- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
  Filesize: 53KB
  MD5: e3a7a2b65afd8ab8b154fdc7897595c3
  SHA1: b21eefd6e23231470b5cf0bd0d7363879a2ed228
  SHA256: e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845
  SHA512: 6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33
- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ac2e1ab5cae0ba75d0a7173ad624c222\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
  Filesize: 143KB
  MD5: 1eff63517430e183b5389ba579ed93e2
  SHA1: 5891927b05adc6db5464fb02469c113a975ebbf0
  SHA256: b56eb87a81a8777ae81fe8099d7f18dd11757dff104a9609a0568ca0b4ce0856
  SHA512: 2861ba07bfea6dbe1e349df886a401df47e9ca2a3846d1f8a269c6a558bdc5f5e4bf30cbaa8c115af801f2e5bf722084b88290e1dd10c4cedbc49a26e8eda844
- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
  Filesize: 28KB
  MD5: aefc3f3c8e7499bad4d05284e8abd16c
  SHA1: 7ab718bde7fdb2d878d8725dc843cfeba44a71f7
  SHA256: 4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d
  SHA512: 1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b
- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b7183bbf1dcfcda525b065dda4178b75\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
  Filesize: 83KB
  MD5: dfde5af568833190a98a50c7daf36f8f
  SHA1: ae91423ccba3b29be25fe1fc36286ffe02e0b908
  SHA256: 2aba01ad9186b203f6d4a8263785d10c996feb6f10edd3ca6c4a3a78a503e667
  SHA512: 55f41d4f8acc42fe9d24d529427ee54cb3711a931ca9a9143bda7018d02c37a6825f223f4681663208e2d6d82b8d05465869d50b5a774f5e4e234ecbca39fd48
- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
  Filesize: 27KB
  MD5: 9c60454398ce4bce7a52cbda4a45d364
  SHA1: da1e5de264a6f6051b332f8f32fa876d297bf620
  SHA256: edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1
  SHA512: 533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300
- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
  Filesize: 57KB
  MD5: 6eaaa1f987d6e1d81badf8665c55a341
  SHA1: e52db4ad92903ca03a5a54fdb66e2e6fad59efd5
  SHA256: 4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e
  SHA512: dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2
- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
  Filesize: 130KB
  MD5: 2735d2ab103beb0f7c1fbd6971838274
  SHA1: 6063646bc072546798bf8bf347425834f2bfad71
  SHA256: f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3
  SHA512: fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de
- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
  Filesize: 59KB
  MD5: 8c69bbdfbc8cc3fa3fa5edcd79901e94
  SHA1: b8028f0f557692221d5c0160ec6ce414b2bdf19b
  SHA256: a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
  SHA512: 825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557
- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
  Filesize: 42KB
  MD5: 71d4273e5b77cf01239a5d4f29e064fc
  SHA1: e8876dea4e4c4c099e27234742016be3c80d8b62
  SHA256: f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575
  SHA512: 41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180
- C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
  Filesize: 855KB
  MD5: 7812b0a90d92b4812d4063b89a970c58
  SHA1: 3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea
  SHA256: 897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543
  SHA512: 634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed
- C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
  Filesize: 43KB
  MD5: 3e72bdd0663c5b2bcd530f74139c83e3
  SHA1: 66069bcac0207512b9e07320f4fa5934650677d2
  SHA256: 6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357
  SHA512: b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626
- Filesize: 2.0MB
  MD5: 57c1a44b8bfd09073cc2a34eb5ae1a60
  SHA1: d814f5740d6d7cca2e1d2a56804d905a1d9bfe37
  SHA256: c58acbf6b4552276cce95c0128c5192dcaa87e63b72506355e6121e6000f78a6
  SHA512: 3f19eb7f65891a4bad8b7eda170543ababa84c4f7869e3f3d211063fa3b2ac4b32679981692e2a0b56ad7720a13c236aa9164d3e3ab580c160faabb209502796
- Filesize: 1.2MB
  MD5: d788127ce0a6212f216a0cdc1e16dd23
  SHA1: 38ded1966a211afe96371392108db07b5aea0f1b
  SHA256: 810ac9fc5260ef3160c205446023bb0394c8524390dbae1ec60b3221f7779233
  SHA512: 3449d23ed1aa8036c68da2a0497c6c5ecee6b7617201363a46b9137034e226f1d7355b060bf0da9b06559e4865936f80b1bc0b34859c92460a26291edf516be0
- Filesize: 1.2MB
  MD5: f4e44fb82c29f65d0542e35fb2d17d78
  SHA1: d897f7b1c70d9d28fbcabf0c72024b49681c705a
  SHA256: b27fa13544a84ee28a09d4d5bc729fe7f91694e3d49a3ad1b014d929e9e1d55d
  SHA512: debafdc7a7a45e1e94520e2f8d82ccefb938e608d1b1c26e1ba655be2301ec14cf30364677d7cf495bc1231f40be7d073cad31933b2d1a55ebcc26171eafecd9
- Filesize: 1.2MB
  MD5: 35c3a890e1dba240a9015702f29f5276
  SHA1: c06f2234aa8263815013ca522724d778926e5d95
  SHA256: 07df3c4fbb73c429896575c9ea07a3003f1c841208ab30ea7919b1cb8fa6e754
  SHA512: 7eda7677fab88745b714b1f383870c04892a3d960b716719c91029530399457ef340c9eba485b5484bda5a51a63307ce969b339043cfb49c388afe35a463d1d1
- Filesize: 1.2MB
  MD5: 496275fcc281f5db4a281e73cbe8c408
  SHA1: 36a99528fa569836597eea3ff865af0dca83c5cb
  SHA256: 0349d4a390bb99e962ed92e40cd43f4dfcde41cefcdb78ad1e9c78b23c0268ac
  SHA512: ee28fe47ff2f95844e376e205e6860868407282cac65cab262284cecf1ed2c0646d9323111758487e38c6f833dac48bd45390af6973491d14ecc2e8aa7cea7aa
- Filesize: 1.3MB
  MD5: db8975150e8ce7aefcbf43eae4b471c2
  SHA1: b5554d7b36692e011c420d5a3acf3c4450039bec
  SHA256: 3f92f441b23c6595b93f79caaf4fa31c6b3be9bab42f7488292660181b5a76ce
  SHA512: bd119c06f5b1ebd267d9a5365e9cbba2c78c9fd770811c1bdcd58c755c3cb61573ee7477a34929fdc48dea268697b12b9addf4df4800a446cca178a8d5ab203d
- Filesize: 1.3MB
  MD5: 33bc11125e8d7b46c35aa4fb5e418126
  SHA1: e94e6d983f615e798c8491cdc3d8ec4b459ca1b6
  SHA256: 2600eee5ce1a5edd8fae5c66841c3bdfe155f69224eb5e22867dd0637b6ca554
  SHA512: f0d2ca76cd96a2dd1dbf48242727e7ed811a06f22a4951fa8f79d64bdf65b1d43de4069ea4a3aa44084b5745699e48aa3c0fa854489c82b017fe77e9329aa4bc
- Filesize: 1.2MB
  MD5: fc8f72d349b8189a9307e519609b77f6
  SHA1: 657550ecbb9d55306abdea6f82c264dc9231d6c3
  SHA256: d8bf8815d5bf93db4906efe18c8f3267219f6964d8b2a11ecdc1d35d1a2a3873
  SHA512: 7c5757dd2a7fa0d667be27628a1c09bd0542ffea730fb8fb0ec4bb0ec9c482106187d98bb8cbb2a9df79f083d1b6b8a9ce7c5524f4508c056ec306e4e1ea7857
- Filesize: 1.3MB
  MD5: 27d85e308111cfee9cbce93f51792766
  SHA1: 2d77a662c5732dc478c42dd9cc0f87a77af1e5e2
  SHA256: bbc68701cef8ebc3948554bdefbff06c3d7286a08a0a4e440060802afc9ee7b7
  SHA512: 0ac3a340fdbb31caa78006c68c78de9060697f89817040d5adc1a839a260f927a85c4d1740332615f6080f3bce5b6aad7d60447e883c2a2810df91eb17c53d7f
- Filesize: 2.0MB
  MD5: deb7818eb332d49ed67ab98ad9a79fb5
  SHA1: 06c30c4d3333f56cdc36ef1c65c52905fdeb15ec
  SHA256: 4bc047ccf4791373546318fa20d39fc7547688e77876146f057554ce8bb6b533
  SHA512: 395e4908a9fc7f9fa1a995196143207019312438be631e2dc29df5cede451316776b86c53910ec82ec6f4d7701be7bef6a77c5a5dd506638d338a7be9ec32c1f
- Filesize: 1.2MB
  MD5: 316d067218b5808773b3a2ed873791ae
  SHA1: b4d7109741a74b2265b08829f5e2e7e65dbacad9
  SHA256: 19370e3211751120f8b7579ed8659ea92fa6ada08635621ff580d6dd5627064a
  SHA512: e61f9294f254ffaf0f5abeb1857df4da7cc1acd1e8fee1bdc9a5aaa331d0f05a2296df619f35977c5f6f7c40f8ccd8c60272a65cfa907781a2165cda04f0a503
- Filesize: 1.3MB
  MD5: 89d52a64021fae6bb4a337123ccc0623
  SHA1: b1b3191b96e4b79d961e65b33031f89cda79f816
  SHA256: d8de66c325c44d6e37cc219e7e5294c29c7e59cfbf8db60c909296dd34d96422
  SHA512: 070b0cb461742e941d3ed39ec7c939cc9c32343ca272b5e04dd7612885ac6e40c252d84f5fa7f842aa9239ec9cdcf4582f42b622fa45ca3e1081771ecb6098d2