80832cfbfc35038e53774a80206a57ac4cce3c7bfdce9bef154cf0eb6eca5d64

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
23/12/2023, 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80832cfbfc35038e53774a80206a57ac4cce3c7bfdce9bef154cf0eb6eca5d64.exe
Size

1.8MB
MD5

239296dc012bfca44101d67a1768fb11
SHA1

3cced1b37a4e9c4c7fd5fd5b6a7dead780cf3264
SHA256

80832cfbfc35038e53774a80206a57ac4cce3c7bfdce9bef154cf0eb6eca5d64
SHA512

2a5f57c2ba67edbdb591d00ec5bd70516aafb52ef0ecae8393a615ae363c7a0169e46161548de208d76a23e4bb1deba153eeb082ef04372f7b48a76c15dd9538
SSDEEP

49152:rKJ0WR7AFPyyiSruXKpk3WFDL9zxnSAGDgSGVJFLNXwA:rKlBAFPydSS6W6X9lnWrGVJXgA

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2200	alg.exe
3004	aspnet_state.exe
1412	mscorsvw.exe
2768	mscorsvw.exe
1536	mscorsvw.exe
2776	mscorsvw.exe
1400	ehRecvr.exe
2332	ehsched.exe
1192	elevation_service.exe
2444	IEEtwCollector.exe
2760	dllhost.exe
2512	maintenanceservice.exe
1488	OSE.EXE
2892	OSPPSVC.EXE
1260	mscorsvw.exe
2784	mscorsvw.exe
2744	mscorsvw.exe
2532	mscorsvw.exe
2840	mscorsvw.exe
2280	mscorsvw.exe
1744	mscorsvw.exe
1768	mscorsvw.exe
1260	mscorsvw.exe
1732	mscorsvw.exe
2512	mscorsvw.exe
2856	mscorsvw.exe
1820	mscorsvw.exe
1984	mscorsvw.exe
2720	mscorsvw.exe
1560	mscorsvw.exe
2624	mscorsvw.exe
1568	mscorsvw.exe
2804	mscorsvw.exe
2560	mscorsvw.exe
3012	mscorsvw.exe
656	mscorsvw.exe
1104	mscorsvw.exe
2456	mscorsvw.exe
1048	mscorsvw.exe
1180	mscorsvw.exe
2004	mscorsvw.exe
1408	mscorsvw.exe
880	mscorsvw.exe
3048	mscorsvw.exe
3056	mscorsvw.exe
2708	mscorsvw.exe
1400	mscorsvw.exe
1928	mscorsvw.exe
2380	mscorsvw.exe
1088	mscorsvw.exe
1988	mscorsvw.exe
2740	mscorsvw.exe
2396	mscorsvw.exe
1820	mscorsvw.exe
1816	mscorsvw.exe
3020	mscorsvw.exe
2572	mscorsvw.exe
2672	mscorsvw.exe
548	mscorsvw.exe
2408	mscorsvw.exe
3024	mscorsvw.exe
932	mscorsvw.exe
2528	mscorsvw.exe

Loads dropped DLL 42 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
3048	mscorsvw.exe
3048	mscorsvw.exe
2708	mscorsvw.exe
2708	mscorsvw.exe
1928	mscorsvw.exe
1928	mscorsvw.exe
1088	mscorsvw.exe
1088	mscorsvw.exe
2740	mscorsvw.exe
2740	mscorsvw.exe
1820	mscorsvw.exe
1820	mscorsvw.exe
3020	mscorsvw.exe
3020	mscorsvw.exe
2672	mscorsvw.exe
2672	mscorsvw.exe
2408	mscorsvw.exe
2408	mscorsvw.exe
932	mscorsvw.exe
932	mscorsvw.exe
740	mscorsvw.exe
740	mscorsvw.exe
3064	mscorsvw.exe
3064	mscorsvw.exe
1992	mscorsvw.exe
1992	mscorsvw.exe
2672	mscorsvw.exe
2672	mscorsvw.exe
1448	mscorsvw.exe
1448	mscorsvw.exe
2528	mscorsvw.exe
2528	mscorsvw.exe
828	mscorsvw.exe
828	mscorsvw.exe
1960	mscorsvw.exe
1960	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\659f03383db14c9a.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	80832cfbfc35038e53774a80206a57ac4cce3c7bfdce9bef154cf0eb6eca5d64.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	80832cfbfc35038e53774a80206a57ac4cce3c7bfdce9bef154cf0eb6eca5d64.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	80832cfbfc35038e53774a80206a57ac4cce3c7bfdce9bef154cf0eb6eca5d64.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	80832cfbfc35038e53774a80206a57ac4cce3c7bfdce9bef154cf0eb6eca5d64.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6CF6.tmp\GoogleUpdateCore.exe	80832cfbfc35038e53774a80206a57ac4cce3c7bfdce9bef154cf0eb6eca5d64.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6CF6.tmp\goopdateres_nl.dll	80832cfbfc35038e53774a80206a57ac4cce3c7bfdce9bef154cf0eb6eca5d64.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6CF6.tmp\goopdateres_fr.dll	80832cfbfc35038e53774a80206a57ac4cce3c7bfdce9bef154cf0eb6eca5d64.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6CF6.tmp\goopdateres_pt-PT.dll	80832cfbfc35038e53774a80206a57ac4cce3c7bfdce9bef154cf0eb6eca5d64.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6CF6.tmp\goopdateres_vi.dll	80832cfbfc35038e53774a80206a57ac4cce3c7bfdce9bef154cf0eb6eca5d64.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6CF6.tmp\goopdateres_sk.dll	80832cfbfc35038e53774a80206a57ac4cce3c7bfdce9bef154cf0eb6eca5d64.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6CF6.tmp\goopdateres_ml.dll	80832cfbfc35038e53774a80206a57ac4cce3c7bfdce9bef154cf0eb6eca5d64.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6CF6.tmp\goopdateres_th.dll	80832cfbfc35038e53774a80206a57ac4cce3c7bfdce9bef154cf0eb6eca5d64.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6CF6.tmp\goopdateres_ta.dll	80832cfbfc35038e53774a80206a57ac4cce3c7bfdce9bef154cf0eb6eca5d64.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6CF6.tmp\goopdateres_ro.dll	80832cfbfc35038e53774a80206a57ac4cce3c7bfdce9bef154cf0eb6eca5d64.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6CF6.tmp\goopdateres_sw.dll	80832cfbfc35038e53774a80206a57ac4cce3c7bfdce9bef154cf0eb6eca5d64.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6CF6.tmp\goopdateres_fil.dll	80832cfbfc35038e53774a80206a57ac4cce3c7bfdce9bef154cf0eb6eca5d64.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP587C.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP673B.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	80832cfbfc35038e53774a80206a57ac4cce3c7bfdce9bef154cf0eb6eca5d64.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP50BF.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6AD4.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A869A23D-361F-4F7C-8B79-073D27AD7D51}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4CAA.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8FD1.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3D3F.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1804	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1204	80832cfbfc35038e53774a80206a57ac4cce3c7bfdce9bef154cf0eb6eca5d64.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: 33	1504	EhTray.exe
Token: SeIncBasePriorityPrivilege	1504	EhTray.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeDebugPrivilege	1804	ehRec.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: 33	1504	EhTray.exe
Token: SeIncBasePriorityPrivilege	1504	EhTray.exe
Token: SeDebugPrivilege	2200	alg.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeDebugPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1536	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1504	EhTray.exe
1504	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1504	EhTray.exe
1504	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 1260	1536	mscorsvw.exe	44
PID 1536 wrote to memory of 1260	1536	mscorsvw.exe	44
PID 1536 wrote to memory of 1260	1536	mscorsvw.exe	44
PID 1536 wrote to memory of 1260	1536	mscorsvw.exe	44
PID 1536 wrote to memory of 2784	1536	mscorsvw.exe	45
PID 1536 wrote to memory of 2784	1536	mscorsvw.exe	45
PID 1536 wrote to memory of 2784	1536	mscorsvw.exe	45
PID 1536 wrote to memory of 2784	1536	mscorsvw.exe	45
PID 1536 wrote to memory of 2744	1536	mscorsvw.exe	46
PID 1536 wrote to memory of 2744	1536	mscorsvw.exe	46
PID 1536 wrote to memory of 2744	1536	mscorsvw.exe	46
PID 1536 wrote to memory of 2744	1536	mscorsvw.exe	46
PID 1536 wrote to memory of 2532	1536	mscorsvw.exe	47
PID 1536 wrote to memory of 2532	1536	mscorsvw.exe	47
PID 1536 wrote to memory of 2532	1536	mscorsvw.exe	47
PID 1536 wrote to memory of 2532	1536	mscorsvw.exe	47
PID 1536 wrote to memory of 2840	1536	mscorsvw.exe	48
PID 1536 wrote to memory of 2840	1536	mscorsvw.exe	48
PID 1536 wrote to memory of 2840	1536	mscorsvw.exe	48
PID 1536 wrote to memory of 2840	1536	mscorsvw.exe	48
PID 1536 wrote to memory of 2280	1536	mscorsvw.exe	49
PID 1536 wrote to memory of 2280	1536	mscorsvw.exe	49
PID 1536 wrote to memory of 2280	1536	mscorsvw.exe	49
PID 1536 wrote to memory of 2280	1536	mscorsvw.exe	49
PID 1536 wrote to memory of 1744	1536	mscorsvw.exe	50
PID 1536 wrote to memory of 1744	1536	mscorsvw.exe	50
PID 1536 wrote to memory of 1744	1536	mscorsvw.exe	50
PID 1536 wrote to memory of 1744	1536	mscorsvw.exe	50
PID 1536 wrote to memory of 1768	1536	mscorsvw.exe	51
PID 1536 wrote to memory of 1768	1536	mscorsvw.exe	51
PID 1536 wrote to memory of 1768	1536	mscorsvw.exe	51
PID 1536 wrote to memory of 1768	1536	mscorsvw.exe	51
PID 1536 wrote to memory of 1260	1536	mscorsvw.exe	52
PID 1536 wrote to memory of 1260	1536	mscorsvw.exe	52
PID 1536 wrote to memory of 1260	1536	mscorsvw.exe	52
PID 1536 wrote to memory of 1260	1536	mscorsvw.exe	52
PID 1536 wrote to memory of 1732	1536	mscorsvw.exe	54
PID 1536 wrote to memory of 1732	1536	mscorsvw.exe	54
PID 1536 wrote to memory of 1732	1536	mscorsvw.exe	54
PID 1536 wrote to memory of 1732	1536	mscorsvw.exe	54
PID 1536 wrote to memory of 2512	1536	mscorsvw.exe	56
PID 1536 wrote to memory of 2512	1536	mscorsvw.exe	56
PID 1536 wrote to memory of 2512	1536	mscorsvw.exe	56
PID 1536 wrote to memory of 2512	1536	mscorsvw.exe	56
PID 1536 wrote to memory of 2856	1536	mscorsvw.exe	57
PID 1536 wrote to memory of 2856	1536	mscorsvw.exe	57
PID 1536 wrote to memory of 2856	1536	mscorsvw.exe	57
PID 1536 wrote to memory of 2856	1536	mscorsvw.exe	57
PID 1536 wrote to memory of 1820	1536	mscorsvw.exe	58
PID 1536 wrote to memory of 1820	1536	mscorsvw.exe	58
PID 1536 wrote to memory of 1820	1536	mscorsvw.exe	58
PID 1536 wrote to memory of 1820	1536	mscorsvw.exe	58
PID 1536 wrote to memory of 1984	1536	mscorsvw.exe	59
PID 1536 wrote to memory of 1984	1536	mscorsvw.exe	59
PID 1536 wrote to memory of 1984	1536	mscorsvw.exe	59
PID 1536 wrote to memory of 1984	1536	mscorsvw.exe	59
PID 1536 wrote to memory of 2720	1536	mscorsvw.exe	60
PID 1536 wrote to memory of 2720	1536	mscorsvw.exe	60
PID 1536 wrote to memory of 2720	1536	mscorsvw.exe	60
PID 1536 wrote to memory of 2720	1536	mscorsvw.exe	60
PID 1536 wrote to memory of 1560	1536	mscorsvw.exe	61
PID 1536 wrote to memory of 1560	1536	mscorsvw.exe	61
PID 1536 wrote to memory of 1560	1536	mscorsvw.exe	61
PID 1536 wrote to memory of 1560	1536	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\80832cfbfc35038e53774a80206a57ac4cce3c7bfdce9bef154cf0eb6eca5d64.exe
"C:\Users\Admin\AppData\Local\Temp\80832cfbfc35038e53774a80206a57ac4cce3c7bfdce9bef154cf0eb6eca5d64.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:3004

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1412

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 24c -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 264 -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 244 -NGENProcess 26c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d4 -NGENProcess 23c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 23c -NGENProcess 250 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 25c -NGENProcess 274 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1f0 -NGENProcess 278 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1f0 -NGENProcess 264 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 27c -NGENProcess 278 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 254 -NGENProcess 1d8 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d8 -NGENProcess 278 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 244 -NGENProcess 28c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 244 -NGENProcess 25c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 244 -NGENProcess 250 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 290 -NGENProcess 298 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 27c -NGENProcess 250 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 29c -NGENProcess 244 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 244 -NGENProcess 1f0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 244 -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 25c -NGENProcess 1f0 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1d0 -NGENProcess 27c -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 2cc -NGENProcess 1f0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 244 -NGENProcess 2d4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2d4 -NGENProcess 250 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2bc -NGENProcess 2dc -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2d4 -NGENProcess 2e8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2bc -NGENProcess 2ec -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c4 -NGENProcess 2f0 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e0 -NGENProcess 2ec -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2e0 -NGENProcess 2c4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c4 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2d4 -NGENProcess 300 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2f4 -NGENProcess 304 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e8 -NGENProcess 308 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2f8 -NGENProcess 304 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 30c -NGENProcess 310 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2f0 -NGENProcess 314 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 314 -NGENProcess 300 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2f0 -NGENProcess 2d4 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 320 -NGENProcess 2f4 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 2f0 -NGENProcess 314 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 328 -NGENProcess 2f8 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 2f0 -NGENProcess 32c -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 30c -NGENProcess 330 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f8 -NGENProcess 334 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2f8 -NGENProcess 2d4 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2f8 -NGENProcess 2c4 -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 338 -NGENProcess 2f0 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 2f0 -NGENProcess 33c -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:1916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 304 -NGENProcess 340 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 340 -NGENProcess 2f8 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 120 -NGENProcess 348 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 324 -NGENProcess 348 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 32c -NGENProcess 34c -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 2f8 -NGENProcess 354 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2d4 -NGENProcess 34c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 350 -NGENProcess 35c -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 32c -NGENProcess 360 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 34c -NGENProcess 364 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 35c -NGENProcess 368 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 348 -NGENProcess 120 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 36c -NGENProcess 370 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 36c -NGENProcess 2d4 -Pipe 120 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 360 -NGENProcess 378 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 378 -NGENProcess 374 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 370 -NGENProcess 380 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:1788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 370 -NGENProcess 368 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:1816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 388 -NGENProcess 380 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 348 -NGENProcess 390 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 378 -NGENProcess 36c -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 32c -NGENProcess 390 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 398 -NGENProcess 348 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 3a0 -NGENProcess 398 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 32c -NGENProcess 388 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 378 -NGENProcess 3a4 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 398 -NGENProcess 3a8 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:320

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 178 -InterruptEvent 164 -NGENProcess 168 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 164 -NGENProcess 168 -Pipe 178 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1048

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1400

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2332

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1504

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1192

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2760

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2512

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1488

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
319cc515118356b307b3fe9c064a78e9

SHA1
68391ec6a1fbb045472551d04cb824ec7a17929b

SHA256
8b627a5831cdbb0a0178bbee6cb0ca52b0fc641dd303dc14ea5e160f182f5e1b

SHA512
444beb861f344b2efdc64bfeb1a2fb78b8fc435f53584d0cd3d075bf7b264d67249ee0a7089cadd01f7be34c94873fb0af8741777362c723d378b05a81c93bf9

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
a564e4e04d639ecd0bbb5df9f5207b68

SHA1
05ef15419225bc7bb50c7e806cc51a9a8d3b8e90

SHA256
ecf88ea28a9bd9a1854b52c8f72be1f9e49e62fc6509951d6ba5dfd31c99b943

SHA512
03d418aa84953ca5ac54f63b0f4be655a3e85b3c1bc83ac5d48c5d9451a9e27045b4f05f093fb18489d813b18341f501115fac75376f6300c1ee8aecaac274d9

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
ae5ac780fbbf47b0dddf4b498e7cc6a4

SHA1
145bcd847f6e5a8908dc5b8d5ecd73125c02c948

SHA256
fd77d8d05f59209143eeb95330afb8f2812bacf16c1a908a208f5e8c88851ff9

SHA512
b8ec241a49334d21e449eba0230589d9eb113e45612953f0965afc1d4b5d58fce7192562e945b69ad13cb0e8dca87fb4cf0fb3c9a9f59c36e6023d154247c849

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
a79ff3fab8c15168f7bd2daebdbeb3e1

SHA1
c7aed062bbb6c79299c1553ae33b9dbec4c24a07

SHA256
e4e66bea77c1ec094809bf7019c400eaa9f4348fb860c54c01c68658c869b075

SHA512
fc75a792765a99343abfdeb9ff1dcf953ba3252578b8e7f5479cf4e876e22a6c851b2222ca25c36ff2541acd1ecfe8f9e675a3693e0eb4e90cf7699d97177482

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
ab127f18ccc61e51d700cfd15301e172

SHA1
c69e94183874a6cb9b7a661146bef8baedfded47

SHA256
c02bb5087446fee7e6e6b22b75adbc407c3033d83de008364dcb56dac64e0f3e

SHA512
84f81568737e14d90b87c44553d393266da6edd1ffee51074126637bc0384c4ca2982f7a827a1a330f54c06534e2b1f4098f0df3d2efb74af7fb6b80dca6f8f4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
11.2MB

MD5
cc635f3e2779479c505f425d95c9ec7e

SHA1
0a79fedf767b70ec6a723dbb0b6019cf1d76d4cd

SHA256
0f5ed750b4605880822b93af3adbcc59500fbaa615ca4458ec723d97b4e57f78

SHA512
9f7a88eab0dfe6660f80024c5676cb7a63255a05b01aaf886a4fa6ffdea3d7994beb993c84be3a609305531864a97db363cc09f5fef5da4300fdc2dc5f991a2d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
4f3d76de99c43f0ce17082b1de073132

SHA1
8aa23fe64ee5c38a5d9d287479f27886605dcaa0

SHA256
1e0a0f0ffbf0e5189c41fb3e146906c8bce469c28d91a34edfe281c91153a001

SHA512
00f56dc657fc9f69eccb298b66d3a881ad6c53b225f99a7432fdcfba81c80127504679a79299259574ab2ba20ea4a43bdca52ea04631024b848ebdaebbcc9b15

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
93eb5ab6ee6e304253f1525912a638d5

SHA1
a781ba4571c1f8aaf5efd9d7f214d8a40ebc87e5

SHA256
56022d2bd723640b72fbc27f5dac545161588eabed4a2337b1a3fba085705abc

SHA512
6fe7110163483a9ce77ea979733def28c276fc781f96dacd4648b1eb6876475b5a80385f2dd2ad510f3e3678ace0378e793b83b2c27c62019fc52bb1c668e3da

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1253be54ba4b3e8dbe1e74f8c09ab771

SHA1
40cd5e30985f96923039668c4261bf4001df4f35

SHA256
80d3de1ff881d738a5f34af87e413ec78259c30d16ef738a016cb55d6fed9781

SHA512
b1eb5c023c6259aa92ea3a183bde9c27de77cd178530253367a4078d8b81f3f18f720e14f5fb3c712af0955bb78c11d5b012c2f89accce0bb72f2e65361980cd

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
92e2fcde7c393d49b3eec9f8daf17ce6

SHA1
2445a8ef4865f2059e3a04efd365c8f52f04f26d

SHA256
0f7f64d128ca4cf956173db13e21c87c41c827c6e52cfea32304c6f8b10e0a89

SHA512
f090905f06ad315449f684a508ff034ccdea087e767d5ee0d66c9ce019fc4990b1fdbe8386bc3910fa3ca882f51f6770b60ba445ff4e98b9fcc093daa445e1f0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
dbb7e3c88b89e4f2c7f0e825d8336c37

SHA1
73d598f6d640b78af1f1a89571333a90124d88d1

SHA256
596e529c4c30300ca75951f43570ba455fe64e8f0ffc3ab89798b72d3716f6f0

SHA512
bf1518c986bf6eafd0e0f93d48ae15319320c8c21e152aefbffac48ce793812a9c097513c08961d01352f1e0f3d099598e110b9e380d0386652deec1fd1a0407

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c3e9d97de510fbc88aabd33d21c527f7

SHA1
c837e5d6a4aa8d45e4c526ec2e855e4423d28be2

SHA256
7acd9f1c4de0306d0c5a99601e29ee4290d436df557e86c41bb609f4e3b123ea

SHA512
69939e4ddf98352ec8bc4ad7deb887d0c79c631169f9cc37ecb1feb0661a734ea573e819108325965013f69d68f013ecf28169243ac7621a1207f5a9a8e5e484

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
0ccf43b7c2d0bb1c84a6d82c87717bf3

SHA1
55d3fa96e698fe9dad62c3f4d2cf8e389272bf84

SHA256
367061a0146ab4667cbb835a70ffccd5b39cdaecc0913bf58dd8d2e194e439cc

SHA512
c663208a7752fef54c1f33184ec07790933f4a43175b3763f90fb7906ab40ea11da9d6d925f87f156d27eb060a6ac2ce370a4895dfb9fbd97b95ca52e0f4334f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
942b5a3c377c3ad56c8be6b972d16f83

SHA1
8f397986b1d0cddb183ae9162ed7889f6c7777e4

SHA256
ed02ff8e0660d4f165fd1dd831c6568d0848bf5b84cce6d1afd5485d805ced43

SHA512
b2ed9701077e3dec033b0c0211a5a49bf12b11b615935dd431311e7dba7a63ff1f3f8933980fe469640469846ddec2541520f41497b19d4c3189130bae59bb09

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
725cfaa749853bdad9c9ae1abd55bcb3

SHA1
ccfec7726c0a7ff68add661fb0e8d11d02e85d0d

SHA256
46aa8e07c1011502c114de31c277357e1f18eadfb7a55329c406f9366bd13dcf

SHA512
4d82aad7bc746b6f4150df710178da4aba554178b07b3b9fbd60c617a30b41d836f3ed4790649553126e8c9117b41a3d3d5b7c6d72c4ecb01680f5fc50f3e195

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
a472b6cb3a3d82a9262ac7381c466580

SHA1
45fa40ecd27074118f3d82262c02e7f844f780b9

SHA256
485710854e74eb45ba09484489e95eed56947eb6c5a658668bf49d1f2e00de3d

SHA512
2b78df6c6c9ec54b55447c48e7501dceaf0169166830507df085cd675e9f251daf9c23af7258a8bfb104891d5ab89e83d6ccf413ee0ddbf3eff75de3e709a0b7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
968545f62613d0b1e33208e737895861

SHA1
d7b32378389e2dc6d3946eed713e9b736b1084e4

SHA256
d28c8298008c72c88078d4165108e7511ab06e1a5e4b4ebc8e87dc1c1981b29d

SHA512
d3f6cf8095a672148157863e317c9a79c4219eac11d111d5fa3b9b2350f1e17951ac1a57d7d9c9c35b32bb513defc42b9ebfe72a1c5caa1d73475df76a9d32d4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
51080e72ba2d6f13977b32d078b7f481

SHA1
e6d7a37ec1899ed0c3605f9df373a8dd0abecf59

SHA256
138b578463a3b2dc7637967940bc6358afb3e278ad632fbaa32d2fdc95fdfd15

SHA512
4606271c25c67f0426debd56fad67a99a254cbc4878ab472aa94c6ecc142b0013018744b85496ff1ae217b6f33de57523ad68456518b384555234e3d57d627c6

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
6391ba86627df73067dff8189c454c8d

SHA1
f49230f6f8c81ca9a914a1643f8431f1e0704bb6

SHA256
6f139cdd77ec2597aca7c5c5e652b061342d630d19589276b05f1d02b15f11e6

SHA512
fa6c7d467f4af4df8285e691d6d7bf0f5a52164f394301af58333664130759d9d50b56120ce5d8c341861275bd461bee05de7679c4440e75d1082fa4e21bc6e3

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
d6c13064c85db92ccc976801e5d27c96

SHA1
f17faa8dae76c2d91b75e20196b7ba731183b561

SHA256
6029841c75a511998438461021b8a75d55bbfd870ac60d1866e474329bbfd38a

SHA512
cc7891f13883e3441021e742a63c0f5ec33a97519b3075e8031b4ef53d07087ba8bb6064a42ecacd85bc663501629a9db2283d502e3c44c05c140d97dc2f2a17

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\096228fb18d613c5235754e69fa116a6\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
885809d459ba88eabd57bc99a270de28

SHA1
f01668256c1ce50f4fe375273bcd5a52ac1d8d5e

SHA256
5ac82ae0418826978bf4fdddb511d84ef4d0bace4460b6aed5eb08b9ba70bfd1

SHA512
2247161cfbecc76f1fd52d62f93a02fc12a151670e8240a052e3e5cccda494759608edc2c9d32d984bda06a3138cb02bd5f8645d7ef9bcfaae36ce50256fd268

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\1f5d757f0db1005daa2dee10d6117655\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
0357fac505a1028f1b803e4170de3a62

SHA1
0ce8e6445a23e02b8b23e964e3cced0f304f556d

SHA256
c0d079e51a8b642b9e7fea65b241204f4d890ec4f81030b6e1cfc86ac8a2c435

SHA512
ebde8c35ffeb88ffdcf14b0e7ef669acd641822e9b3a919aeb8a29b01237a8b3b44e3a446d4a6b2fb53781e944dee94ae471b94ee12e27a279169d51a87acb12

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a1e2d89d60b3d1b9dad51ccf7ab26383\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
d859387531516d23faacb27310dd978c

SHA1
9dcc957d80fc0616c1b76cb7d06e44fe13a368b0

SHA256
27994530f55de0399172a4b0a1c1708d7f1879d870a0e496db6a8768cf331c47

SHA512
ceee388fc7b2e3be889a45ccbda469679550c0cb3ec26f20c972a1fda4494606ed1e5a9460ac8356ab7d4c3bb71d13a38be56fe838af10ebaed63b611f7ae78e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ecc91e0a55de12a6b590a3e4d8dc9b0a\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
9eebaca27f1106aca4884df0ed1de563

SHA1
09aacb67a1e29946665b9cb04c2ebd9cd94a05eb

SHA256
63fd039345cf7fdba01445078056de0a1356f7ca1180c67e433d9e58cd0492d9

SHA512
32dfee63e9badd8c5088a5c8010ce3992531d6fc6bd2c8f8d5fb19e35bb3be75dba22e754f3bf88253097b14504dd246dc906656e5e5d9b8454b4cecb5cbe7a6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
9755afac7736d6770ac73531c6df1dd9

SHA1
9665a74b852dddc076495a7bb6150fd58633f6c3

SHA256
46aab4cee16b74e7056cb1fc48079b455f7917e61b6b4420b7ce3ffe07c718cc

SHA512
403cee6bff9bc7bafba913bdd9d94d4503554af9d54e2cfbf307e043e2b98a5eac4e7dc478d5ec7295254d5d5cdf29c94c5d6ab8be38165cc693371c8bf4d4a1

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
27b416489bd79f8ea656225a9566c4e6

SHA1
9e0b8e75831bcb97bfeb9e28e8851713a8e9fd6b

SHA256
cc1729de5f7b8f427650a6e8712cde257cd83f01ebb860140434e601755bf241

SHA512
f4833286adcb26359b932ce51b55eca07a713a23c716a267a04cc24c91ea8d45ee62ea4f134526cdc8191df078b765b0f023d54de2e665e72114960acf5cef1b

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
77c36ca2f2d8cbfeacae741c6b91305d

SHA1
385ec39174dfef7308fc296cc5e7ebf10f6ca318

SHA256
caf766666ce06e4bf7a05ecc3da18ea5a8834a2e25a8cd761f9e9062aa84b557

SHA512
dc33ff92ac7169a02a095853da4a53a35e2c09254ca64910ccf72a229031951412327918c2c49a21472aff070cec50046c5295e369bca281ff3900f4dbc0b101

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
1ff29ab9453bf2f0f2b70f8d3bca34fd

SHA1
1736cbcd6e8c89df4b810ddab530c72b4dd6bba0

SHA256
ddb910fe5c458a69a00ef57155c6fd3530d8f66db800959a2f3a2e322e301476

SHA512
53da821c0b8df0937e535a6f33feffb728879014b845b4953ed3dbb5250c6cc0c4f48754cf65e0ef5a53fb68afae5f0581743ca604e47bcec92bc7bda217f298

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
99574892c4852323787620d7678dd1a4

SHA1
39ed2987a9445a6a4bb23a9e562ee300275a22cd

SHA256
ada7c829a2dba3ce2676d5f9fe60e7260fa8b95be96abe8a1915b3bbace28f19

SHA512
1ca968e33e447ba83434b798e0d5945288014c633430f82090c043035ecf90ac916c543207b5a1a07008b5c268f9daa5d5354005311473f6b6e613cf283d1014

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
c9058af8a96fe77ed60f1fdb5a82837d

SHA1
7d395479dde92e55efd438e92696a3cfd43010a9

SHA256
08c08f225233c78a24f82c2788911ee743dcd31f3797507832f146bac5cb5ba4

SHA512
795a027a9230b4a2b71cc85810c18fe57e4bcd057c7a1b847cd6422ef7156a6c4208c70b89b91bcd9ba7858824ddceec85b60b3287a37928db3c2ef14adb59b8

Download Submit
memory/1192-186-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1192-180-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1192-179-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1192-326-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1204-138-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1204-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1204-273-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1204-7-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1204-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1260-357-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/1260-438-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1260-442-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/1260-377-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/1260-348-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1400-176-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1400-151-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1400-287-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1400-177-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1400-150-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1400-174-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1400-318-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1400-157-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1412-136-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1412-103-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1412-98-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1412-97-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1488-312-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1488-408-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1536-189-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1536-126-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/1536-121-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/1536-120-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1804-275-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download
memory/1804-355-0x000007FEF4AD0000-0x000007FEF546D000-memory.dmp

Filesize
9.6MB

Download
memory/1804-384-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download
memory/1804-343-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download
memory/1804-341-0x000007FEF4AD0000-0x000007FEF546D000-memory.dmp

Filesize
9.6MB

Download
memory/1804-330-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download
memory/1804-274-0x000007FEF4AD0000-0x000007FEF546D000-memory.dmp

Filesize
9.6MB

Download
memory/1804-463-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download
memory/1804-469-0x000007FEF4AD0000-0x000007FEF546D000-memory.dmp

Filesize
9.6MB

Download
memory/2200-18-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2200-13-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2200-36-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2200-158-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2332-170-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2332-164-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2332-163-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2332-303-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2444-192-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2444-198-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2444-276-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2512-309-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2512-295-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2512-304-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2512-310-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2532-531-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2532-488-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/2532-486-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/2532-479-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2744-470-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2744-472-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/2760-289-0x00000000004B0000-0x0000000000510000-memory.dmp

Filesize
384KB

Download
memory/2760-281-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2760-360-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2768-112-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2768-147-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2776-139-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2784-435-0x0000000000270000-0x00000000002D7000-memory.dmp

Filesize
412KB

Download
memory/2784-457-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/2784-473-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/2784-474-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2840-529-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2892-328-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2892-475-0x00000000746D8000-0x00000000746ED000-memory.dmp

Filesize
84KB

Download
memory/2892-321-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2892-431-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2892-331-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2892-363-0x00000000746D8000-0x00000000746ED000-memory.dmp

Filesize
84KB

Download
memory/3004-172-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3004-86-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download