410b643b3afabfc5e3faa8b0c0b23e327a86ff412db450024eb79ed4cf3b283e

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-03-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc4f93a10c1e554371fab1900c0767b2.exe
Size

672KB
MD5

cc4f93a10c1e554371fab1900c0767b2
SHA1

e6eb72f240aa125c4dea17ef1ede9c8e7e51d7f3
SHA256

410b643b3afabfc5e3faa8b0c0b23e327a86ff412db450024eb79ed4cf3b283e
SHA512

c88fc62b975c689813d1428113b7e67774d51c33fbc605ed6d700a8e4a405a937b116dfe1a215123b7aa52a92a11f8aef735a533f69ef6684e388f99f00c8dfe
SSDEEP

12288:meBNUbTVO86UCHruRdp+WA00SKCpVRwfiXSVUhbxk9e/pJu:mJIUCNd0nKwYKX+UhbW9eM

Score

8^/10

discovery evasion trojan

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 41 IoCs

pid	Process
484	Process not Found
2584	alg.exe
2636	aspnet_state.exe
2420	mscorsvw.exe
2108	mscorsvw.exe
1776	mscorsvw.exe
1524	mscorsvw.exe
1052	mscorsvw.exe
584	mscorsvw.exe
2476	mscorsvw.exe
1628	mscorsvw.exe
1884	mscorsvw.exe
2992	mscorsvw.exe
1764	mscorsvw.exe
3064	mscorsvw.exe
1812	mscorsvw.exe
2944	mscorsvw.exe
2188	mscorsvw.exe
1908	mscorsvw.exe
2600	mscorsvw.exe
2824	mscorsvw.exe
1456	mscorsvw.exe
1776	mscorsvw.exe
2788	mscorsvw.exe
2336	mscorsvw.exe
1704	mscorsvw.exe
448	mscorsvw.exe
3024	mscorsvw.exe
2344	mscorsvw.exe
1292	mscorsvw.exe
2208	mscorsvw.exe
2948	mscorsvw.exe
2616	mscorsvw.exe
2308	mscorsvw.exe
1576	mscorsvw.exe
2708	mscorsvw.exe
1888	mscorsvw.exe
1444	mscorsvw.exe
1556	mscorsvw.exe
3028	mscorsvw.exe
812	mscorsvw.exe

Loads dropped DLL 32 IoCs

pid	Process
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
1764	mscorsvw.exe
1764	mscorsvw.exe
1812	mscorsvw.exe
1812	mscorsvw.exe
2188	mscorsvw.exe
2188	mscorsvw.exe
2600	mscorsvw.exe
2600	mscorsvw.exe
1456	mscorsvw.exe
1456	mscorsvw.exe
2788	mscorsvw.exe
2788	mscorsvw.exe
1704	mscorsvw.exe
1704	mscorsvw.exe
3024	mscorsvw.exe
3024	mscorsvw.exe
1292	mscorsvw.exe
1292	mscorsvw.exe
2948	mscorsvw.exe
2948	mscorsvw.exe
2308	mscorsvw.exe
2308	mscorsvw.exe
2708	mscorsvw.exe
2708	mscorsvw.exe
1444	mscorsvw.exe
1444	mscorsvw.exe
3028	mscorsvw.exe
3028	mscorsvw.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3452737119-3959686427-228443150-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3452737119-3959686427-228443150-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\G:	cc4f93a10c1e554371fab1900c0767b2.exe
File opened (read-only)	\??\H:	cc4f93a10c1e554371fab1900c0767b2.exe
File opened (read-only)	\??\J:	cc4f93a10c1e554371fab1900c0767b2.exe
File opened (read-only)	\??\K:	cc4f93a10c1e554371fab1900c0767b2.exe
File opened (read-only)	\??\M:	cc4f93a10c1e554371fab1900c0767b2.exe
File opened (read-only)	\??\O:	cc4f93a10c1e554371fab1900c0767b2.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\W:	cc4f93a10c1e554371fab1900c0767b2.exe
File opened (read-only)	\??\U:	cc4f93a10c1e554371fab1900c0767b2.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\R:	cc4f93a10c1e554371fab1900c0767b2.exe
File opened (read-only)	\??\S:	cc4f93a10c1e554371fab1900c0767b2.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\L:	cc4f93a10c1e554371fab1900c0767b2.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\E:	cc4f93a10c1e554371fab1900c0767b2.exe
File opened (read-only)	\??\I:	cc4f93a10c1e554371fab1900c0767b2.exe
File opened (read-only)	\??\V:	cc4f93a10c1e554371fab1900c0767b2.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\N:	cc4f93a10c1e554371fab1900c0767b2.exe
File opened (read-only)	\??\P:	cc4f93a10c1e554371fab1900c0767b2.exe
File opened (read-only)	\??\Y:	cc4f93a10c1e554371fab1900c0767b2.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\X:	cc4f93a10c1e554371fab1900c0767b2.exe
File opened (read-only)	\??\Z:	cc4f93a10c1e554371fab1900c0767b2.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\Q:	cc4f93a10c1e554371fab1900c0767b2.exe
File opened (read-only)	\??\T:	cc4f93a10c1e554371fab1900c0767b2.exe
File opened (read-only)	\??\Q:	alg.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File created	\??\c:\windows\system32\kejhkmfd.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	\??\c:\windows\system32\hnandofb.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File created	\??\c:\windows\system32\wbem\khknhnad.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	\??\c:\windows\system32\idolnjco.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File created	\??\c:\windows\system32\hllglnai.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File created	\??\c:\windows\system32\knhhnjmd.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\alg.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	alg.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File created	\??\c:\windows\syswow64\bphknfaf.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vds.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	\??\c:\windows\system32\kphbmbde.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	\??\c:\windows\system32\hbfphdfo.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	\??\c:\windows\system32\cecnfgcp.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File created	\??\c:\windows\system32\pmhlgima.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	\??\c:\windows\system32\ddobdepg.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File created	\??\c:\windows\system32\cokkghde.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File created	\??\c:\windows\system32\jmmijkhc.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\windows\system32\locator.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	\??\c:\windows\system32\keamapie.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Program Files\Google\Chrome\Application\elidehmc.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\acfgohqg.tmp	alg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Program Files\7-Zip\mgecidfd.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nnbpngba.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\kgacdccg.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\jmofaklb.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Program Files\Internet Explorer\hfoijjjp.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	alg.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Program Files\7-Zip\hlepeenn.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\clmaedbq.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pgildlkb.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\fhfjhegk.tmp	alg.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hhfjjgab.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Program Files\Internet Explorer\dendjgfp.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	alg.exe
File created	\??\c:\program files\windows media player\fngaafhn.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Program Files\7-Zip\cedpmnkl.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\jfjkgccl.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\pijgofaf.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Program Files\DVD Maker\kihlpche.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\obkakffi.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\miqfjfol.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\olemadei.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\lhbjhkab.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\occlljkq.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ddnfppgh.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Program Files\7-Zip\mnmjadqg.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\jkgaipki.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	\??\c:\program files (x86)\microsoft office\office14\aikcnmmh.tmp	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPF7A8.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPEFBC.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPFC0B.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP416.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP14F7.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE9F2.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	cc4f93a10c1e554371fab1900c0767b2.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\lpjphlga.tmp	cc4f93a10c1e554371fab1900c0767b2.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1BEA.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe
2584	alg.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2248	cc4f93a10c1e554371fab1900c0767b2.exe
Token: SeTakeOwnershipPrivilege	2584	alg.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 1052	1524	mscorsvw.exe	34
PID 1524 wrote to memory of 1052	1524	mscorsvw.exe	34
PID 1524 wrote to memory of 1052	1524	mscorsvw.exe	34
PID 1524 wrote to memory of 584	1524	mscorsvw.exe	36
PID 1524 wrote to memory of 584	1524	mscorsvw.exe	36
PID 1524 wrote to memory of 584	1524	mscorsvw.exe	36
PID 1524 wrote to memory of 2476	1524	mscorsvw.exe	39
PID 1524 wrote to memory of 2476	1524	mscorsvw.exe	39
PID 1524 wrote to memory of 2476	1524	mscorsvw.exe	39
PID 1524 wrote to memory of 1628	1524	mscorsvw.exe	40
PID 1524 wrote to memory of 1628	1524	mscorsvw.exe	40
PID 1524 wrote to memory of 1628	1524	mscorsvw.exe	40
PID 1524 wrote to memory of 1884	1524	mscorsvw.exe	41
PID 1524 wrote to memory of 1884	1524	mscorsvw.exe	41
PID 1524 wrote to memory of 1884	1524	mscorsvw.exe	41
PID 1524 wrote to memory of 2992	1524	mscorsvw.exe	42
PID 1524 wrote to memory of 2992	1524	mscorsvw.exe	42
PID 1524 wrote to memory of 2992	1524	mscorsvw.exe	42
PID 1524 wrote to memory of 1764	1524	mscorsvw.exe	43
PID 1524 wrote to memory of 1764	1524	mscorsvw.exe	43
PID 1524 wrote to memory of 1764	1524	mscorsvw.exe	43
PID 1524 wrote to memory of 3064	1524	mscorsvw.exe	44
PID 1524 wrote to memory of 3064	1524	mscorsvw.exe	44
PID 1524 wrote to memory of 3064	1524	mscorsvw.exe	44
PID 1524 wrote to memory of 1812	1524	mscorsvw.exe	45
PID 1524 wrote to memory of 1812	1524	mscorsvw.exe	45
PID 1524 wrote to memory of 1812	1524	mscorsvw.exe	45
PID 1524 wrote to memory of 2944	1524	mscorsvw.exe	46
PID 1524 wrote to memory of 2944	1524	mscorsvw.exe	46
PID 1524 wrote to memory of 2944	1524	mscorsvw.exe	46
PID 1524 wrote to memory of 2188	1524	mscorsvw.exe	47
PID 1524 wrote to memory of 2188	1524	mscorsvw.exe	47
PID 1524 wrote to memory of 2188	1524	mscorsvw.exe	47
PID 1524 wrote to memory of 1908	1524	mscorsvw.exe	48
PID 1524 wrote to memory of 1908	1524	mscorsvw.exe	48
PID 1524 wrote to memory of 1908	1524	mscorsvw.exe	48
PID 1524 wrote to memory of 2600	1524	mscorsvw.exe	49
PID 1524 wrote to memory of 2600	1524	mscorsvw.exe	49
PID 1524 wrote to memory of 2600	1524	mscorsvw.exe	49
PID 1524 wrote to memory of 2824	1524	mscorsvw.exe	50
PID 1524 wrote to memory of 2824	1524	mscorsvw.exe	50
PID 1524 wrote to memory of 2824	1524	mscorsvw.exe	50
PID 1524 wrote to memory of 1456	1524	mscorsvw.exe	51
PID 1524 wrote to memory of 1456	1524	mscorsvw.exe	51
PID 1524 wrote to memory of 1456	1524	mscorsvw.exe	51
PID 1524 wrote to memory of 1776	1524	mscorsvw.exe	52
PID 1524 wrote to memory of 1776	1524	mscorsvw.exe	52
PID 1524 wrote to memory of 1776	1524	mscorsvw.exe	52
PID 1524 wrote to memory of 2788	1524	mscorsvw.exe	53
PID 1524 wrote to memory of 2788	1524	mscorsvw.exe	53
PID 1524 wrote to memory of 2788	1524	mscorsvw.exe	53
PID 1524 wrote to memory of 2336	1524	mscorsvw.exe	54
PID 1524 wrote to memory of 2336	1524	mscorsvw.exe	54
PID 1524 wrote to memory of 2336	1524	mscorsvw.exe	54
PID 1524 wrote to memory of 1704	1524	mscorsvw.exe	55
PID 1524 wrote to memory of 1704	1524	mscorsvw.exe	55
PID 1524 wrote to memory of 1704	1524	mscorsvw.exe	55
PID 1524 wrote to memory of 448	1524	mscorsvw.exe	56
PID 1524 wrote to memory of 448	1524	mscorsvw.exe	56
PID 1524 wrote to memory of 448	1524	mscorsvw.exe	56
PID 1524 wrote to memory of 3024	1524	mscorsvw.exe	57
PID 1524 wrote to memory of 3024	1524	mscorsvw.exe	57
PID 1524 wrote to memory of 3024	1524	mscorsvw.exe	57
PID 1524 wrote to memory of 2344	1524	mscorsvw.exe	58

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\cc4f93a10c1e554371fab1900c0767b2.exe
"C:\Users\Admin\AppData\Local\Temp\cc4f93a10c1e554371fab1900c0767b2.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2584

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2420

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1776

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 17c -InterruptEvent 168 -NGENProcess 16c -Pipe 178 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 168 -NGENProcess 16c -Pipe 17c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 164 -InterruptEvent 1d8 -NGENProcess 18c -Pipe 158 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 22c -NGENProcess 21c -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 21c -NGENProcess 1dc -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 21c -NGENProcess 22c -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 204 -NGENProcess 23c -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 23c -NGENProcess 21c -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 164 -NGENProcess 248 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 164 -InterruptEvent 248 -NGENProcess 220 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 24c -NGENProcess 23c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 23c -NGENProcess 164 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 254 -NGENProcess 220 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 220 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 25c -NGENProcess 164 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1456
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 164 -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 164 -InterruptEvent 264 -NGENProcess 24c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 24c -NGENProcess 25c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 26c -NGENProcess 220 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 220 -NGENProcess 254 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 274 -NGENProcess 25c -Pipe 164 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 25c -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 27c -NGENProcess 254 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1292
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 254 -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 22c -NGENProcess 288 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 288 -NGENProcess 26c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 22c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2308
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 22c -NGENProcess 284 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 294 -NGENProcess 1dc -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 288 -NGENProcess 29c -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 288 -NGENProcess 298 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 298 -NGENProcess 25c -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a4 -NGENProcess 18c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 288 -NGENProcess 2ac -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
534KB

MD5
d988d62f0a834c1f89b6b9565d4b0f07

SHA1
2455bc2ff68f185b455e455fcdaa8d7b4d05f83e

SHA256
e03706ad99620f2d5273a5225bc78feb7a7572b96e49eeb084e209286f925b05

SHA512
a5bda16c620dfde28190d3c47954554518cbd9791072c064b7de7ce2bfc38c22d52103d167dae275876dd2fbae1b9f4762def65874952e4e931e5e33bf43c823

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.4MB

MD5
d2380df55a3bc9684ffda864e6c1433d

SHA1
f1c2a6a06492266be629e4bebadc780b0d587153

SHA256
12b2ab70143264d11a7a845acdda1aa0fc48f1bafd0df667bd56b80e602dcb7b

SHA512
d906ae12462578247dc3599495bdf79bca7d43737a1ecce2b2be9765039ea1e39a36f75f23366749a46169955e10ae439816c981869904567c23bf0301ea51da

Download Submit
C:\Users\Admin\AppData\Local\fpocjicc\cmd.exe

Filesize
732KB

MD5
a577d66c84b4ac9546b4e629bd1b9384

SHA1
4bfab5e689c30e251db9c5591332429768b4af66

SHA256
0406d7d2892cc03e2d248d24f028b3b22fb5701285b2fcf03b9cbfea361abf65

SHA512
e41ca28eb540e1a0ee199f5b89f458b0ab51241baf17b396ee7f7012fbbdd109e29072fc89c0ed6af30eeb27c0da34dc41cee8459d69af1ad0d35d483a078a1e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
a9e22d4b3694df562371b8964a54dd65

SHA1
1ba0bc6552e454ffd9d1773e3ebd561138fbffe8

SHA256
db04090e4242b55aa1b6453ffcd2f0a658d1b74064cf677170852a4c9fd21be9

SHA512
4cd45b52ecc4d384c47d63665bb7b3a766804de2f6bc18387ba1f3945439eaf5ea4b64c643c639de8bf8a35fd09c9c0e97c4dd8980ac8d22b565b954393d3c33

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
431KB

MD5
64ee8c0c879e5f85bbf15277a97c1656

SHA1
07360d9d5f32471647041af55cdca7e5c0f87d14

SHA256
79999010fedb815dd3892f450f42e3af3a81a7d58071156e62ea4a87cc1a4731

SHA512
0678cfbcc3d24435dbf98de5e628cde12b01e72de9c63922d2a03063642c801dcee8aa1ce2b83bae1b24869c81e8f5e8c9b3be8b33be51c5614ed024c68d4866

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
506KB

MD5
9466c7cb6c7709023078db1f36969891

SHA1
4ff76351d7de0db4e8fee6e438269c8e9d4dcc18

SHA256
a763fa1decf8149807178b5993a3ecc33a9bad4c8593ea8bddfe9552b98aa561

SHA512
f46b0279cbe66dcbb03fc7928519b4bc0f0e517e29cac0b3704f7806dbfeb95ef219c77cc6631e4fc2755798c06c9f5a92e3ca9ed4f7e06483ebb87e8a57825b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
10KB

MD5
1bfebe66080ded91149814f9b7f074dc

SHA1
55b640b466710b20b3eac4cf5a6824b767a8b9d2

SHA256
0d8acc782aa4d7c1e871c0f4a63ddac6292af5f101c2257abd1c2e2e76ab7e7e

SHA512
687cd67b434fa131bde7f959b36c09fedf60eb115ddce0925ea92b9d3cc5d77565793b5f4f26dcb799b530b934ef4bb837bf86ea5ceaa4fde5fe63725d52a349

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
453KB

MD5
faeef3a9891e5a3afdf13d0dba0d4007

SHA1
2af83ab97a6098b838f7159ecb4292a280845307

SHA256
c34cb1cc61003fbee5c0f30b7762800b9207da3c9132f5a0639a7ee95d139f83

SHA512
48130c1a248d840f72e8a018c81553964b9f4e835666765c707fb05431fa222cc560057321fa5cda48736a66b74d8ce0c988083b84529d9b4f431617f7b63c64

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
163bc6d70e189b242240ba0bdf592455

SHA1
65a917fbe9b9981cd79481b70494693b6eed0147

SHA256
962ddefac92c956078d8f4c816944a0e276f333e471c17b84b307d0033920ef4

SHA512
7df1f483662276278d829c0b06e0be2b7086c73f4cecad9899982efa70e58af0f59df96641fddbd1ca0b828a2065618b611614678cde2e4fd7b177e28aa41780

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
484KB

MD5
60b420cdcdad511ed902e12f34e086fe

SHA1
f7ed8cf181031e21cf4e59ebd289f525ffe1641a

SHA256
7c35392e5fc89cf0dbadf60cf9497ad740ae0cd38e8b77fb6fda21865256ae73

SHA512
0b06a1a6d83da9fa31959ee5d49281f1f71c33694131a7e11e1f5553279ea22eb63ab3d1058841f36e3e788b8d67f6d2cb0590a7991c2f3d5d7ee41ffe1aaddb

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\be4700408340feed8d5c556943905615\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
a30aff1b1357e29d4224c972ae523f13

SHA1
f8fd4fbb4970c2f66911de4bb57e376ea4913f59

SHA256
ccf9e81c183394f9603b1da3349ffffed1d5f1ae1c83fe452c06cbd3bca604a2

SHA512
6247bb1df0517fcc24d4575a9bc2b40427d245b31dacb4a1b3ec36ed92da1329a8372455380adfbea157c5623ea1c57bf683abe0e78083f43406a5b1100db191

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\e3287d12cfca8a073ccc813a6e1d87f1\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
611d178b2b22d386990471aac246d6e9

SHA1
6f92ea113f832a98d1131c60905c267afc821b75

SHA256
c2aa219bac60cb8c97afa3a874e33a1f0cbe3ef4cc0b44f61e849a2bd975a982

SHA512
2c95deb282fa3d93ff570b0d538a8715760c2d9d91f2dedaaa8097231e8d85dd3ae392c28e76cbc3d81920d7b378ab898b10595b880e796bb2a7fd43ad4c7ac7

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
534KB

MD5
d85c6294121752505080ccd289b0760a

SHA1
abfb906b82aefa6fccebd6eee0c409f2d275e701

SHA256
0d219d4f80b8836a1cb186cf0e414769a447bb30cbffd62a1b7c89f0e9861855

SHA512
c2c43618970c85c654b9b3f5e4556fccf6344999e986684d41fdb02c97ed15138ca20f200b089d188c0c4e74b062223bc3a4d681baedd86e63a4b2c020199abd

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
512KB

MD5
e7eb932abd23f2d211a804b12f0ab5d0

SHA1
6e7993073fcbf330cacfb0fb1ee1af64ca58c999

SHA256
17bf69e0f0828d4d9781bc96c7fc0d4888b832c15492ea6b1254727e7961af32

SHA512
2b38d9cac46901b721a9eb789944ff406290af2bf185646d86b653565548dfa25fb76a793014e21d7afb3732e6d05f98fe90852c33395d072cdc0b7f646de58e

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
613KB

MD5
9bd1e2c41a564daaa37d8f5a61d6c601

SHA1
09a1247aa752c612f1c9d631ea15ad2f67fa4fcb

SHA256
6777552299bb8b3a0045422cc1740d226b30a33145f974a958b72c044bc61fd2

SHA512
cc0f24b2eae31532bd9eb530e77fe2206fe74ab29a61d37251217f0b789357a5d44be3c6bf8364a1135c3e54f866c9f3fbf62d7b50a9e2bf17ff438d2faa3367

Download Submit
\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.0MB

MD5
241a8c875950691bc03798366808f043

SHA1
6db5f620916a80640788b0b86a3220af29c8b058

SHA256
b386c90a05702e97337f4fbf9e85eea9a342f2f12751d5a0c32e4f1473a8b205

SHA512
580186266c7ecd8e7dd3fe4ceed9156f11bfb6277efc06e321a2c06d0210df0393565232cae1c34b0e52b7a4215b1cec7a7c0f730e40a88e3c22156ddabc8f42

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
480KB

MD5
4f7ae6ba1ddfd7291e7c01c8e9dce855

SHA1
97e65e3ab77c46b6e952011d54404294843674e0

SHA256
a385c0c40d8437db457c670856042a2e5f1ef3a798dd5eda1857e0bdefc75efb

SHA512
002acc9698735051e4d7b782068b0da6d08c92fbcf889a0772cad5c03cec5dd97c76f57701ef64a7031ade65a451ef531b29acb0995a74a3b322ffc065e727dc

Download Submit
\Windows\System32\alg.exe

Filesize
472KB

MD5
0e0c0b800d3d57752d696af51142f21e

SHA1
290627d26725b4eb7e3f9286072cf69573981d68

SHA256
fe9bf6590db8b337738468daba72bf807e1ccb23448df50e1fa4368666a19f33

SHA512
a6f852b4e2c52aa74e09bfef751f821d12ddccfd9c8c92d6c555ca1048007e9006a2955537ba5a7cca6fbf256c93485c40baf09b62b598045cb77bd5e319d240

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP416.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB66.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE447.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE9F2.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPEFBC.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPF3D1.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPF7A8.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPFFD2.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
memory/584-153-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/584-154-0x000000013FEA0000-0x000000013FF77000-memory.dmp

Filesize
860KB

Download
memory/584-143-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/584-135-0x000000013FEA0000-0x000000013FF77000-memory.dmp

Filesize
860KB

Download
memory/584-136-0x000000013FEA0000-0x000000013FF77000-memory.dmp

Filesize
860KB

Download
memory/1052-141-0x000000013FEA0000-0x000000013FF77000-memory.dmp

Filesize
860KB

Download
memory/1052-133-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/1052-142-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/1052-117-0x000000013FEA0000-0x000000013FF77000-memory.dmp

Filesize
860KB

Download
memory/1052-115-0x000000013FEA0000-0x000000013FF77000-memory.dmp

Filesize
860KB

Download
memory/1524-175-0x000000013FEA0000-0x000000013FF77000-memory.dmp

Filesize
860KB

Download
memory/1524-72-0x000000013FEA0000-0x000000013FF77000-memory.dmp

Filesize
860KB

Download
memory/1524-71-0x000000013FEA0000-0x000000013FF77000-memory.dmp

Filesize
860KB

Download
memory/1628-277-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/1628-280-0x000000013FEA0000-0x000000013FF77000-memory.dmp

Filesize
860KB

Download
memory/1628-274-0x000000013FEA0000-0x000000013FF77000-memory.dmp

Filesize
860KB

Download
memory/1628-275-0x000000013FEA0000-0x000000013FF77000-memory.dmp

Filesize
860KB

Download
memory/1628-276-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp

Filesize
9.6MB

Download
memory/1628-278-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp

Filesize
9.6MB

Download
memory/1628-282-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp

Filesize
9.6MB

Download
memory/1764-307-0x000000013FEA0000-0x000000013FF77000-memory.dmp

Filesize
860KB

Download
memory/1764-311-0x0000000000440000-0x00000000004C0000-memory.dmp

Filesize
512KB

Download
memory/1764-312-0x000007FEF46A0000-0x000007FEF503D000-memory.dmp

Filesize
9.6MB

Download
memory/1764-310-0x000007FEF46A0000-0x000007FEF503D000-memory.dmp

Filesize
9.6MB

Download
memory/1764-309-0x0000000000430000-0x000000000043E000-memory.dmp

Filesize
56KB

Download
memory/1764-305-0x000000013FEA0000-0x000000013FF77000-memory.dmp

Filesize
860KB

Download
memory/1884-283-0x000000013FEA0000-0x000000013FF77000-memory.dmp

Filesize
860KB

Download
memory/1884-285-0x0000000002B70000-0x0000000002BF0000-memory.dmp

Filesize
512KB

Download
memory/1884-286-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp

Filesize
9.6MB

Download
memory/1884-284-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp

Filesize
9.6MB

Download
memory/1884-288-0x000000013FEA0000-0x000000013FF77000-memory.dmp

Filesize
860KB

Download
memory/1884-289-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp

Filesize
9.6MB

Download
memory/1884-281-0x000000013FEA0000-0x000000013FF77000-memory.dmp

Filesize
860KB

Download
memory/2108-49-0x0000000010000000-0x00000000100D1000-memory.dmp

Filesize
836KB

Download
memory/2108-57-0x0000000010000000-0x00000000100D1000-memory.dmp

Filesize
836KB

Download
memory/2108-50-0x0000000010000000-0x00000000100D1000-memory.dmp

Filesize
836KB

Download
memory/2248-32-0x000000013F260000-0x000000013F360000-memory.dmp

Filesize
1024KB

Download
memory/2248-1-0x000000013F260000-0x000000013F360000-memory.dmp

Filesize
1024KB

Download
memory/2248-0-0x000000013F260000-0x000000013F360000-memory.dmp

Filesize
1024KB

Download
memory/2248-3-0x000000013F260000-0x000000013F360000-memory.dmp

Filesize
1024KB

Download
memory/2420-34-0x0000000010000000-0x00000000100A4000-memory.dmp

Filesize
656KB

Download
memory/2420-41-0x0000000010000000-0x00000000100A4000-memory.dmp

Filesize
656KB

Download
memory/2420-33-0x0000000010000000-0x00000000100A4000-memory.dmp

Filesize
656KB

Download
memory/2476-270-0x000000013FEA0000-0x000000013FF77000-memory.dmp

Filesize
860KB

Download
memory/2476-273-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp

Filesize
9.6MB

Download
memory/2476-269-0x000000013FEA0000-0x000000013FF77000-memory.dmp

Filesize
860KB

Download
memory/2476-272-0x000000013FEA0000-0x000000013FF77000-memory.dmp

Filesize
860KB

Download
memory/2584-17-0x00000000FF4D0000-0x00000000FF59D000-memory.dmp

Filesize
820KB

Download
memory/2584-18-0x00000000FF4D0000-0x00000000FF59D000-memory.dmp

Filesize
820KB

Download
memory/2584-58-0x00000000FF4D0000-0x00000000FF59D000-memory.dmp

Filesize
820KB

Download
memory/2584-111-0x00000000FF4D0000-0x00000000FF59D000-memory.dmp

Filesize
820KB

Download
memory/2584-116-0x00000000FF4D0000-0x00000000FF59D000-memory.dmp

Filesize
820KB

Download
memory/2636-25-0x000000013F100000-0x000000013F1C6000-memory.dmp

Filesize
792KB

Download
memory/2636-26-0x000000013F100000-0x000000013F1C6000-memory.dmp

Filesize
792KB

Download
memory/2636-132-0x000000013F100000-0x000000013F1C6000-memory.dmp

Filesize
792KB

Download
memory/2992-299-0x00000000003B0000-0x00000000003BE000-memory.dmp

Filesize
56KB

Download
memory/2992-290-0x000000013FEA0000-0x000000013FF77000-memory.dmp

Filesize
860KB

Download
memory/2992-291-0x000000013FEA0000-0x000000013FF77000-memory.dmp

Filesize
860KB

Download
memory/2992-292-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp

Filesize
9.6MB

Download
memory/2992-297-0x0000000003680000-0x0000000003700000-memory.dmp

Filesize
512KB

Download
memory/2992-298-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp

Filesize
9.6MB

Download
memory/2992-304-0x000000013FEA0000-0x000000013FF77000-memory.dmp

Filesize
860KB

Download
memory/2992-300-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2992-301-0x0000000000420000-0x0000000000468000-memory.dmp

Filesize
288KB

Download
memory/2992-302-0x0000000000470000-0x0000000000486000-memory.dmp

Filesize
88KB

Download
memory/2992-306-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp

Filesize
9.6MB

Download