2c61f79534b9d4b7eefd145a2d53539f23a5dedca466d5cb6d08694ad6a9c407

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 07:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2c61f79534b9d4b7eefd145a2d53539f23a5dedca466d5cb6d08694ad6a9c407.exe
Size

1.8MB
MD5

6d074ccaa92da8771472ce8ec0f8bba8
SHA1

6a38b614cb98bed22245b4e68ecb4cbd8341bc12
SHA256

2c61f79534b9d4b7eefd145a2d53539f23a5dedca466d5cb6d08694ad6a9c407
SHA512

d4cafdde20612ea274d4dc99da57e7b58d1d8e7d5c3e0edf5d1ed4c66b3afdfbb1105d51c44b5066b90601d612e57b335325930bdb17aec23f724275abec9904
SSDEEP

49152:nM9QPdxwfE7WlFwKAfzuTiDFUFkZxlMPdlR8v4UC0Eg6ET7M/I:n1PdVQFwKZCFggl2/V0cETQ/I

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2752	alg.exe
688	aspnet_state.exe
2728	mscorsvw.exe
2880	mscorsvw.exe
2504	mscorsvw.exe
2724	mscorsvw.exe
1292	dllhost.exe
2256	elevation_service.exe
792	GROOVE.EXE
1636	maintenanceservice.exe
2960	OSE.EXE
2592	mscorsvw.exe
2568	OSPPSVC.EXE
2604	mscorsvw.exe
2304	mscorsvw.exe
2260	mscorsvw.exe
2380	mscorsvw.exe
572	mscorsvw.exe
2884	mscorsvw.exe
1836	mscorsvw.exe
612	mscorsvw.exe
2404	mscorsvw.exe
1776	mscorsvw.exe
680	mscorsvw.exe
1100	mscorsvw.exe
1720	mscorsvw.exe
2676	mscorsvw.exe
1772	mscorsvw.exe
2768	mscorsvw.exe
1264	mscorsvw.exe
1444	mscorsvw.exe
2924	mscorsvw.exe
1128	mscorsvw.exe
2004	mscorsvw.exe
2604	mscorsvw.exe
2808	mscorsvw.exe
2628	mscorsvw.exe
1444	mscorsvw.exe
320	mscorsvw.exe
2348	mscorsvw.exe
680	mscorsvw.exe
1868	mscorsvw.exe
2680	mscorsvw.exe
1720	mscorsvw.exe
1168	mscorsvw.exe
2584	mscorsvw.exe
1616	mscorsvw.exe
1456	mscorsvw.exe
516	mscorsvw.exe
1948	mscorsvw.exe
1872	mscorsvw.exe
620	mscorsvw.exe
1608	mscorsvw.exe
2628	mscorsvw.exe
1324	mscorsvw.exe
2116	mscorsvw.exe
2944	mscorsvw.exe
872	mscorsvw.exe
1852	mscorsvw.exe
2184	mscorsvw.exe
744	mscorsvw.exe
2376	mscorsvw.exe
1744	mscorsvw.exe

Loads dropped DLL 39 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
1868	mscorsvw.exe
1868	mscorsvw.exe
1720	mscorsvw.exe
1720	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
1456	mscorsvw.exe
1456	mscorsvw.exe
1948	mscorsvw.exe
1948	mscorsvw.exe
620	mscorsvw.exe
620	mscorsvw.exe
2628	mscorsvw.exe
2628	mscorsvw.exe
2116	mscorsvw.exe
2116	mscorsvw.exe
872	mscorsvw.exe
872	mscorsvw.exe
2184	mscorsvw.exe
2184	mscorsvw.exe
2376	mscorsvw.exe
2376	mscorsvw.exe
2588	mscorsvw.exe
2588	mscorsvw.exe
1536	mscorsvw.exe
1536	mscorsvw.exe
644	mscorsvw.exe
644	mscorsvw.exe
1844	mscorsvw.exe
1844	mscorsvw.exe
2192	mscorsvw.exe
2192	mscorsvw.exe
2800	mscorsvw.exe
2800	mscorsvw.exe
2404	mscorsvw.exe
2404	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2c61f79534b9d4b7eefd145a2d53539f23a5dedca466d5cb6d08694ad6a9c407.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9a589f93db14c9a.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2c61f79534b9d4b7eefd145a2d53539f23a5dedca466d5cb6d08694ad6a9c407.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM7291.tmp\goopdateres_es.dll	2c61f79534b9d4b7eefd145a2d53539f23a5dedca466d5cb6d08694ad6a9c407.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7291.tmp\goopdateres_th.dll	2c61f79534b9d4b7eefd145a2d53539f23a5dedca466d5cb6d08694ad6a9c407.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM7291.tmp\GoogleUpdateSetup.exe	2c61f79534b9d4b7eefd145a2d53539f23a5dedca466d5cb6d08694ad6a9c407.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7291.tmp\goopdateres_lv.dll	2c61f79534b9d4b7eefd145a2d53539f23a5dedca466d5cb6d08694ad6a9c407.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7291.tmp\goopdateres_fa.dll	2c61f79534b9d4b7eefd145a2d53539f23a5dedca466d5cb6d08694ad6a9c407.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7291.tmp\goopdateres_te.dll	2c61f79534b9d4b7eefd145a2d53539f23a5dedca466d5cb6d08694ad6a9c407.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7291.tmp\psuser.dll	2c61f79534b9d4b7eefd145a2d53539f23a5dedca466d5cb6d08694ad6a9c407.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{457A3A65-A1DA-4079-AD34-F52C28F93A8D}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7291.tmp\goopdateres_hu.dll	2c61f79534b9d4b7eefd145a2d53539f23a5dedca466d5cb6d08694ad6a9c407.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7291.tmp\goopdateres_hi.dll	2c61f79534b9d4b7eefd145a2d53539f23a5dedca466d5cb6d08694ad6a9c407.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7291.tmp\goopdateres_no.dll	2c61f79534b9d4b7eefd145a2d53539f23a5dedca466d5cb6d08694ad6a9c407.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7291.tmp\goopdateres_ja.dll	2c61f79534b9d4b7eefd145a2d53539f23a5dedca466d5cb6d08694ad6a9c407.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7291.tmp\goopdateres_sw.dll	2c61f79534b9d4b7eefd145a2d53539f23a5dedca466d5cb6d08694ad6a9c407.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7291.tmp\goopdateres_kn.dll	2c61f79534b9d4b7eefd145a2d53539f23a5dedca466d5cb6d08694ad6a9c407.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6661.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7178.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8B01.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2c61f79534b9d4b7eefd145a2d53539f23a5dedca466d5cb6d08694ad6a9c407.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2c61f79534b9d4b7eefd145a2d53539f23a5dedca466d5cb6d08694ad6a9c407.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DC94B918-A1F0-47B7-9DEE-0954F2B38615}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7668.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP818F.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2c61f79534b9d4b7eefd145a2d53539f23a5dedca466d5cb6d08694ad6a9c407.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2c61f79534b9d4b7eefd145a2d53539f23a5dedca466d5cb6d08694ad6a9c407.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2720	2c61f79534b9d4b7eefd145a2d53539f23a5dedca466d5cb6d08694ad6a9c407.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeDebugPrivilege	2752	alg.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeDebugPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2504	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2592	2504	mscorsvw.exe	39
PID 2504 wrote to memory of 2592	2504	mscorsvw.exe	39
PID 2504 wrote to memory of 2592	2504	mscorsvw.exe	39
PID 2504 wrote to memory of 2592	2504	mscorsvw.exe	39
PID 2504 wrote to memory of 2604	2504	mscorsvw.exe	41
PID 2504 wrote to memory of 2604	2504	mscorsvw.exe	41
PID 2504 wrote to memory of 2604	2504	mscorsvw.exe	41
PID 2504 wrote to memory of 2604	2504	mscorsvw.exe	41
PID 2504 wrote to memory of 2304	2504	mscorsvw.exe	42
PID 2504 wrote to memory of 2304	2504	mscorsvw.exe	42
PID 2504 wrote to memory of 2304	2504	mscorsvw.exe	42
PID 2504 wrote to memory of 2304	2504	mscorsvw.exe	42
PID 2504 wrote to memory of 2260	2504	mscorsvw.exe	43
PID 2504 wrote to memory of 2260	2504	mscorsvw.exe	43
PID 2504 wrote to memory of 2260	2504	mscorsvw.exe	43
PID 2504 wrote to memory of 2260	2504	mscorsvw.exe	43
PID 2504 wrote to memory of 2380	2504	mscorsvw.exe	44
PID 2504 wrote to memory of 2380	2504	mscorsvw.exe	44
PID 2504 wrote to memory of 2380	2504	mscorsvw.exe	44
PID 2504 wrote to memory of 2380	2504	mscorsvw.exe	44
PID 2504 wrote to memory of 572	2504	mscorsvw.exe	47
PID 2504 wrote to memory of 572	2504	mscorsvw.exe	47
PID 2504 wrote to memory of 572	2504	mscorsvw.exe	47
PID 2504 wrote to memory of 572	2504	mscorsvw.exe	47
PID 2504 wrote to memory of 2884	2504	mscorsvw.exe	48
PID 2504 wrote to memory of 2884	2504	mscorsvw.exe	48
PID 2504 wrote to memory of 2884	2504	mscorsvw.exe	48
PID 2504 wrote to memory of 2884	2504	mscorsvw.exe	48
PID 2504 wrote to memory of 1836	2504	mscorsvw.exe	49
PID 2504 wrote to memory of 1836	2504	mscorsvw.exe	49
PID 2504 wrote to memory of 1836	2504	mscorsvw.exe	49
PID 2504 wrote to memory of 1836	2504	mscorsvw.exe	49
PID 2504 wrote to memory of 612	2504	mscorsvw.exe	50
PID 2504 wrote to memory of 612	2504	mscorsvw.exe	50
PID 2504 wrote to memory of 612	2504	mscorsvw.exe	50
PID 2504 wrote to memory of 612	2504	mscorsvw.exe	50
PID 2504 wrote to memory of 2404	2504	mscorsvw.exe	51
PID 2504 wrote to memory of 2404	2504	mscorsvw.exe	51
PID 2504 wrote to memory of 2404	2504	mscorsvw.exe	51
PID 2504 wrote to memory of 2404	2504	mscorsvw.exe	51
PID 2504 wrote to memory of 1776	2504	mscorsvw.exe	52
PID 2504 wrote to memory of 1776	2504	mscorsvw.exe	52
PID 2504 wrote to memory of 1776	2504	mscorsvw.exe	52
PID 2504 wrote to memory of 1776	2504	mscorsvw.exe	52
PID 2504 wrote to memory of 680	2504	mscorsvw.exe	53
PID 2504 wrote to memory of 680	2504	mscorsvw.exe	53
PID 2504 wrote to memory of 680	2504	mscorsvw.exe	53
PID 2504 wrote to memory of 680	2504	mscorsvw.exe	53
PID 2504 wrote to memory of 1100	2504	mscorsvw.exe	54
PID 2504 wrote to memory of 1100	2504	mscorsvw.exe	54
PID 2504 wrote to memory of 1100	2504	mscorsvw.exe	54
PID 2504 wrote to memory of 1100	2504	mscorsvw.exe	54
PID 2504 wrote to memory of 1720	2504	mscorsvw.exe	55
PID 2504 wrote to memory of 1720	2504	mscorsvw.exe	55
PID 2504 wrote to memory of 1720	2504	mscorsvw.exe	55
PID 2504 wrote to memory of 1720	2504	mscorsvw.exe	55
PID 2504 wrote to memory of 2676	2504	mscorsvw.exe	56
PID 2504 wrote to memory of 2676	2504	mscorsvw.exe	56
PID 2504 wrote to memory of 2676	2504	mscorsvw.exe	56
PID 2504 wrote to memory of 2676	2504	mscorsvw.exe	56
PID 2504 wrote to memory of 1772	2504	mscorsvw.exe	57
PID 2504 wrote to memory of 1772	2504	mscorsvw.exe	57
PID 2504 wrote to memory of 1772	2504	mscorsvw.exe	57
PID 2504 wrote to memory of 1772	2504	mscorsvw.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2c61f79534b9d4b7eefd145a2d53539f23a5dedca466d5cb6d08694ad6a9c407.exe
"C:\Users\Admin\AppData\Local\Temp\2c61f79534b9d4b7eefd145a2d53539f23a5dedca466d5cb6d08694ad6a9c407.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2728

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 254 -NGENProcess 23c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 1dc -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1e4 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1d4 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 240 -NGENProcess 25c -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1d0 -NGENProcess 268 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 268 -NGENProcess 254 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 270 -NGENProcess 248 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 248 -NGENProcess 1e4 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 264 -NGENProcess 24c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 278 -NGENProcess 268 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 248 -NGENProcess 280 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 270 -NGENProcess 268 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 288 -NGENProcess 240 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 27c -NGENProcess 278 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 290 -NGENProcess 25c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 298 -NGENProcess 294 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 24c -NGENProcess 27c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 248 -NGENProcess 2a0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 268 -NGENProcess 2a4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 268 -NGENProcess 278 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 288 -NGENProcess 2ac -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1c0 -NGENProcess 218 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 2cc -NGENProcess 288 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 278 -NGENProcess 2d4 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2bc -NGENProcess 2d8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2d8 -NGENProcess 2b0 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 278 -NGENProcess 2b0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 278 -NGENProcess 2d8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d4 -NGENProcess 2d8 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f0 -NGENProcess 2e4 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2e4 -NGENProcess 2b0 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2e4 -NGENProcess 2d8 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2d8 -NGENProcess 2d4 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2d8 -NGENProcess 2e4 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 308 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2fc -NGENProcess 2b8 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2b8 -NGENProcess 304 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 314 -NGENProcess 2b8 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2fc -NGENProcess 2d8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 278 -NGENProcess 318 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2b8 -NGENProcess 31c -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 31c -NGENProcess 2e4 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 318 -NGENProcess 2e4 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2d8 -NGENProcess 328 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 328 -NGENProcess 324 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 334 -NGENProcess 31c -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 324 -NGENProcess 31c -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 31c -NGENProcess 314 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 278 -NGENProcess 314 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 340 -NGENProcess 33c -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2b8 -NGENProcess 33c -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 2b8 -NGENProcess 2d8 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 348 -NGENProcess 2d8 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 348 -NGENProcess 33c -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 350 -NGENProcess 33c -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 350 -NGENProcess 2d8 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 314 -NGENProcess 35c -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 314 -NGENProcess 32c -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 358 -NGENProcess 364 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 368 -NGENProcess 32c -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 368 -NGENProcess 358 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 35c -NGENProcess 370 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 370 -NGENProcess 32c -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 370 -NGENProcess 35c -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:1032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 314 -NGENProcess 37c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 32c -NGENProcess 380 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 35c -NGENProcess 384 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:804

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2628

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1292

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2256

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:792

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1636

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2960

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.4MB

MD5
118ac0ca865ff644d6b98964f0083137

SHA1
67c68ef758800b9276440c6495c387835178ecdc

SHA256
8d88ab310d8cfa8e7611effb02706d349cbb4f2a1541258f446753d245a24c7c

SHA512
5e4cd8389d88b1a3c4c37cc5536c83386e52be6cee2ac703565274ab6471b921d929c18efda551ad13fbae2ebba183fff439cf4cd2f7ea7ef2675eb7e74adaba

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
9f9a6f1e77a35a0ca72234ce4b307605

SHA1
db595384c5893346fd98a2e6239050ccfe60a0b9

SHA256
55e05804e041694198e8d25f5f3ad1226bd9deb3027c709f273ce0af4c5e729f

SHA512
c1c19ee8765e118e4c37e7dbeaa4dbf3bbb92881fef48a958dd3ee033411dc2a9adeaa2425a6cfab0d944cb4881d7bf94ccff2641a17dc45363dc6948f9e9c41

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
52aac539e1a74bfa3eee106891ad3544

SHA1
41468b0bfd4c9232ad85b9c2ac4b45c546893081

SHA256
cd93e3d38ecc85d4c2e1c3a27241b8af9d1652ae6ff5d59a3cf8bc5cdf57f4c0

SHA512
9b74bfb2d20070129d429f13b45f5957c9817ffa33cf4c4d34874db7e81c1fcee8cba736083c39fc2abe0ec2b5b16de10017630e830b672cc8126671fa3c4417

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.8MB

MD5
29f0ad48005b09af23403d6dd0181aa5

SHA1
b0a53b587625470dc608c537e1e6a9d7635a100e

SHA256
322d06c117d49f1d336d911729a458c8c9d7d3f2bbf52136d5085b4869b41c5b

SHA512
29a655af7ac7698060991e53e332caa33a2de2c8899e174a9d7165bb9aac8e6615c88c162d9242e9b9005250ce22fdcdef8efbf872f1f6eff7c8504f69d3ca68

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
7854bcf7b53d74e140892185bb150c41

SHA1
1392d6d927c807cc02742bb9e8f876aab4277498

SHA256
2bab5f482b8948668242df0fd3da750791e4e4338a2570058ceeeda98a8cb756

SHA512
f249cb3276cb06311e451d4b5da956f89e4da346a9a258edf0010d7a9d645dd5cb6815cdc4de93957ce3f47a530dafd380e703b143e174e906cef4fda15981e5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
19.7MB

MD5
774b81f08da6fc448032dea15dd13b93

SHA1
f5a306236da0751b25e891da9d59b4400d009a38

SHA256
934567c2677c107ce8fd0b1349b5c6938f680209b57fec8251cec74b29b5424d

SHA512
f7dc233759c95ec0ab4d2088280a2cd08bf360411dc7a356f285b736f397622839b52b8fa0f31ae61ceda32ea00679ca0a9d283ff17d5d7f5532a86211658a2c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
960KB

MD5
163a8c9b05fccb19c870f89ed6f5f512

SHA1
d15804cc9fbd25e428f67c16ddf67a145d165f49

SHA256
3cab0f1b4e59b2ec3906b59098fc0962638a90c10326199b4bca0c5f7a0e4c79

SHA512
13a247681ade71f603acca194daa97c867f21cf103bc9db7b76b9faf9e2629e406d079a0b683f41e5411a2d8f7381318b2787e5b847ec162b5776629c2fa904c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
a1097f17df15e42617db740630316e01

SHA1
975de13fd1da788d1512c28053a6e53ad54ca47c

SHA256
70a17c6282f83078694e65cd351d5d2a276d69339db7447de90550198736b48b

SHA512
ba085e473b2860a26fe36480143316149619b61ca64d02ceaec7dc07dd37c0db1abc3a509db2982d77b1741fb9464c31f0c0730a91d5c47dd36005aae00c5610

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
32ff019d2b14e9d93333449dc6f26cf7

SHA1
f4a469d16cac7af773bd549acf607c165e2ad5f4

SHA256
6180b8d6c26ae12b38a20b6f690b32a833f996f270d90dd82cc424a4fdae6975

SHA512
0174ba9225812c365490c74d591bb7909acad4feb68da376e7770294e48d73d3ba289d1619954c8f5f354c61c4b103924b5432c0524115f05c03085ab6db0511

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
735eae46e7197d8b7fa6aabb7bb27040

SHA1
65276aa0b677cf35367a3dd5b3680a98b4497f25

SHA256
5f0aa91bce7dda25cc8787c24499a97a290cba9d7ed738fc250d28ed572ff8d7

SHA512
6f6c5042552729f7bb31ab4208e2b0842281ee173344e3d7c5928a06fe77ea6077a813dd7d2a2a807b0adddd9505be74fab56ebbe180719d4a3b504f3f665dcb

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
45c81e6128137d2dd64a24415df7825e

SHA1
8c62ba683068096af5803ec64a9c875cb19d1c41

SHA256
5f94b61f7ac727d59814cc9b1652b3a1cc6e491203e4b09a5a95e21741c05794

SHA512
1d07154dbc1345118f2544399bac499a73136479c04e77bb3e4caa73960c72018dbfb61568cd2a931efb54a9cd477e4ea1aa88504bdb8568060f87fcc41b46ca

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
7ecbc923bf521a71aaa2b43b7bb82874

SHA1
e2b5c8c8fbb0dd1c2ab4b1aa26d11203ee726774

SHA256
1d42ef1ea318bdb9603a95d4bc26bd51e279e82f8b3208e26b898d29aa77d359

SHA512
e093ea534a57422111630ba3fa81832091567c0c56c734999dbe0f837aad3e58fbb6cc781a0738cefb863f4b80da6d5c111fd104b0610b156adc1bf7c75d71d7

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
1.3MB

MD5
7bf096171103c648103cd5d07f2b03a3

SHA1
c5ff2cc56202957a800f5e4da06289885c15683a

SHA256
3c0d1cf6972c9584eec267892d26b5ba3822023cce3c060cd100649794a97c7a

SHA512
4d8fb40fe2ba421836af385ad7607c3aeb72337a231cf34b4cde139fdb3a0d487e2d40afe53173d354518c1a65a50a4ab44b215e49c23f35e9a5b8e438ce5e4f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
14dff2deea40f5b238555acef309cf76

SHA1
236518ca96d32299278b1c147b8e182a3f9c5eaf

SHA256
b6dd13c8777d7f164bf7fe4520231848045ec0550f0d21cdad1b9e4e95a43541

SHA512
3fc00b09e103a6fb9b7dc81b4f6161d994cedb9c4470eeb5a1428dbc7e30e3dbdf692abdcc87724b8ba0c03eaecdfba2697386416dab20c6be6a37e34b9ef664

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
463b727bae2f92d650e046e0070aa35c

SHA1
2dcec0a740a102b1ea683d290f5375b5f1d5fbd3

SHA256
d118370c9d558b722deb192c57c79bbfa571f15d491d8e2de92e792555aa7420

SHA512
7b590de65dd39449afc1f4aba2a5916316deb21381fd5d90538133fefe2f5a05883daf0d0ef1b70bab05dfbcb6e34331f841c7b2e1255917e52b6725c7b3b323

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
1.2MB

MD5
13ccaec7b1eae68cde83b2e004982a7a

SHA1
dee1b4ee6868d2fe00166db56e0ef2ef0dc5d87e

SHA256
d7b1e6b33258d13f3c842a777f4103efdf5616ca9b04cff86eb5987246e46a61

SHA512
ab9a6fd9cb3abda137c3ebcdcdb9636e0d024b336fd99b70d15f7beceb22eb4b358704a6cc829d47d4e6a3a5a3f6cfb270e91d29e1073d2b938c0042847e27d2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.9MB

MD5
b829772db50cf2ab99134af608147760

SHA1
ce54586355256f46cad6e188b47f43620a015f86

SHA256
3cee180b14959504560f15ed8a067fe3e532afa20bed61adc84df9be926ce25c

SHA512
8b227daae5d9d7bfdb589941202383ace91ecf0f42d7ae2427ff3a6f2ef0589c1074d75ac9d159286b1c9434f2a2fa62cdc2613811277d1ac16d4ed1fda92054

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
2b63b7867e54312a329a3bdb54871e14

SHA1
2dd3a99b5a80aebb7165ef6b964ae92a6ef73266

SHA256
457714b87dfe75bb7bdf87e21d2b67a06abad5cf0baef0294dfb6a4e98e44d46

SHA512
e90f53166f7c35b770b9ac26aef5239e416b67a916f8e5ddbc1bbcd7d410e9ff06b1f1b9f784b0c071d522e4bff8ee7ba49d33062307e3f8bfc0cb67f209fe3b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
d26f245049229e956166890e47c6405b

SHA1
0463799d37b095e9437257a1abb594fd94b0c557

SHA256
d697ed6ee183e2c3339159e3f465e9c806eadd0c91550cdb7777de811c654fd2

SHA512
81c53599767663ad277298952db7c9facab61d25bd8531bc98b53dea5b051eaf6144bed017a6fa79479ab00a50dffe11fdae1c236b559edc42049bbe8ad972ef

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
1.3MB

MD5
340498aab6fccca18c7669e37633ec38

SHA1
7fa4ddeb0adbed31f69d533db8b07ec67716501f

SHA256
08cd5cdb14e470d5b74f586a766201813e01c7d3e4e7e82802fcd4161973e1ff

SHA512
1f4c908c041de85283d837f26266085955b8af567a9e03d28900dbb03559a4802cb098717ce2b0438860840dad850d29caaf3a834b38924e648c56035fc8870e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
1.3MB

MD5
6cb6b3ba2621f5b29bcd05d1d6e9b9a0

SHA1
8b94ac648ca0580184cbaf6f9dbc1d33c637c431

SHA256
20c37b2b813e1c11e947c63ae8f242c111c3c2a98f32e037a54ae42077df394d

SHA512
795b13a35ffb3a70745607c2af00d867481efbac43bd3d2a858f4ec31a0f9b3f01a7fd6d9fb34cfe940690c7802fc2970e8cdb90159a9192a2420ae97c5de8b1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
1.3MB

MD5
ce2247e007ebb27ff01f64ec236e03d6

SHA1
8c47caf78ee0dffdfa4d31b7cd2bcc7b725024a7

SHA256
99a656f7e0fcbe6e84270b32d8581d532503fec7f9c0ceb060bccc759038aa87

SHA512
682d6b6351d4d4ae53c391d1c4a0606e9e36d314a99b5190035f08804ab01eafb3dd9bbb69043b098a3eb0f0cb7669b4a895f135c2c1e503aa5e5f43f7ccef79

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
1.3MB

MD5
2ce21c70f93ce009e1501d1de67be2bd

SHA1
a515adf70e53b52f567180a4d21cc1b366dcf9a2

SHA256
52ef607258d5c42ca98e20d67d1c7b5eff2f5588d8eaac5f1f627593a6abd848

SHA512
33d72e6b0ea90364e9ad4abae3f9a49ac3a98fd60a0cac6a43c5508c2d9bae5579f5cc86f7fd8ffffc9217294a21864cf37eebbd36c18ec1614334545ee9099b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.4MB

MD5
dbd75469594a0c5bcc2bb2d349b3aa79

SHA1
5f78485a7d42e3e3c0c98a121662c900fd863b8b

SHA256
a74bb98fe050fff5d0e49a75f485873c06121a99070648c14725d0f2f300dec2

SHA512
5384d52c52712f21bfd03d6518b3a0c8b87d8a46a7facf40a690428722ff7e234e74fd75d9da12a7e4723a0b64e922d3f651c00c4870a932df6ffbcedbbbe5af

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
e803197b02ec15cdc1cb455166aeb54b

SHA1
7330ff9ef3ef4812357582daca6f2af64a28e979

SHA256
3b9d75355cd223c0724a38f67bcc3dca174183bb4b7725720cd615bdf9c1d212

SHA512
c1f4322d66deb55e7b96f7e3093593a308734e0065f37234174cf8f874b1f65c2ec09daa51e6f1543247a025ddd00f45c6f99ce056eb624538d39dffcb6994d3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
b6103380f226f2431357a108be04aa2f

SHA1
ebdae4708977c903d29303a3ba7bc6be75d529e3

SHA256
aa366df6566d139de6d1273da867433c2ce9510779c68be2bcb34cd423bd90fb

SHA512
87dddc01e1e4ce8dbf5078c40e1f7edb657c81d627992fbf94c757d5261632ec8d8ad6e408b56b777890e4903296f52b2ed4d02b0aa727f6b512113d29d01884

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
192KB

MD5
0f7c5c84ac4078a8eef10a9d5e4f93cd

SHA1
817b5198e4fa88995d893ac6512b50641dd5232e

SHA256
3fc22f04ae8a9f2ca1c95c276edf225cc289b1aafa562910f6ac9aadb355ec68

SHA512
30359841b43aa2bddbe748caf5e29b139a9866901965c02097fcf12a5531151375ed843a9d416f48f2ce5317e6048b9dcae234f9306d605d5157870d66a78df3

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.4MB

MD5
d7c05a3bd63d21132e4fcc99fa0fd2b5

SHA1
3306a38811c3ec1b2a3a5ad067f26c380875bb8d

SHA256
bd9b664dc00de8f1894378c793b245c90fccff1e51830dbd4095b783b8bf97ca

SHA512
63e609f84c180c8b5577e8cfa7bf90811307131bcbf2c0bea064ddf3a7fa23c4f2ea6130f98bf578959981f2ff618ac5792c37ec4eb6e2408a75b176bd42dc76

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
a73174af72987dc9379cbfde0996ba9d

SHA1
48852a39cc56a659077574dcf1023941a12c1da4

SHA256
fc10c1a27f9194b9dd2456c3b169218f7178e945b01a4793f680824bafb724d2

SHA512
3fef912301b3af1c80bf3d06f6a637855d628bab855504602cd0995c277b0237e82c55404308dd09741673243855b14cf5ccff15338b9104513d8716702c05b5

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
e8739c6be43ee7f23d099f6b15b42d38

SHA1
af964568458a4cc06f952732454740eaec1ac54d

SHA256
e6be6beb146d2308ec5a4c97c1d91f4e87882c5ca9a7715a255abff7b4529bf1

SHA512
28d4817222d6fe9878c031ffffa7ed3a6c0d2552af6b07887a84915696cdd52e610bbd65b16b013ec4beea5d4e94ccc046c936dcd9afe180d88afb0d2c813f28

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
23517667667d0ccc9e06ed92193d33e2

SHA1
231ae7cea76e3235dafdf6c816b48a5b46609adc

SHA256
9a6c2a3eafccc763dcbbe3698c9f97f558ad764a11e8e674f6ae2f9dc4dc6af7

SHA512
6437d98bc80bfcadefd12ad832d67235d9232fdefa57643e2f10bad7f83e11d53dd3ede7cf8688af884c2be25fac11ed2b7bde16e1cde683deb021ddf8f99487

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
512KB

MD5
8a49675f82ebffb0e08f8dd12582952f

SHA1
48ed4abc2c4a5647b448ee32682deeaa65ec35ce

SHA256
68bf412ba264326e9a99a3e42afbb40897aabada57cf2ef1d7d7778eb691aee2

SHA512
5fcf2becc189871676bcb144b1e49905ac51edd096d96bab2a83d8f745652ad4bdacf2e845fc0d9a5f18dd16531db4d0cfdcc0033fc15ae53a989f2a60e42645

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
f4aef246f19fef3cbb7169a64afae5e0

SHA1
87b9b5e8afb755743648e13bc62513d58926506a

SHA256
08dba9e67650321e8cacef00524f7122083a4431d78130f07565beadc3430696

SHA512
e8fa78eaad396ed2beaaf87fcccb6c83ba76ad9825889f0598a952f9edfc033aca8a14d367ad357bc83616518191ec50f6e96fd9c8f6a996415854b2acafed59

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
64KB

MD5
a657ea4b525ce51662cb8b563c374ceb

SHA1
e7dd99a455deddebc9e20fbcf55766b38b05f40e

SHA256
b9d2552841975390394815b0e05ae1589b95652ff744baec360bcb7fb160bb55

SHA512
7ded4249a374e8c203094f9428ccdb5d4dbf74f3cd938ab37af15afbaa581644249c831a549a4f0d95b49f1700dab98c1a77ca3885cbdb00d4473ae093e8ea11

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
36d676089652a8a1137487f2366ae833

SHA1
cf36e3a1f59c18091593e5ee99312fd914a6d99e

SHA256
4dd475809ea7c5c8bd1aa8f97ad115ab6178366f55ae8a5df49926105e88353b

SHA512
84ac1e489eb3411d0b06335256f56c5e46d75e8951745401336c18145b19efa212ab36dbb5804b5885dbc7885e5ea5d5f7edc37d80854b393d815fa39b31add9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\3e19239be7314c6ca606453c4ecff012\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
eeb96e56b3c923330552ee9428fba74b

SHA1
e1de14509f502569f2fc3b00d836465028c4bf5b

SHA256
9c7d96d6d9c511604ff1885280d5854d77459cd2e87f98c5129cd3ae0e520955

SHA512
93ad156e0747cddd85c74da42ea99afe9a3688bea11336ea260f1ad6505ecb5ded29192043bc52f2570bbed3bc927a10e58e7f79744938d7c8e0ad3684276daf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4d420aa31d320cdf2e1ce2aefe7bc119\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
6f9f108fa2279e1c28463809d1ade2ae

SHA1
f4a84ed2ee86aca38d3eb4cb8447cae3c7120e1d

SHA256
bdcf89d2d6f43ae146e1008fceff57d91e78c517a37df09a4d7bb18a935a96c8

SHA512
9a21732e365f20811a617d579f63a6879ffa0d727d786ea824c651992d079690a476453a365fa52fcffa722e575ce52087ee3757ad90db3ba308fda6567ace3f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\808bb311d001cfbd449deb9b20e65d77\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
ad791a877a991ef7a0acc57ceeb0af34

SHA1
3e59a9869488f821c419227c358b3c389d0d3149

SHA256
84536c63d9cd438e724baf7edd555eb88122710e1d32dd893084608cbd2adc91

SHA512
c2ad96de195fa5e0ea6c4ede07a96a0afad24714293126e18a89ab2dd5a9f864b0cd0e4446346faee86a41d4fdf1de48f2aece56fc45b4cdac9666898ec47c13

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d00b6a7b01cf27314ab7b48c1c8de6ad\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
8b0af922b238d2a5126020e50b366203

SHA1
6ccad58f8ff50103665c9b47c90330790dcc41bb

SHA256
7bc4992ce23fbd5285aabd85abd270455d9bd9581d9f7a493ab8e4cdf3419e9e

SHA512
f2fbadbf5502a2c0046a8d4784969a451c6694d046e0edcb083d1b9235ee48242d2a0e1e217506ffa6f360d165fbd3734becea08fda83fa72d98f871a807a781

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
56b240ddb3e85188d0cc7713a6d6ffd4

SHA1
aa795f9b706122f9353b17270dd923ba86afe806

SHA256
511fd6c643cadb267d4b60b96d62c6c63a921da1b820d8c9b4c6f3c34d9dcfa2

SHA512
c6fdb89b3057a7947566ffe6c605a4783da767dfb56eb88cb48155f66406bdea0e043be39d4e8ce90123cdb45b8773505af6217eff4a564278359493a0a7ed2a

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
55e7bec7149a3510e513f3d69042ebd9

SHA1
e22ef10fb4cdfc82ee82ec1998b8e93916096a3f

SHA256
d48416a654002de7ba465843b19ee2f6788e7a2cf5d744a16005f87d0fccc408

SHA512
da9b171cb0da6791cf1a98f5aaa681c7da50ee741d1063f98a524396d169ef8feb0776ccd393a1d9a84270426d41afcee605c754435409b46db3130a8664e613

Download Submit
\Windows\System32\alg.exe

Filesize
1.4MB

MD5
8ffdd370735a21f3e1636a4d11fbd170

SHA1
1c5e6bb6dca3cf74240bf9890ecff0bd2f51064e

SHA256
0087718a00c129bd9c5b5dd5cbbe2252af023331e5ea6f4bc51b7d63ede2f5db

SHA512
744be55b2136ece16acf9dbc4154fe0a2d3375469b6cffa28c0b60871beba5b4726d4b5494f194dc2334125d6d7571ac7e4ca30507ba1903cd0361f731252915

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.3MB

MD5
7d5eb3f144807bd6b37682f92c4ac4ef

SHA1
160472df19648ac9d0699490cba7967334ed4b57

SHA256
ef1d0b2027845e113d1b43223383e3ad7b92d3231c13a095f1155cc10748bc59

SHA512
cb05ff5c7f2bd774771f71004c987257e066a32315fe01d8b84f712e8755c5f891847c63308a7d54db27f13b2db9cc845d65c548ce4ad179303ff5b3f4a16b72

Download Submit
memory/572-547-0x0000000000400000-0x0000000000625000-memory.dmp

Filesize
2.1MB

Download
memory/688-252-0x0000000140000000-0x000000014021A000-memory.dmp

Filesize
2.1MB

Download
memory/688-94-0x0000000140000000-0x000000014021A000-memory.dmp

Filesize
2.1MB

Download
memory/792-261-0x00000000003F0000-0x0000000000457000-memory.dmp

Filesize
412KB

Download
memory/792-268-0x00000000003F0000-0x0000000000457000-memory.dmp

Filesize
412KB

Download
memory/792-325-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/792-262-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1292-165-0x0000000100000000-0x0000000100212000-memory.dmp

Filesize
2.1MB

Download
memory/1292-161-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/1292-170-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/1292-304-0x0000000100000000-0x0000000100212000-memory.dmp

Filesize
2.1MB

Download
memory/1636-283-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download
memory/1636-290-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download
memory/1636-289-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/1636-284-0x0000000000FC0000-0x0000000001020000-memory.dmp

Filesize
384KB

Download
memory/2256-250-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2256-257-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2256-249-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2256-315-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2260-514-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2260-539-0x0000000072D60000-0x000000007344E000-memory.dmp

Filesize
6.9MB

Download
memory/2260-538-0x0000000000400000-0x0000000000625000-memory.dmp

Filesize
2.1MB

Download
memory/2260-522-0x0000000072D60000-0x000000007344E000-memory.dmp

Filesize
6.9MB

Download
memory/2260-499-0x0000000000400000-0x0000000000625000-memory.dmp

Filesize
2.1MB

Download
memory/2304-465-0x0000000072D60000-0x000000007344E000-memory.dmp

Filesize
6.9MB

Download
memory/2304-505-0x0000000072D60000-0x000000007344E000-memory.dmp

Filesize
6.9MB

Download
memory/2304-506-0x0000000000400000-0x0000000000625000-memory.dmp

Filesize
2.1MB

Download
memory/2304-438-0x0000000000400000-0x0000000000625000-memory.dmp

Filesize
2.1MB

Download
memory/2304-442-0x0000000000630000-0x0000000000697000-memory.dmp

Filesize
412KB

Download
memory/2380-532-0x0000000000400000-0x0000000000625000-memory.dmp

Filesize
2.1MB

Download
memory/2380-536-0x0000000000630000-0x0000000000697000-memory.dmp

Filesize
412KB

Download
memory/2380-540-0x0000000072D60000-0x000000007344E000-memory.dmp

Filesize
6.9MB

Download
memory/2504-124-0x0000000000400000-0x0000000000625000-memory.dmp

Filesize
2.1MB

Download
memory/2504-131-0x0000000000BC0000-0x0000000000C27000-memory.dmp

Filesize
412KB

Download
memory/2504-277-0x0000000000400000-0x0000000000625000-memory.dmp

Filesize
2.1MB

Download
memory/2504-125-0x0000000000BC0000-0x0000000000C27000-memory.dmp

Filesize
412KB

Download
memory/2568-327-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2568-541-0x00000000742F8000-0x000000007430D000-memory.dmp

Filesize
84KB

Download
memory/2568-424-0x00000000742F8000-0x000000007430D000-memory.dmp

Filesize
84KB

Download
memory/2568-516-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2568-326-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2568-317-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2592-307-0x0000000000400000-0x0000000000625000-memory.dmp

Filesize
2.1MB

Download
memory/2592-421-0x0000000072D60000-0x000000007344E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-313-0x0000000000630000-0x0000000000697000-memory.dmp

Filesize
412KB

Download
memory/2592-425-0x0000000000400000-0x0000000000625000-memory.dmp

Filesize
2.1MB

Download
memory/2592-426-0x0000000072D60000-0x000000007344E000-memory.dmp

Filesize
6.9MB

Download
memory/2604-447-0x0000000072D60000-0x000000007344E000-memory.dmp

Filesize
6.9MB

Download
memory/2604-450-0x0000000000400000-0x0000000000625000-memory.dmp

Filesize
2.1MB

Download
memory/2604-427-0x0000000072D60000-0x000000007344E000-memory.dmp

Filesize
6.9MB

Download
memory/2604-423-0x0000000000630000-0x0000000000697000-memory.dmp

Filesize
412KB

Download
memory/2604-422-0x0000000000400000-0x0000000000625000-memory.dmp

Filesize
2.1MB

Download
memory/2720-1-0x0000000001E30000-0x0000000001E97000-memory.dmp

Filesize
412KB

Download
memory/2720-0-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2720-246-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2720-6-0x0000000001E30000-0x0000000001E97000-memory.dmp

Filesize
412KB

Download
memory/2720-144-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2724-147-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2724-292-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2724-143-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2724-152-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2728-104-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2728-122-0x0000000010000000-0x000000001021C000-memory.dmp

Filesize
2.1MB

Download
memory/2728-98-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2728-97-0x0000000010000000-0x000000001021C000-memory.dmp

Filesize
2.1MB

Download
memory/2752-162-0x0000000100000000-0x0000000100221000-memory.dmp

Filesize
2.1MB

Download
memory/2752-74-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2752-17-0x0000000100000000-0x0000000100221000-memory.dmp

Filesize
2.1MB

Download
memory/2752-12-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2880-113-0x0000000010000000-0x0000000010224000-memory.dmp

Filesize
2.1MB

Download
memory/2880-140-0x0000000010000000-0x0000000010224000-memory.dmp

Filesize
2.1MB

Download
memory/2960-295-0x000000002E000000-0x000000002E232000-memory.dmp

Filesize
2.2MB

Download
memory/2960-301-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2960-435-0x000000002E000000-0x000000002E232000-memory.dmp

Filesize
2.2MB

Download