7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
23/12/2023, 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec.exe
Size

1.8MB
MD5

4fdaa70a602285954aa42e534adaa613
SHA1

b43fb5f67af35e6d6e36c20eca0da7b8483b92c9
SHA256

7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec
SHA512

8c6b47ee967cc38ee0ddda7f0f0d4053e6a87e6033eb85093298abc516694d11c06abdec81a46621f7411bc3bbdc8436d760791cfb53ec7518dc3ab0900dcc9a
SSDEEP

49152:Qx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAmaB0zj0yjoB2:QvbjVkjjCAzJAB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 61 IoCs

pid	Process
468	Process not Found
2720	alg.exe
760	aspnet_state.exe
2820	mscorsvw.exe
2400	mscorsvw.exe
1740	mscorsvw.exe
1600	mscorsvw.exe
2344	dllhost.exe
2132	elevation_service.exe
2104	GROOVE.EXE
1688	maintenanceservice.exe
2708	mscorsvw.exe
1880	OSE.EXE
1008	mscorsvw.exe
1896	mscorsvw.exe
2164	OSPPSVC.EXE
2336	mscorsvw.exe
932	mscorsvw.exe
2880	mscorsvw.exe
1440	mscorsvw.exe
1376	mscorsvw.exe
2444	mscorsvw.exe
2500	mscorsvw.exe
2780	mscorsvw.exe
2752	mscorsvw.exe
1572	mscorsvw.exe
2700	mscorsvw.exe
1968	mscorsvw.exe
2036	mscorsvw.exe
1052	mscorsvw.exe
1116	mscorsvw.exe
2440	mscorsvw.exe
2300	mscorsvw.exe
1912	mscorsvw.exe
2832	mscorsvw.exe
2224	mscorsvw.exe
2288	mscorsvw.exe
2244	mscorsvw.exe
2848	mscorsvw.exe
2852	mscorsvw.exe
1756	mscorsvw.exe
1500	mscorsvw.exe
2984	mscorsvw.exe
2800	mscorsvw.exe
2540	mscorsvw.exe
1520	mscorsvw.exe
2356	mscorsvw.exe
1708	mscorsvw.exe
2860	mscorsvw.exe
2892	mscorsvw.exe
2044	mscorsvw.exe
3004	mscorsvw.exe
1500	mscorsvw.exe
292	mscorsvw.exe
2680	mscorsvw.exe
2628	mscorsvw.exe
3048	mscorsvw.exe
460	mscorsvw.exe
2188	mscorsvw.exe
2304	mscorsvw.exe
2660	mscorsvw.exe

Loads dropped DLL 22 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
2984	mscorsvw.exe
2984	mscorsvw.exe
2540	mscorsvw.exe
2540	mscorsvw.exe
2356	mscorsvw.exe
2356	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
2044	mscorsvw.exe
2044	mscorsvw.exe
1500	mscorsvw.exe
1500	mscorsvw.exe
2680	mscorsvw.exe
2680	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
2188	mscorsvw.exe
2188	mscorsvw.exe
2660	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bda773b13db14c9a.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6A95.tmp\GoogleUpdateComRegisterShell64.exe	7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6A95.tmp\goopdateres_ms.dll	7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6A95.tmp\goopdateres_th.dll	7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6A95.tmp\goopdateres_zh-TW.dll	7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6A95.tmp\goopdateres_bn.dll	7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6A95.tmp\goopdateres_sl.dll	7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6A95.tmp\goopdateres_ml.dll	7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6A95.tmp\goopdateres_sw.dll	7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6A95.tmp\goopdateres_cs.dll	7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6A95.tmp\goopdateres_sr.dll	7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6A95.tmp\goopdateres_en-GB.dll	7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6A95.tmp\goopdateres_am.dll	7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6A95.tmp\goopdateres_no.dll	7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6A95.tmp\goopdateres_da.dll	7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6A95.tmp\goopdateres_en.dll	7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB27D.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9627.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA3CE.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9DFB729B-4817-4254-84E0-B671E1A777CA}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP90DA.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAD30.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9AE8.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9DFB729B-4817-4254-84E0-B671E1A777CA}.crmlog	dllhost.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8A65.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2752	7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeDebugPrivilege	2720	alg.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeDebugPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2708	1740	mscorsvw.exe	38
PID 1740 wrote to memory of 2708	1740	mscorsvw.exe	38
PID 1740 wrote to memory of 2708	1740	mscorsvw.exe	38
PID 1740 wrote to memory of 2708	1740	mscorsvw.exe	38
PID 1740 wrote to memory of 1008	1740	mscorsvw.exe	41
PID 1740 wrote to memory of 1008	1740	mscorsvw.exe	41
PID 1740 wrote to memory of 1008	1740	mscorsvw.exe	41
PID 1740 wrote to memory of 1008	1740	mscorsvw.exe	41
PID 1740 wrote to memory of 1896	1740	mscorsvw.exe	43
PID 1740 wrote to memory of 1896	1740	mscorsvw.exe	43
PID 1740 wrote to memory of 1896	1740	mscorsvw.exe	43
PID 1740 wrote to memory of 1896	1740	mscorsvw.exe	43
PID 1740 wrote to memory of 2336	1740	mscorsvw.exe	46
PID 1740 wrote to memory of 2336	1740	mscorsvw.exe	46
PID 1740 wrote to memory of 2336	1740	mscorsvw.exe	46
PID 1740 wrote to memory of 2336	1740	mscorsvw.exe	46
PID 1740 wrote to memory of 932	1740	mscorsvw.exe	47
PID 1740 wrote to memory of 932	1740	mscorsvw.exe	47
PID 1740 wrote to memory of 932	1740	mscorsvw.exe	47
PID 1740 wrote to memory of 932	1740	mscorsvw.exe	47
PID 1740 wrote to memory of 2880	1740	mscorsvw.exe	48
PID 1740 wrote to memory of 2880	1740	mscorsvw.exe	48
PID 1740 wrote to memory of 2880	1740	mscorsvw.exe	48
PID 1740 wrote to memory of 2880	1740	mscorsvw.exe	48
PID 1740 wrote to memory of 1440	1740	mscorsvw.exe	49
PID 1740 wrote to memory of 1440	1740	mscorsvw.exe	49
PID 1740 wrote to memory of 1440	1740	mscorsvw.exe	49
PID 1740 wrote to memory of 1440	1740	mscorsvw.exe	49
PID 1740 wrote to memory of 1376	1740	mscorsvw.exe	50
PID 1740 wrote to memory of 1376	1740	mscorsvw.exe	50
PID 1740 wrote to memory of 1376	1740	mscorsvw.exe	50
PID 1740 wrote to memory of 1376	1740	mscorsvw.exe	50
PID 1740 wrote to memory of 2444	1740	mscorsvw.exe	51
PID 1740 wrote to memory of 2444	1740	mscorsvw.exe	51
PID 1740 wrote to memory of 2444	1740	mscorsvw.exe	51
PID 1740 wrote to memory of 2444	1740	mscorsvw.exe	51
PID 1740 wrote to memory of 2500	1740	mscorsvw.exe	52
PID 1740 wrote to memory of 2500	1740	mscorsvw.exe	52
PID 1740 wrote to memory of 2500	1740	mscorsvw.exe	52
PID 1740 wrote to memory of 2500	1740	mscorsvw.exe	52
PID 1740 wrote to memory of 2780	1740	mscorsvw.exe	53
PID 1740 wrote to memory of 2780	1740	mscorsvw.exe	53
PID 1740 wrote to memory of 2780	1740	mscorsvw.exe	53
PID 1740 wrote to memory of 2780	1740	mscorsvw.exe	53
PID 1740 wrote to memory of 2752	1740	mscorsvw.exe	54
PID 1740 wrote to memory of 2752	1740	mscorsvw.exe	54
PID 1740 wrote to memory of 2752	1740	mscorsvw.exe	54
PID 1740 wrote to memory of 2752	1740	mscorsvw.exe	54
PID 1740 wrote to memory of 1572	1740	mscorsvw.exe	55
PID 1740 wrote to memory of 1572	1740	mscorsvw.exe	55
PID 1740 wrote to memory of 1572	1740	mscorsvw.exe	55
PID 1740 wrote to memory of 1572	1740	mscorsvw.exe	55
PID 1740 wrote to memory of 2700	1740	mscorsvw.exe	56
PID 1740 wrote to memory of 2700	1740	mscorsvw.exe	56
PID 1740 wrote to memory of 2700	1740	mscorsvw.exe	56
PID 1740 wrote to memory of 2700	1740	mscorsvw.exe	56
PID 1740 wrote to memory of 1968	1740	mscorsvw.exe	57
PID 1740 wrote to memory of 1968	1740	mscorsvw.exe	57
PID 1740 wrote to memory of 1968	1740	mscorsvw.exe	57
PID 1740 wrote to memory of 1968	1740	mscorsvw.exe	57
PID 1740 wrote to memory of 2036	1740	mscorsvw.exe	58
PID 1740 wrote to memory of 2036	1740	mscorsvw.exe	58
PID 1740 wrote to memory of 2036	1740	mscorsvw.exe	58
PID 1740 wrote to memory of 2036	1740	mscorsvw.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec.exe
"C:\Users\Admin\AppData\Local\Temp\7b5a8ef2677926f60e3304b86b62c92f2d549d37e2f03226e0ac154f61eee0ec.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2820

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 1f4 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1d8 -NGENProcess 25c -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 270 -NGENProcess 1ec -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 278 -NGENProcess 270 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 254 -NGENProcess 1dc -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 27c -NGENProcess 274 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 278 -NGENProcess 284 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 23c -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 270 -NGENProcess 284 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1dc -NGENProcess 278 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 28c -NGENProcess 274 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 294 -NGENProcess 284 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 294 -NGENProcess 1dc -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 294 -NGENProcess 270 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 298 -NGENProcess 2a0 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 274 -NGENProcess 270 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2a0 -NGENProcess 29c -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 298 -NGENProcess 2ac -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 288 -NGENProcess 29c -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2b0 -NGENProcess 2a0 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2a0 -NGENProcess 2a8 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 258 -NGENProcess 1d4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 1c8 -NGENProcess 2d4 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 294 -NGENProcess 2d8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2b4 -NGENProcess 2dc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2dc -NGENProcess 2d4 -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2e4 -NGENProcess 2b4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2c0 -NGENProcess 2ec -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2b4 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2e8 -NGENProcess 2f4 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2f0 -NGENProcess 2fc -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2e0 -NGENProcess 300 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2b4 -NGENProcess 304 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2b4 -NGENProcess 2d8 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2e4 -NGENProcess 30c -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2e4 -NGENProcess 2f4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f4 -NGENProcess 308 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 318 -NGENProcess 2b4 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 2e4 -NGENProcess 320 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2e4 -NGENProcess 31c -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2cc -NGENProcess 324 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 31c -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2660

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1b8 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 240 -NGENProcess 248 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2244

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2344

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2132

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2104

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1688

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Modifies data under HKEY_USERS
PID:2928

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1880

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.6MB

MD5
3f011fc3c2d18b095129e2ab9dabdddf

SHA1
de2dd593b0902db2bef0a54c92e2a95ea85c2764

SHA256
2d59f209df906d3cfa786f4a502ea63a4973839ec13bbe4b1303490b52b762d2

SHA512
297389d6945ccaee5cb53e30e23919b6ab4279ed3931b52357bd1c3083c8c974be5e85e07bcc85a4edf575be3cd3744dc041c1fbc2a6036d53ca5b064ed95c25

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
c472ecb46add725f18f281d9ab200bca

SHA1
0df35cc31f6ed5ffd04afb516c4e019bb1cd4eb7

SHA256
256ad3fecf0cdaff4eae95d94f099244720b216e380929faa244fcff3be9e205

SHA512
cfab8249844c39a17d0ef0fd3ea34b0e3776a8d2f55518e446eaf748ac3ae387c05ecb0a2915c77ddeb1372bbab71f0706ab6cf6a4325dd32cfcc24f8e301df2

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
2ae658a2daa42ff1334e01e65c2083ed

SHA1
ab46f051752da27c090be391e8079ebca823d295

SHA256
fc1efe5b29844cdb2ea8b0ca2abd61bc21127a120079b0145d07a2aa775d27b3

SHA512
9175ad4ab099d077ddb5082626c6f1a028903172fa3e9bf7bb1f9be111c1f0971dc29be7512af8ad941ea0ce7d1eeece2621bb34a4409e943c3b89124c0b50d0

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.9MB

MD5
a85b91fe0f48a4256a0aa881a725dc5c

SHA1
f5dd5ca7f50817154d13831a6220d71553236570

SHA256
43347d3c0cf2e28d979e509c8e2450a8a502ee8c225440d2eb979da4a8437d0c

SHA512
fd6809b5ed92b5b64d2368c73e79bcf087f5c6a6443970b682d61772e5498b720c30678aae41c727711c61a4332b558ae9044405e0f120ad098e6a8e88285c6d

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
128KB

MD5
705998da14e47d4802b7b38663775f9c

SHA1
80552d75dab8f40a5e20394735e6b6c242906ed9

SHA256
03e5dcc0888639d00b1b8460bf50e08e60f403b968c9d79770e656570f3a54f8

SHA512
1756aeff4642ca6580622a43f979c00ca399278370c55314f35c6f0f52d594a7f874c5addce690a83092dc92a34a03574d2557382ac9dd1480bf06f55c3c416f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
12.8MB

MD5
48da36aeeab10120eb3a586223549db8

SHA1
d142dd1afb9e9f1c6ab321a481ff89389c22fb68

SHA256
195ff77e53f5994fe39800773d8d240fd032fa2e56f371024dc7725c85e694ae

SHA512
b3a49c5a6fb0e0c0cff34443a5694481a8512b7d3a675ea505dcf8dc538dc220545b947707818f7c3dd8356d1db5a5b7cf17600db6d11d127f8a85b0d93e1c73

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
62b0bb93090ad03d555c06b022142bb8

SHA1
c46141b8a5907cd3796d96062b4c7d105ed9b09c

SHA256
8e246b12e6660abde5320cb1ec232255d39048c2cb1159a5f1b0e2489e81e33d

SHA512
4d1ac627eddb3b8806d485f59a528397ee7ec97a1468cc4f77723145054ed0e0ca8689a1c031630e0beccfae9bc03dfe45d6597d10dd9b44d1b14fba68abf044

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
8a5e203ecc98283a1ca5767e248ec364

SHA1
e5220e727a28df6716de9c45b7f313485d4de906

SHA256
e6267925e50beac82172fbb39fcffb86b2619dd76e2d2d9cc658a88709adf686

SHA512
bb031653dc2008489a19a7fa673a90726e2c8b6af628295a6068fbd02a40e4e144f70caffdc319608f85bfba4a49b4d751abb48a5235f80ba84cf3e05041dd97

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a9fe191930347dadbde4e163d7b44a54

SHA1
660645e2490e998c803e08c49a3e5b01d106253d

SHA256
978a82a326e189c7d35a8aedb91e7c0989ee159ca523fa48f11b0fcd21ea6ef1

SHA512
ac63070b1ae9572ca7d0c3b1db2f555680fdee15bcfb917e1785fd7c71aaecb1f0c738e6c139949fba100fa6f4963146ac29645df937cd5bdb0991ad79aa95f2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
be75cc60ef79260aae491bcf86e879e3

SHA1
b5f3c0dc81bef7d8dfcc61d182ac58ed009a4b48

SHA256
97482b81bd2fbff03848dc3c48dd349b3b3be86abe212ea3e26e167c48a90d28

SHA512
9895d90a44f3a8163462de9103186303498dc3fd77b712442ac591a6d87eb3d8e47d2fab98f256dffdee0747a4f623c0055f0cc89a45c4a8d7c9f3508886439e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
03f8954d61e2d14def5aa8bd5f592e53

SHA1
0ea796663fde198e0c02033df76c691954804031

SHA256
4bce35a6d4175d798490c40fa018a53177eff36251c1f0dc93d1a9c80eceb082

SHA512
2bb10f0dca246b31fb83b6891f1be113c2167a5eceadf7ffabc29da14f3c6a11ffd69d46cb90ae6b569685dcea4e8c2a9a1e71c5324b176e68a3be513f30dbb9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
64KB

MD5
80051d27bc21b51c64f414e7f69a8bfb

SHA1
ae8ad9961db38d44178256e2f969578a03eac237

SHA256
a58cb2c56834225324597937dbbfdde3bd794d2f3ff3721f082c0f418ee141a1

SHA512
624ff43f7a825908174330e09926c3c554456cc4df295da7e0c71a1fc57026e5f67a1c26b967d389e514d2505e29321d0b654bee867bb578e7ec961a138cd7d6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
a46c3dc160302b3527ad32ebbafc337e

SHA1
796ca45e965c93008496cbea0411a3caae17a1a3

SHA256
16e510d6f4a88b817cca5742671802a35be2357aac3a4c0f821a32da53098864

SHA512
92f3293a9682539723273285e370ea91385641918e970ec4225c8a6dc2c9f81ee483ec0214cd08295ef39e1222096bbf970c24e489f4ce6c113ba40eb84fadf7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
99061cf0389ce5f769b9e247986a0fd1

SHA1
c1a92b8f03a58022a063a4b7aaa0fbc51d703696

SHA256
a91890415ef706d7c024741e60e1a4a45ce2c09ca0328a7b5e998f444a13cfe6

SHA512
0a8bd31258cef69ea3850500703731bd6602bd0aef634fe06a088fd8332b226ac1717a5594d448e6b135d8cd80a9d71ba2ddeb77901ffc585150605d1760defc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
0ddef2a180854d3ab2f7992d89cebf35

SHA1
40c130822724be8115a6ebd82b5ca2f8ff557379

SHA256
5b87919ad2e93a18eec1a52669f955ca999a059dce64cdeabbf63036f837e5ce

SHA512
8920a14359f9d4223614933e06cc93953fa692fa429b20300a275ba739e73b58fd190a1e5ca2e830e190a48f5f3fd037b927c00f64cd777de5537046489553e2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
fdea2247aea5e287dac7216235a9877b

SHA1
3650e3822655e917a81e0d2923cd09d3a0aa802f

SHA256
b539d15af643c7ef48c6601b9ce240bc91ae12a23740188ce2fcf87fb993c034

SHA512
d81b03967f7ee71d53f8553b63d2a1039d4578248209d5425699ed5d016d36c237d28b664235942445b97e50ce963fb09f13de010c05322b860f240a3c10d6e8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
2f668597da463be202ca14b010f88e86

SHA1
4237939474a653b84c786630792baf3cc4f61ca1

SHA256
dc62951e8be3f8373dada3fdefee55a7ac4fd6358a1f0a70313a21f0757a13ce

SHA512
c7acf17021c43579822751daf42d1db8c349892bc67dfa5e0a53f17d8a1a5555754f2d443f8abb8943e18c8e26d1dfe0b424dfe92be8cc1eb30956366b7c2841

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
28152ac57de6ed14ea5a6443de11fd7e

SHA1
8ffdb3f23569863721513ba779e95053574aa173

SHA256
c71015b24d1d031beef04b41711c7c94799c5fd72360b3403fb2ac6af851d7f7

SHA512
9161a7e0f08d1f4af9bff196fa29f10804e181d3de2a595553a7a10476c58844d7e1b155be4bdfa3b74abdc4b2df349c05eb998da43567ef29a695911c3ffdd4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
1.5MB

MD5
cf5cd90404d1519e8dca12bcb9ba50f7

SHA1
109a9517ec141fefdebca30910b3c2d6d0373c62

SHA256
83dc5df52c446dec1638994911325e602753101b444155a0de4e1c7b169c4580

SHA512
428dd81910d555fd5e16786c66d82c4f4e903967d1991d04b98ed00d57a1627e978dd2408dcaec4baa268cf4ac57b332f46240c6961fd937730d9d1c7ddc2181

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
1.5MB

MD5
b6f41f487c0afb1972b1210d0a632cd4

SHA1
2b0deb697a9e4ad4bd09c36fc9eda450d3f6ba68

SHA256
890490ce2585c091d48eaad42bfd5d3416a2e2ad53778e7e39ef174a85638502

SHA512
44302267a5b1935c745d8b487deae16d901b0e1a6e5992184f7278efa5d3ab43aed19284fb4e1c10139c16cd863cf8d7a9bae8bcf81cf236394d204950810794

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
1.5MB

MD5
4f62641499527f43e2000bf0232a3dd1

SHA1
30f6e4157cb9c8106b4b9691742d63640e522392

SHA256
c24addef613498764f19487384c3e6f741f666659a27612db5922db6ce91e25f

SHA512
1594c55b2ebb9ca8037b49b11ffd4efa3bff7cf9f46232d7072f02277ee92cc510e65d40f785b9639011b5d09d99510d7be55b30a97df85ce67e7812fbf770dd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
1.5MB

MD5
a81ef919aafd9dc2108be05c3cd6fec5

SHA1
c60472dcd29b12d31a845dbd29b3556094790927

SHA256
fc2881a8e7d7758d1ae80d3c670ae6fad3aba6d053b615203d16da08c18b1223

SHA512
1bfc9c4b09144fe0c1abf817ba4d72b2a91c4f1e064158ea1d3a99c16bb62b8af8e2abd61b65e1c674b41c9fa3f473e157c9b2d1bcc97949972fbe70ed2f9a0e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
1.5MB

MD5
0c647509e73989a868dfc81ad5b01d42

SHA1
ad54a64609d5a6e76bb264d532c255bf523a4b63

SHA256
b68c8109bab44c0d3e6643f077c4df595774cb03388552f50d6c1c976e105b02

SHA512
e124483db95ea852512765539c0946a9478af40bba5a07bb9f3318ee3bea48efc0f3581a708deef5e561a510ba46dd85b7366716d9ecd354bf526aec91b9fc9c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
128KB

MD5
ddd1c12a629b75e5bab261616aecc571

SHA1
9fa9d55d417009814ba013599d5ba5b63f5d4906

SHA256
8c080a80eed434cfb8f2d3d5be677e8404cfc9d0e25468456a84444edcc5824a

SHA512
d506436e99d1dff6d287aee23aa5eb6773c4c6e6e690c6efa7dc6eeed2c307ef9625d5852657eb585d8b8dc6b3f4d4fb51c7bca44c4fd4c383b329c8e07d62bc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
3c6b39dc6c4107a68015e314ab7c29db

SHA1
f86fefa3489526c7ad780c1326344979709cc156

SHA256
e4b34720d5b2181a9c8ec09aaae5f5c526d7b6565d6dd3b6c56ee8dc5807f673

SHA512
230b368327a532d72835c22476af45794490e0923b39748fbd96c0fd6174907c526c642ad95a95fafa8fd0fb1970f58296dbf1c376ebeaf9f56d3cec3423f85b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
91aac83050d646492d14dd21f4644ba9

SHA1
3aa7fb33e19efa284ba568cd2f9582263d593406

SHA256
af2b92f787fc364fa3bb111f75d156b40327354d4b2bca5ee6e59769692ad752

SHA512
28998b35be5224d581486924920526011db8e0b0b553a24496be132d328663e16b1133fa155909228fb40ba8d2d9dd70d0708a59c2783f5893cbd0ad412d8287

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
b6bb0808a5165753e615daaf20eab79b

SHA1
7bd1d50f0895c531ffe5921cf845ccbae75b234c

SHA256
cc9e99d5cfebdd6cc67dd48ea1721a5306a1050bb45fedaedc5d603a3267ff67

SHA512
e855003ba7c3688cb579bd92440b87c43128d2be07a999b1a164f6c84c7273d90f101ec21c1b0b4235e3c29a6998b1712ee85d197ca0960e9401845e216b5b59

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
b2e7d2e40e31ccdd2724d5b09adec84f

SHA1
d8eee080910e00770667ca5f5ed3feda31dd09ed

SHA256
c4314c17759d789fa4b0cb54f13a284f80228090c9c5047bcbecaa82413c360f

SHA512
948e0716b7bc57193b388baf0561f1dc83dfc8e383cd92c4d6e00c9f53a728303d7d5aa807ca0f2568ecccd7a96fb63299a7254bc50aca071c3a28508bd47bd3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
e8c94161b74e08a6a60741007b89d435

SHA1
7cb09d07c54d0b392e84494ab94d9767d3fe6dff

SHA256
53b75a0141afcae519f8d61fdfcd7e4459d0a8ead2c6b3904209108ecb3541bf

SHA512
f2f659a0f9e3fa5679d6216707049588263b861e908bfef4ee5f017d7f1499053e1e8ba243d86fc18abc9856c4de5680f302ba32d7b66e342675929f1a639589

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
7bc1ed400e57b66ea69961b000bebf8e

SHA1
ffeb5cdd25fd8b5c92f9c7a50fc998f92c352b62

SHA256
f79b2b4fc2a01dea1ab7a89e42c0f34e13e51a7fc9b768217480042882f6e6c0

SHA512
bf3289835ce11ec84a7e64393f057a3dca815e67cd058ab3b2cdef1647c26f3a1913c54d222005c785d301eb8ec1812301db9da623e132105132b83f277614a0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
897f80984d34004c919b2d895f6afbaa

SHA1
fa20bdf7b03cc5a7481570cab432cc63b6c90e93

SHA256
209ee414fbf74f08b75eb7e3e71abd1d548fca357aca02b7ef6b31d41ea5482d

SHA512
b3c4b3ab67b67bb8f7fef75c9ac0eadc2277501dd5f6d45c0ad709da8f1301cea48ae5c475514e238ffc630b139e1056e02136b8036ee3645a59de540d67346a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
099e6c29c64f339bace034048a23883e

SHA1
34f5522115ed37e3fa92dc3369bec00787e3a5a7

SHA256
d06ab13c01a9bbe8e4ee7be6da100272441a1e2c028a721f12798379b1af563d

SHA512
8639b3a45bac428efcf9c754c3f8c94784e7fb654edbff145f438bbd295264932eb37bf9ddd97d52245cb13f9dd7eb32b9857c374a63ab98edd310a6ec8c027b

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.1MB

MD5
0bd87b1577773ff7a984bc842520a4f7

SHA1
87b99f3bb40afac466bcd26e30bedd744942fb55

SHA256
adfc495fde40e434fe63476aadccc4a7930a0815a4825381a41816b86996b3c5

SHA512
51aae6f8a5dcbab88a5fd5dc4dd31bf533ceadc1c5f9b5e848cee298d17d0c3462db2d58e2619107a35fed24f0db45e2e2ae92403244326a3bb1a8b0bcb9f8e5

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
ee391b2f59ceee75d3b6ad4c92b4f3e1

SHA1
00ce1b790fda02c36ebd932f0c3fbeae6c0b1ee1

SHA256
e07a23cf61e1007d9996eaab1476a2961269ccd0e155b3753b10567ebedda113

SHA512
c7018e2fd3209aa7d5d109e6822e987004b6719c31a11748c098b85bd1d784ec95bde85eba43f47d7f17c40eb073fda4ff6121ba7a62c3a366e9c5cdbb24c492

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
d983a5e309564ff1a952037fd5e2a300

SHA1
08cc5ad8411ffe4a8062890b0912e815a690c7a3

SHA256
7e84c052e8df0b98c9f325a4790af49ba2bddab73791085dc5832d864caa6d63

SHA512
eb5ffe06a33e6a12fc2fb58111c1c5fd12f47311251425839f2158a2c1144253c25776111cf3c04b3be40c06741f7d17b105e701d02fc665f777cf3a78a00836

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
8ae84ee177ee7bc2a945fd3d8d51ba2e

SHA1
8fe6e9b9ffa9b788b033a967baebf086215dc8c7

SHA256
2d952ca6739a6c774bcd352f8f500710e282ab2311aff786d611e1fc5da73360

SHA512
485989ac07c4db6af4c5f0267f9530e19d214a5bb48bf9da585db73784d2631ccbebb9e4348c7063709e21944804bc62fd43f5e2b734a0fae0a18f5761fe984d

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
b1534c0bf49c549656544f420b57db11

SHA1
0e9faed6381a85793dd83b2f416f678098fd0cc6

SHA256
27dbd0f772ebb75dd4ff01acc126b34f5459479674e1ead40920c72548f6af65

SHA512
d8bfa0885fb0b3404bc3d9e9eea020a00c6eefe0083ea1b45ec7e6ef6c70b3d3cc85223fe30dc7f7bd15078581a2e182bcbb11eb886286f0da618aa4bd152ac0

Download Submit
memory/760-251-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/760-95-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/932-433-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1008-366-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1008-365-0x0000000073310000-0x00000000739FE000-memory.dmp

Filesize
6.9MB

Download
memory/1008-320-0x0000000000B10000-0x0000000000B77000-memory.dmp

Filesize
412KB

Download
memory/1008-315-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1008-367-0x0000000000B10000-0x0000000000B77000-memory.dmp

Filesize
412KB

Download
memory/1008-334-0x0000000073310000-0x00000000739FE000-memory.dmp

Filesize
6.9MB

Download
memory/1600-285-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/1600-153-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1600-145-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1600-147-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/1688-276-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/1688-303-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/1740-127-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1740-274-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1740-128-0x0000000000BB0000-0x0000000000C17000-memory.dmp

Filesize
412KB

Download
memory/1740-134-0x0000000000BB0000-0x0000000000C17000-memory.dmp

Filesize
412KB

Download
memory/1880-410-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/1880-330-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/1880-305-0x000000002E000000-0x000000002E19C000-memory.dmp

Filesize
1.6MB

Download
memory/1880-356-0x000000002E000000-0x000000002E19C000-memory.dmp

Filesize
1.6MB

Download
memory/1896-363-0x0000000073310000-0x00000000739FE000-memory.dmp

Filesize
6.9MB

Download
memory/1896-424-0x0000000073310000-0x00000000739FE000-memory.dmp

Filesize
6.9MB

Download
memory/1896-338-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1896-423-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1896-422-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1896-354-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2104-268-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2104-261-0x0000000000B00000-0x0000000000B67000-memory.dmp

Filesize
412KB

Download
memory/2104-266-0x0000000000B00000-0x0000000000B67000-memory.dmp

Filesize
412KB

Download
memory/2104-311-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2132-257-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2132-249-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2132-309-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2164-430-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2164-360-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2164-368-0x0000000074728000-0x000000007473D000-memory.dmp

Filesize
84KB

Download
memory/2164-361-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2164-347-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2336-418-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2336-425-0x0000000073310000-0x00000000739FE000-memory.dmp

Filesize
6.9MB

Download
memory/2336-395-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2344-296-0x0000000100000000-0x000000010017C000-memory.dmp

Filesize
1.5MB

Download
memory/2344-163-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2344-165-0x0000000100000000-0x000000010017C000-memory.dmp

Filesize
1.5MB

Download
memory/2344-171-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2344-170-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2400-115-0x0000000010000000-0x000000001018E000-memory.dmp

Filesize
1.6MB

Download
memory/2400-141-0x0000000010000000-0x000000001018E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-333-0x0000000073310000-0x00000000739FE000-memory.dmp

Filesize
6.9MB

Download
memory/2708-288-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/2708-281-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2708-310-0x0000000073310000-0x00000000739FE000-memory.dmp

Filesize
6.9MB

Download
memory/2708-332-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2720-35-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2720-23-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2720-22-0x0000000100000000-0x000000010018B000-memory.dmp

Filesize
1.5MB

Download
memory/2720-34-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2720-162-0x0000000100000000-0x000000010018B000-memory.dmp

Filesize
1.5MB

Download
memory/2752-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2752-245-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2752-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2752-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2752-7-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2752-144-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2820-98-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/2820-99-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/2820-105-0x00000000004E0000-0x0000000000547000-memory.dmp

Filesize
412KB

Download
memory/2820-125-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/2928-312-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2928-298-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2928-289-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2928-335-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download