a67bd7b710680b7fdb62fa156c77fabfd71b6344ea9e9238c0057622a2ca1ced

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a67bd7b710680b7fdb62fa156c77fabfd71b6344ea9e9238c0057622a2ca1ced.exe
Size

1.8MB
MD5

2902a70a582b6d3464d130a14b20c1b9
SHA1

2acb1356f2e93ea040f109b7c1875730693789fa
SHA256

a67bd7b710680b7fdb62fa156c77fabfd71b6344ea9e9238c0057622a2ca1ced
SHA512

51f84605c76ba82386762a46e858fdf0fb91c7a37bb1a61886da4ff61218a7b9a04d1857579fdb114aba8dc27c81dd20d96ea98864ee37b4c4b795c493406a1b
SSDEEP

49152:dx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAQaB0zj0yjoB2:dvbjVkjjCAzJGB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
480	Process not Found
2400	alg.exe
2532	aspnet_state.exe
2300	mscorsvw.exe
1972	mscorsvw.exe
1188	mscorsvw.exe
1540	mscorsvw.exe
2296	ehRecvr.exe
324	ehsched.exe
2144	mscorsvw.exe
2856	mscorsvw.exe
2080	mscorsvw.exe
2652	mscorsvw.exe
1820	mscorsvw.exe
1684	mscorsvw.exe
2104	elevation_service.exe
2240	GROOVE.EXE
852	maintenanceservice.exe
448	OSE.EXE
1624	OSPPSVC.EXE
2120	mscorsvw.exe
2760	mscorsvw.exe
1304	mscorsvw.exe
2124	mscorsvw.exe
1748	mscorsvw.exe
3036	mscorsvw.exe
2348	mscorsvw.exe
2560	mscorsvw.exe
2976	mscorsvw.exe
2972	mscorsvw.exe
2180	mscorsvw.exe
1276	mscorsvw.exe
1140	mscorsvw.exe
1828	mscorsvw.exe
980	mscorsvw.exe
1560	mscorsvw.exe
2656	mscorsvw.exe
1856	mscorsvw.exe
1976	mscorsvw.exe
1588	dllhost.exe
1816	mscorsvw.exe
1672	mscorsvw.exe
1204	mscorsvw.exe
1296	mscorsvw.exe
1760	mscorsvw.exe
1668	mscorsvw.exe
680	mscorsvw.exe
1412	mscorsvw.exe
2120	mscorsvw.exe
948	mscorsvw.exe
2608	mscorsvw.exe
3048	mscorsvw.exe
1204	mscorsvw.exe
2908	mscorsvw.exe
2852	mscorsvw.exe
644	mscorsvw.exe
2760	mscorsvw.exe
2764	mscorsvw.exe
2612	mscorsvw.exe
2928	mscorsvw.exe
1196	mscorsvw.exe
1124	mscorsvw.exe
2460	mscorsvw.exe
2268	mscorsvw.exe

Loads dropped DLL 45 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
1760	mscorsvw.exe
1760	mscorsvw.exe
680	mscorsvw.exe
680	mscorsvw.exe
2120	mscorsvw.exe
2120	mscorsvw.exe
2608	mscorsvw.exe
2608	mscorsvw.exe
1204	mscorsvw.exe
1204	mscorsvw.exe
2852	mscorsvw.exe
2852	mscorsvw.exe
2760	mscorsvw.exe
2760	mscorsvw.exe
2612	mscorsvw.exe
2612	mscorsvw.exe
1196	mscorsvw.exe
1196	mscorsvw.exe
2460	mscorsvw.exe
2460	mscorsvw.exe
1532	mscorsvw.exe
1532	mscorsvw.exe
320	mscorsvw.exe
320	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe
1208	mscorsvw.exe
1208	mscorsvw.exe
1592	mscorsvw.exe
1592	mscorsvw.exe
1848	mscorsvw.exe
1848	mscorsvw.exe
1808	mscorsvw.exe
1808	mscorsvw.exe
2348	mscorsvw.exe
2348	mscorsvw.exe
2604	mscorsvw.exe
2604	mscorsvw.exe
1796	mscorsvw.exe
1796	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\37e3040c56fe8faa.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a67bd7b710680b7fdb62fa156c77fabfd71b6344ea9e9238c0057622a2ca1ced.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	a67bd7b710680b7fdb62fa156c77fabfd71b6344ea9e9238c0057622a2ca1ced.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM79F.tmp\goopdateres_ko.dll	a67bd7b710680b7fdb62fa156c77fabfd71b6344ea9e9238c0057622a2ca1ced.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM79F.tmp\goopdateres_en-GB.dll	a67bd7b710680b7fdb62fa156c77fabfd71b6344ea9e9238c0057622a2ca1ced.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM79F.tmp\goopdateres_fa.dll	a67bd7b710680b7fdb62fa156c77fabfd71b6344ea9e9238c0057622a2ca1ced.exe
File created	C:\Program Files (x86)\Google\Temp\GUM79F.tmp\goopdateres_sl.dll	a67bd7b710680b7fdb62fa156c77fabfd71b6344ea9e9238c0057622a2ca1ced.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM79F.tmp\goopdateres_nl.dll	a67bd7b710680b7fdb62fa156c77fabfd71b6344ea9e9238c0057622a2ca1ced.exe
File created	C:\Program Files (x86)\Google\Temp\GUM79F.tmp\goopdateres_tr.dll	a67bd7b710680b7fdb62fa156c77fabfd71b6344ea9e9238c0057622a2ca1ced.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM79F.tmp\goopdateres_sw.dll	a67bd7b710680b7fdb62fa156c77fabfd71b6344ea9e9238c0057622a2ca1ced.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM79F.tmp\goopdateres_vi.dll	a67bd7b710680b7fdb62fa156c77fabfd71b6344ea9e9238c0057622a2ca1ced.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM79F.tmp\goopdateres_hi.dll	a67bd7b710680b7fdb62fa156c77fabfd71b6344ea9e9238c0057622a2ca1ced.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM79F.tmp\goopdateres_ru.dll	a67bd7b710680b7fdb62fa156c77fabfd71b6344ea9e9238c0057622a2ca1ced.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPCB1C.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	a67bd7b710680b7fdb62fa156c77fabfd71b6344ea9e9238c0057622a2ca1ced.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPBE11.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC561.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	a67bd7b710680b7fdb62fa156c77fabfd71b6344ea9e9238c0057622a2ca1ced.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DE376877-DAD6-40F7-8C99-EB2D95BB4B59}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4F0.tmp\ehiActivScp.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPBAA8.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPFD14.tmp\ehiVidCtl.dll	mscorsvw.exe

Modifies data under HKEY_USERS 54 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "mscorsvw.exe"	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	836	a67bd7b710680b7fdb62fa156c77fabfd71b6344ea9e9238c0057622a2ca1ced.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeDebugPrivilege	2400	alg.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeDebugPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	1540	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2144	1540	mscorsvw.exe	36
PID 1540 wrote to memory of 2144	1540	mscorsvw.exe	36
PID 1540 wrote to memory of 2144	1540	mscorsvw.exe	36
PID 1540 wrote to memory of 2856	1540	mscorsvw.exe	37
PID 1540 wrote to memory of 2856	1540	mscorsvw.exe	37
PID 1540 wrote to memory of 2856	1540	mscorsvw.exe	37
PID 1188 wrote to memory of 2080	1188	mscorsvw.exe	38
PID 1188 wrote to memory of 2080	1188	mscorsvw.exe	38
PID 1188 wrote to memory of 2080	1188	mscorsvw.exe	38
PID 1188 wrote to memory of 2080	1188	mscorsvw.exe	38
PID 1188 wrote to memory of 2652	1188	mscorsvw.exe	39
PID 1188 wrote to memory of 2652	1188	mscorsvw.exe	39
PID 1188 wrote to memory of 2652	1188	mscorsvw.exe	39
PID 1188 wrote to memory of 2652	1188	mscorsvw.exe	39
PID 1188 wrote to memory of 1820	1188	mscorsvw.exe	40
PID 1188 wrote to memory of 1820	1188	mscorsvw.exe	40
PID 1188 wrote to memory of 1820	1188	mscorsvw.exe	40
PID 1188 wrote to memory of 1820	1188	mscorsvw.exe	40
PID 1188 wrote to memory of 1684	1188	mscorsvw.exe	41
PID 1188 wrote to memory of 1684	1188	mscorsvw.exe	41
PID 1188 wrote to memory of 1684	1188	mscorsvw.exe	41
PID 1188 wrote to memory of 1684	1188	mscorsvw.exe	41
PID 1188 wrote to memory of 2120	1188	mscorsvw.exe	47
PID 1188 wrote to memory of 2120	1188	mscorsvw.exe	47
PID 1188 wrote to memory of 2120	1188	mscorsvw.exe	47
PID 1188 wrote to memory of 2120	1188	mscorsvw.exe	47
PID 1188 wrote to memory of 2760	1188	mscorsvw.exe	48
PID 1188 wrote to memory of 2760	1188	mscorsvw.exe	48
PID 1188 wrote to memory of 2760	1188	mscorsvw.exe	48
PID 1188 wrote to memory of 2760	1188	mscorsvw.exe	48
PID 1188 wrote to memory of 1304	1188	mscorsvw.exe	49
PID 1188 wrote to memory of 1304	1188	mscorsvw.exe	49
PID 1188 wrote to memory of 1304	1188	mscorsvw.exe	49
PID 1188 wrote to memory of 1304	1188	mscorsvw.exe	49
PID 1188 wrote to memory of 2124	1188	mscorsvw.exe	50
PID 1188 wrote to memory of 2124	1188	mscorsvw.exe	50
PID 1188 wrote to memory of 2124	1188	mscorsvw.exe	50
PID 1188 wrote to memory of 2124	1188	mscorsvw.exe	50
PID 1188 wrote to memory of 1748	1188	mscorsvw.exe	51
PID 1188 wrote to memory of 1748	1188	mscorsvw.exe	51
PID 1188 wrote to memory of 1748	1188	mscorsvw.exe	51
PID 1188 wrote to memory of 1748	1188	mscorsvw.exe	51
PID 1188 wrote to memory of 3036	1188	mscorsvw.exe	52
PID 1188 wrote to memory of 3036	1188	mscorsvw.exe	52
PID 1188 wrote to memory of 3036	1188	mscorsvw.exe	52
PID 1188 wrote to memory of 3036	1188	mscorsvw.exe	52
PID 1188 wrote to memory of 2348	1188	mscorsvw.exe	53
PID 1188 wrote to memory of 2348	1188	mscorsvw.exe	53
PID 1188 wrote to memory of 2348	1188	mscorsvw.exe	53
PID 1188 wrote to memory of 2348	1188	mscorsvw.exe	53
PID 1188 wrote to memory of 2560	1188	mscorsvw.exe	54
PID 1188 wrote to memory of 2560	1188	mscorsvw.exe	54
PID 1188 wrote to memory of 2560	1188	mscorsvw.exe	54
PID 1188 wrote to memory of 2560	1188	mscorsvw.exe	54
PID 1188 wrote to memory of 2976	1188	mscorsvw.exe	57
PID 1188 wrote to memory of 2976	1188	mscorsvw.exe	57
PID 1188 wrote to memory of 2976	1188	mscorsvw.exe	57
PID 1188 wrote to memory of 2976	1188	mscorsvw.exe	57
PID 1188 wrote to memory of 2972	1188	mscorsvw.exe	58
PID 1188 wrote to memory of 2972	1188	mscorsvw.exe	58
PID 1188 wrote to memory of 2972	1188	mscorsvw.exe	58
PID 1188 wrote to memory of 2972	1188	mscorsvw.exe	58
PID 1188 wrote to memory of 2180	1188	mscorsvw.exe	59
PID 1188 wrote to memory of 2180	1188	mscorsvw.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a67bd7b710680b7fdb62fa156c77fabfd71b6344ea9e9238c0057622a2ca1ced.exe
"C:\Users\Admin\AppData\Local\Temp\a67bd7b710680b7fdb62fa156c77fabfd71b6344ea9e9238c0057622a2ca1ced.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2532

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2300

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 244 -NGENProcess 248 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 244 -NGENProcess 1d0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 260 -NGENProcess 248 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 1d4 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 254 -NGENProcess 244 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 250 -NGENProcess 1d4 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 26c -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 274 -NGENProcess 244 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 268 -NGENProcess 25c -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 250 -NGENProcess 258 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 250 -NGENProcess 268 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 284 -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 26c -NGENProcess 25c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 25c -NGENProcess 1d0 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 28c -NGENProcess 274 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 268 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 294 -NGENProcess 1d0 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 274 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 1d0 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 274 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1976

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 230 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 1dc -NGENProcess 200 -Pipe 1b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 250 -NGENProcess 1d4 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 234 -NGENProcess 258 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 25c -NGENProcess 1d4 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 200 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 240 -NGENProcess 200 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1d4 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 26c -NGENProcess 250 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 274 -NGENProcess 240 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1d4 -NGENProcess 278 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1a8 -NGENProcess 27c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 240 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1a8 -NGENProcess 284 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1d4 -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 28c -NGENProcess 284 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1d4 -NGENProcess 268 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 294 -NGENProcess 298 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 290 -NGENProcess 1a8 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 268 -NGENProcess 29c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 298 -NGENProcess 2a0 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 1d4 -NGENProcess 29c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1196
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 29c -NGENProcess 284 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a4 -NGENProcess 2ac -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2460
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2ac -NGENProcess 290 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2b4 -NGENProcess 1a8 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 2b8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:1172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b0 -NGENProcess 2bc -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2bc -NGENProcess 1a8 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:2728
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2c4 -NGENProcess 2a4 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b0 -NGENProcess 2c8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b4 -NGENProcess 2cc -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 2d0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:2316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2d4 -NGENProcess 2cc -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2cc -NGENProcess 2a0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:2852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 298 -NGENProcess 2e0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2e0 -NGENProcess 2d0 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 290 -NGENProcess 2e8 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:1468
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2cc -NGENProcess 2ec -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:1668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2d0 -NGENProcess 2a4 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2e8 -NGENProcess 2f0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2ec -NGENProcess 2f4 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2a4 -NGENProcess 2f8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2f0 -NGENProcess 2fc -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:2168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2cc -NGENProcess 2f8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2f8 -NGENProcess 2c8 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:1848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2f8 -NGENProcess 2cc -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 310 -NGENProcess 2f8 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:2920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2fc -NGENProcess 2c8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:1832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2f0 -NGENProcess 314 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 304 -NGENProcess 318 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 31c -NGENProcess 314 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2fc -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 304 -NGENProcess 328 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 318 -NGENProcess 2f0 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2fc -NGENProcess 32c -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 328 -NGENProcess 330 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:1800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 2f0 -NGENProcess 334 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:1148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2e8 -NGENProcess 330 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2420
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 320 -NGENProcess 33c -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 328 -NGENProcess 340 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:1508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 330 -NGENProcess 344 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:1788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 2fc -NGENProcess 340 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 2c8 -NGENProcess 34c -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:3048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 340 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 348 -NGENProcess 354 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:2664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 2fc -NGENProcess 358 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 35c -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:1816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 360 -NGENProcess 358 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 354 -NGENProcess 358 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 2fc -NGENProcess 364 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 36c -NGENProcess 360 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 354 -NGENProcess 370 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 374 -NGENProcess 360 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:1792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 33c -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 370 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:1564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 37c -NGENProcess 378 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:1492
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 384 -NGENProcess 370 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 35c -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 378 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 370 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:2676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 388 -NGENProcess 398 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2456
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 388 -NGENProcess 394 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3a0 -NGENProcess 388 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:2464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 384 -NGENProcess 33c -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:2484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 3a4 -NGENProcess 388 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 378 -NGENProcess 3a8 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 348 -NGENProcess 3ac -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:3044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 3b0 -NGENProcess 3a8 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 3a0 -NGENProcess 3b4 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:1380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 3a4 -NGENProcess 3b8 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 3a8 -NGENProcess 3bc -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:1868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b4 -NGENProcess 3c0 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2384
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 3b8 -NGENProcess 3c4 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:1604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3bc -NGENProcess 3c8 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:1664

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2296

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:324

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2104

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2240

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:852

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:448

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1624

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
5a295a0ad2fddc0664ef70b3a2f70b21

SHA1
31a3df62692a742199e792ca671beab1d5848053

SHA256
492cfe70412f499eae1906aba5dfbddbfa76c5ab8d6b4e8c0a03f5a02695bb3d

SHA512
fea91dc7c3f5b1e9fde8dfb3fc74a8ef548f5f393ac8197da2d69ae6ec10b02a80126d5cb3afde5c7834867031f0f27314de77204670d755ee82fa2c9c437481

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
121f499f5a0367ccdc037cca9025c19c

SHA1
fcf8bc8f12631b070615197970a26a8b3d906977

SHA256
d650957db4265be06d3adabe7b87a8a3ec1f4cabe6ef3ff569a85c6d5c82ab15

SHA512
7da0ec4a0eaa4156676fbd7ea7f5ce43ecd3673b367052875a877efc48eb750d89868192c6aa2b80eda3a19a51a9822a5303ada68c71b38cfb79135d3202a888

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
b3fb77a3a61262fb03601f76987e1967

SHA1
a385442b8923a584bff5e7bdd31ecbfc3958b6a8

SHA256
ec93b75309e419ad8e4f73343dbdb8b00f3bad1942e9e6c0db690eef78e705ee

SHA512
f5fae0230a49b3efe0288947939322688dfc237ba13ada6d889536dc2849f6319b828de9ffb2beef5ec12e4212fa2482d45a0310edf347a8aa23b94ec02dcbb5

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
2705369b1440a489f5a85c9fe2fdf893

SHA1
18e4aebafa7071df6ac2b3cb012ca5eda651fbdd

SHA256
e80f7bca406acfe40e3f6698ada853c13d8056eafdca3751d834d5ca575905cb

SHA512
4a66ad48e9397df1ff9e947b1c9de830506609c1d007a56f94c9c302705cfffb101162a1090e21d968de802a68a5fa525df366714f014cd3b3dae05d469d5a2c

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
ef50bb75a20208d193769d33263c3e8d

SHA1
43cf56d8234c06f7d5f005be196fdd4d96ee25c6

SHA256
86ddc9b22823b2cd896090110d36206cc903850060e881068de54c054e73353d

SHA512
30ed4863e4a76a5d8536b1a9edfa6c77412357e2e3ef8dd7ffc3ccb0459e5d54c418cb20c7f313f653f3f77202126f93be16530e92520493ef56b5cbc33181bf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
13.8MB

MD5
c2f78fa4940c1d9bfc70adedf32af525

SHA1
7d51d3ffd78850e554f734d7a23de3ca90a50228

SHA256
a1ad276411cc53431ba1548e35cba6004d9468ba93ebb1d7161229f0f1b6f613

SHA512
679c2c015948edfc08e30d67cd90060bfabbe1b7818ac4a54b68a72a16cf961d0107e1772ffd8b936f35b17254e9d667f00f8e24a0960a94434b31edc6b82522

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
1981e43d6dddebe2c9fcc0fc8cea99e5

SHA1
fcf49584bcdc62d87d75d10c1683791d3545c146

SHA256
2d890665fd96c717d89d940bab565d1c133f5ced308d813bad009bce37a604d3

SHA512
7fedabe5035b74e1d6f0a10fa4aa18a3a7e663a9534cda0d89dc6d871cfbbcd858eb9394d28270e2f8d6fe9b04efadea5e589e3056cca33ee06d15dc82e890d0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.0MB

MD5
c724882d88538c9311fe30ba78b9381c

SHA1
57b6a731d9d9bb1d02148538020d8a3088e9690b

SHA256
a7f4df7c02b864c05b03c3397d03f09e1038aa146620678a2bd934caddf5194a

SHA512
5e2a2b52a5de326544a61c3b35af569a4fe17b1b7ffb0ee117fa701dbedad5072a73f93c60aa3c34265d08128e87d510745e262324235561f72227f0cc6b40a3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
e74684769fc1fc00b5f1531d750038ca

SHA1
0e0202833127aceb20cf9d019dae67bd05a3f426

SHA256
d4ce90ad7227c2c34d4b6842c7edc46c5a5118e353550f7dde79f6730e813c36

SHA512
b9194077d545afe411a8725d9da7197c3771d596b202df94c79fcb40cf1a905d2e8a329d6b4915e96ee10b16eaeeda1245265ba8ac79d9ff9d8f784ee1cd22e2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
f1488be75dcd62193fb12dbf6feaccc9

SHA1
7d6bceea146e340d89ce1900e0deb200492e80fb

SHA256
9cb7e6aeaf698c24675e5fa052ee96a8777654c23c53660b7d4b38c7665a93e4

SHA512
b4f2d6613e65397cf25cdfb1537e2cbb4f3eb040937e4fbfe8020e6605e2cdcdfd17a3b1f8e2f485a28dcc85c164c7292e32993eb8a5627df679a7b5a6d5ee44

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
583KB

MD5
75af79245a8bbcc4d2c0f0d2afc309f6

SHA1
eb0a48fcc7e617671fb64434b140531e13378bb7

SHA256
436714639d1f98d74316b796548194c95167b29917edb41f04a926d749aa376c

SHA512
619e40931cc23c9a3e2fba7eca5ebec857a19decea3df5fdb0d4c0d2091ac97d588791b85447a8c264bf599cc7c99ecf5dc0ff3361cad4d5576009d9defaac42

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
1.7MB

MD5
411b0422b028a9fdcc2067db8c9ec03d

SHA1
6adaf2b567400b724000bb20c7bdc73828259632

SHA256
2fdbfb89c048db3e51ad7438e145aa679b6013d27ff80966bc6b1d596888ff41

SHA512
f557bd56ed8a403076ee9aec5eb05e491ddca6a2ea515d300dbbc912f455c6c1e1f73b17aed4a1215f2800825b75294bf5bedabfee3759f5a82f9356d535e911

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
3ff32a4cc470e9547ea9e3ea626524d0

SHA1
c163572c05916ce8b82e4a0e40b03bff41d17911

SHA256
3bc5b4aa63b0e0a945499ae4b8f17620ebd7e58761cd775ac89bf0f5c21b1a33

SHA512
995d82bcccf2d87acc575853c9e5698783dc6ee0923543d3ca791d335cfad9a49e33954da226443e3b39cf86067e4916a9a7e42642a2341013d5cdac01fa93b0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
b6bfafbb4451c1e0875c186dcd7bed7d

SHA1
39af20f6b0f0d855c5eba7af81bdbc473eac449c

SHA256
f318f2773d6f8b55859a05f3af50341ca459d184a927573f4e6b10e4c04f3534

SHA512
7c6f2cc8908c3160b5fefa130d7eec317328a567e805d5e08802df04cd8c639c05957b13caa69830f95a921cd644b5cc74576f6984db9f608630642a42109286

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
c6136584279adb2e16e7ccd2d501f64a

SHA1
4e5c7478284f436d27ae901d66ea67ef1b7a8c44

SHA256
3aec9e6f3d8431f2c5b92260fb47f716bd4e9e4c91c9a47f920e1a5aad0561ac

SHA512
77229ceff8666c10a1d9804aa6e630adbb72a1608ad19ec83657c1d35f1a933e45fba3e1c909cd071bd18cdaeae962bca73108ce2ab75713dbdad7b351c93491

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.6MB

MD5
0c92748388f4778fbbe4e2b106c471f2

SHA1
a55331da962ebb52896c2056aaa55067d5d00b66

SHA256
d71b4601e64b3514982babaeb24d7a88d0fafb5111d62c2c27df9a11d83bc65d

SHA512
51e42c77c2ea8d1a67834de9f1055a56deca4b60a8c3cd6f535aa4e43d7d78e22bf009bcea3cb5c1403938f7773bdfc23ac793cd4b2466af64acafc1bd2c6224

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
e615fd86509522aaabbbf30baa42dce4

SHA1
b1d8d1451b926ee3d279ae311efd6b28a3338965

SHA256
188217e8318baf5a57efb03965c21a8e42b1d9311ce42b28c757d7a93725289e

SHA512
b0bcf4d3c1a94376ce108123ed2f8172182c62b8f815404f78ce6496e21bea468f3bef1f9cf6d50f58752f5c87380a370cb4ecbc6d04757131b4bc239a2658f8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
9e5b88c6b576e3f11bbbd6888d26b903

SHA1
84da7de5051c49270452cf4fb08a8cfbe88105a7

SHA256
ef8bd8b09a506926aa96c1940cd412c24be33405359406973e9f7ed8713ee84a

SHA512
f346940c70c3ab7fa8273061a1edd01d7d33b863f9f2ebecd9ada637ab4686ccffa3a5f89015cb2e24e399ac4bd06a6d88a7193d03fee39fe8f0713b501c7848

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
8d5d6325fa6fd308719060a6b0ffb3d7

SHA1
e786ff44bd0aa783456d43a1e12df4f340e8822a

SHA256
34e462d9cdc8d605ba0e8694f42ed721a72f4a246b9051adc4840eeb3d1f373d

SHA512
2c3cd2d315ac187a06c3fdbc0a2aa149aad9ae50ba436b86e4bf2a29f123320915b6d9d131f549662042400c1a2d9c7942b3b4388d5fd33b8267fbb92624c508

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
2d64d995e5aabf42b3224625b6a4f3dc

SHA1
092c89b41ff26c56ca5fdb44022bcf474a3e732f

SHA256
607bb83e195ed6048ecd4d277575db85832b46cd49d5c62c2800d6982efcc262

SHA512
7421a76f87066ed0c6de754caba7bd30c19cd815c22c6057efdae234971f63a42eb14a96fd115fa27c2a414e72bce97e68b16bc2bd97a6a1a08b3536b97e4e92

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
fe797525f955243f5882cadade6d5459

SHA1
5f74260b7765131111017c0515a59df9fdb72795

SHA256
6c5cae464ffd16ce81d868540af838b512779acabfbb1be3f31fff81019329af

SHA512
6de27245928d3f3d47a90ce683b3416783d0ecceda2c9823f2751cb4531fcf77fc90e3ad2adb6bcb3ea4e12d7419c98d8e13f15a6ef5311d90a237949546f8ad

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
ac958295ddbb0cc1e0e10b926d20438e

SHA1
df1103e782c27c4018e90e4bce635a874c10be93

SHA256
0cef2dea205803e070f902b43cb9a86b4c007b9147c1ee5a267670dd3550078e

SHA512
8db9f0b095faef4b2fafc1b827360ecdd42f67ebcca6d674a6e6887579162ff8e5245ba9e9386146345e427dc5493b936fc9ac670bdf38ca3591b3b24e4ccdee

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
9a5979a3eb5fcd4f3696627e9de4d7a7

SHA1
633e1a828bf950af2e2b0dd4aaa9c309c1eae821

SHA256
bdaeef37a61b81186bd686b79bbb102b25730041f90a1fa684b51a9d69bb0207

SHA512
872f6a67f2941a836bd803edc1411f729c49fcf2837d5e959b41a070c02bf1037726c962790924c2813d48acd11a239c4dc83f77789998ffc0b85b06305095cd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
5af3443d50036eeebef9a53c860abe4d

SHA1
fe4bae599e63445451747a6dfa43c8dbe4135856

SHA256
48b2d958040e45e7a5cc6b709a74834c5f401d5e36c65c4fcaa46b689544a8dd

SHA512
4ce085498e35e6e345fc35f58cf8336c14399fdec8dd2ed1bc000b39c61a5aa9ba10c0d370cab3efa3c63a3e434e49a87a04d54c2371f79832f5ae6ad99d2a31

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
512KB

MD5
b9daa472a55d1a5fd29b95df1736270f

SHA1
67400d5d0d51bace3314921f93469b8169015a44

SHA256
ba30b3a65f616998fc9ecc19e561fdb73ce22cb7b72afd8c7950d8ca87421060

SHA512
f900f8e0e0c526fd6f7892e9ee112dc4a8b9844e23f47f27510fcbe98f4f34fccc002fd94e5a2a004434f323e36ff5886a776a730b42654a030168d3b608bc8e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
64KB

MD5
e911ba633288d6a3a62f1b23377319a0

SHA1
30cf14c81cdfb9a2f5c17e4c29f42973d328eb37

SHA256
b34c8e0392c6c874e2fe5c6792a7a9304237949cb50ced06507652099ddfc10d

SHA512
69333d7bfa16f4b6db01b1149fdfe03b065b1bdbe14bed9edc651e187cec204886d038c717b040b79dbb5a0b27ee36f5f6379a0186a531b80ed36b7f49cfc13e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
256KB

MD5
14bdf03d3c0a5a926341a71d9d27ac6a

SHA1
1d63f79385db74fd87d30afa1471facbbddf0ffa

SHA256
a1072f0068e2049472f78eb21d5fbd8125673afbc02ba563a56def02589acceb

SHA512
608165380f788b4cc270783adc28016e5da7e5916229a877d81aa798509bbb2edc6b7b9433397e2d5fe0f1d2aa850d0bb0b4e6a5246a695d725ac1196bb21d59

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
5bb7463e9d7449b583591dae227b0f03

SHA1
d9f7aa5e09d951f141deff21e6b6e24847cf23a8

SHA256
51cc47d9e3d9e975b3e12c55bbec032ec08202c8cba57fb0422874bf50118bd5

SHA512
515b25648bbdc95b341421d5ae64ea040aed32b8a6551c3e6c11c61016fbdbcbeb82db04bffc8585267b6f57412b0efff042584e8a28af409c423f1528a7f680

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\32daa28304160a5a70a8527d59eda038\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
33a6fc9a02d23824dbe92d8f5dbe18ac

SHA1
27dcdf0d2870d17a49cd1e846a45627cae578f98

SHA256
a35add6a262685347790f317ecfeed14372649c6170b0b6bad2d169badefbe51

SHA512
a34e9ab9b2d76b2b24317b63ea2225bb40a2f75de94d6756883ac0090bdc89433d042f02b91155c528c6a75538abcf923390fa3c393db64b3e8d9e9dd8cbb75f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4d33a27b7e66f1b086ccead46d7cf1a2\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
3a623fd43265967a7325a726fb48e092

SHA1
1d2ea75a0b9cec09c8539d26c40ffeee006c2f47

SHA256
d42c931e0975af1e6fbbc9ce62ecebd20a1fe2401796b162531f4f425998367c

SHA512
77150204b60389b586ad11ab975e33fa3ba6ebb178b8896c286bc3bbcd5b9140f6dcaddcc947571e1c6f26db474a998a8449b93130f7281c0c0220c2a7cebb58

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9c63919de812abc2c7ce66b3cbf9fdd5\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
953a5b99001186aebc9ce2b1cc96ee89

SHA1
7fa74bca27915491f847fb2f54b79e2a94ee9a36

SHA256
8464a4692cc2fbdcaff79621aeef6cbb1b820915787175c57bec89af7a2eb1a3

SHA512
e2511e48d4f62cae80e92b4f281c6d16ac5e7572de6d69b1084f0bb42d7440c8f388daaf0c8278c6ae17041c4ff8ba8c7810cfd2eda1736ff1262680ecd38f14

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\cec4b4fcb56768850aee509fe1360f39\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
9b84f97b4726fe9e9ae0bf7ab977bf13

SHA1
1286a35cedcbbb27d1ffb50b4719d1dbfca76611

SHA256
78210b7524e029b2174946925bbe115890c09233450ecec640a7c492324da371

SHA512
4a56fa2f8a4299f2f32f3b09bfb8d3b35f0758eb6408931965d41a1324a1b2ea0ab42323ebba5ff68501686348237942d77b75f1e943d90aff3bad2681269148

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
05b0407ba9e1c7d1b3fa0981ad4624df

SHA1
4d026ec4bfa4e327b5eb1e09970817411a294b8b

SHA256
8281e9022da8871218fbe0b74605c70be30b8ea2052e8794be932ccd9714ea5c

SHA512
e5f05b0dbc9922b85ca4c539885b059257de83a18dad19628ef02e8936fb70c669645fb4f5cd0ef351563aa38a8d766a75a9b08390f7885fd07e92a97a176d1b

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
64KB

MD5
b5f215c999b776ec5fa82dd839b896c6

SHA1
624a97ccc13b35204c78f1a5535d3803ee2840fc

SHA256
4c5be0fe764beae2d900c012bf08c238022512711fd8bf57c6dc9e5d5bf8fce5

SHA512
0122574a745498579d148b1bff2711a8014aeaef2316b95c3bce89c7107f7510e04ef173513c63825c7bf62a0b46ffb9f57540900ebb029927b93db68a2fbde4

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
e238ff556c8ec94d1aabaaeb68f4625c

SHA1
6d9129d61357ef20b15edc004059e62c3ad537a1

SHA256
bd5e4b1a78d68a65ea384deadfa82f278c367b58e4c3aa2b3cf96f73df0e9619

SHA512
b434a956926df735ab7810fa5d4b1f3aa51d87e9cef139579bd2519a6fdf3f771e9dbac3943936b33775f9dc3bd38bcac4936e5359153a5ad6da306a2a17948e

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
68211e64124deafe271869566561e264

SHA1
2cad0ac8d555ab03eda43a4c8b2f68cac02ea5d5

SHA256
a629551a3680a477834db772853a8065cb423872ce57dbbb48a01eab42372b9a

SHA512
1d4c2af4a5a4e3d336e1092de298951613d83ef1efa3ccf16a096bd6222b17c87f29d268f1704ba75d9a5dda80dc56024ff11a1d3b52fb37d177b084f29d502c

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
29ae16ea060cfde451a9a0c3166ae1e8

SHA1
9fe56b071732cd2491498d967f27ab4bfd8a7784

SHA256
10990d0b66c9f669ba3d38ed134b6e33c9e3f0f9c356116810d8cb075e0adaed

SHA512
2ac52510d17be7dd1ada58cd59f063ad9b25ca1e99bb9cbecc24904db88a08ceea10964272ec226169a7032d3bfbe6b409ca7341c57ec665ccd510a128164679

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
896KB

MD5
876dddd94b74062981874f3f3cebadba

SHA1
c6a949fd596156180f9aa9fa9343445ec0f9a22b

SHA256
7cf4559a69f6362f907354e997e9b0e2687a3a4d9ca4ce026c29e80d9832f3f5

SHA512
1329a7cbfd054878130ae85c7278973e6a6904ced83f50c9a41bf1e61ebc313d4e469f96bb8ff08baf09d22b7acf7ff324af6920f0101cd0ea8c5c5426b1ea13

Download Submit
memory/324-177-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/324-173-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/448-399-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/448-393-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/836-142-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/836-1-0x0000000000900000-0x0000000000967000-memory.dmp

Filesize
412KB

Download
memory/836-6-0x0000000000900000-0x0000000000967000-memory.dmp

Filesize
412KB

Download
memory/836-253-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/836-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/852-403-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/852-378-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/852-384-0x0000000001010000-0x0000000001070000-memory.dmp

Filesize
384KB

Download
memory/852-404-0x0000000001010000-0x0000000001070000-memory.dmp

Filesize
384KB

Download
memory/1188-124-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1188-268-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1188-125-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1188-131-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1188-130-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1540-141-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/1540-143-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1540-279-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1540-150-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/1684-340-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1684-348-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1684-352-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/1684-397-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1820-331-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/1820-337-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/1820-325-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1820-376-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1820-390-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/1972-112-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1972-137-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2080-304-0x0000000000AD0000-0x0000000000B37000-memory.dmp

Filesize
412KB

Download
memory/2080-320-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2080-321-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/2080-307-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/2080-299-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2104-354-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2104-360-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/2144-266-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2144-272-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2144-291-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2144-265-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2144-259-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2144-258-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2144-289-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2144-294-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2240-370-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2240-372-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2296-160-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2296-179-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/2296-306-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2296-161-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2296-168-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2296-167-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2296-285-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2296-174-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2296-254-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2300-96-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2300-97-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2300-102-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2300-122-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2400-159-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2400-13-0x0000000000970000-0x00000000009D0000-memory.dmp

Filesize
384KB

Download
memory/2400-12-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2400-34-0x0000000000970000-0x00000000009D0000-memory.dmp

Filesize
384KB

Download
memory/2532-93-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2532-176-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2652-335-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/2652-336-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2652-310-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2652-317-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2652-322-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/2856-292-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2856-295-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2856-274-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2856-293-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2856-284-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2856-281-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2856-270-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download