6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
Size

1.8MB
MD5

4fb5675734d0fc9df83a478873acdb72
SHA1

07a28ec3a1ba3e49dca2307b8d1d9558366ed973
SHA256

6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be
SHA512

227814629df387e1ce862de7e9b17f2056ed931a07246322167b65d217080468e5d32afdd5870995ca0a448c0d90816348c29a7fe21677d80667ab54a59e822d
SSDEEP

49152:Hx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAfisGcnlQHPxi:HvbjVkjjCAzJknlS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
480	Process not Found
2976	alg.exe
2676	aspnet_state.exe
3016	mscorsvw.exe
1904	mscorsvw.exe
1932	mscorsvw.exe
2932	mscorsvw.exe
1720	ehRecvr.exe
2248	ehsched.exe
1728	elevation_service.exe
1488	IEEtwCollector.exe
1160	GROOVE.EXE
1516	maintenanceservice.exe
880	msdtc.exe
2904	msiexec.exe
2252	OSE.EXE
2848	OSPPSVC.EXE
2452	perfhost.exe
1936	locator.exe
1924	snmptrap.exe
2804	vds.exe
2336	vssvc.exe
848	wbengine.exe
2968	WmiApSrv.exe
1768	wmpnetwk.exe
552	SearchIndexer.exe
584	dllhost.exe
3040	mscorsvw.exe
2756	mscorsvw.exe
2488	mscorsvw.exe
2316	mscorsvw.exe
3020	mscorsvw.exe
288	mscorsvw.exe
1016	mscorsvw.exe
2472	mscorsvw.exe
1184	mscorsvw.exe
2024	mscorsvw.exe
268	mscorsvw.exe
1080	mscorsvw.exe
2560	mscorsvw.exe
1676	mscorsvw.exe
936	mscorsvw.exe
884	mscorsvw.exe
2504	mscorsvw.exe
1712	mscorsvw.exe
2484	mscorsvw.exe
936	mscorsvw.exe
2912	mscorsvw.exe
1604	mscorsvw.exe
1016	mscorsvw.exe
3020	mscorsvw.exe
2924	mscorsvw.exe
1204	mscorsvw.exe
1440	mscorsvw.exe
2544	mscorsvw.exe
2772	mscorsvw.exe
1132	mscorsvw.exe
2864	mscorsvw.exe
2972	mscorsvw.exe
2504	mscorsvw.exe
2296	mscorsvw.exe
2188	mscorsvw.exe
2772	mscorsvw.exe
1412	mscorsvw.exe

Loads dropped DLL 51 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2904	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
752	Process not Found
480	Process not Found
1132	mscorsvw.exe
1132	mscorsvw.exe
2972	mscorsvw.exe
2972	mscorsvw.exe
2296	mscorsvw.exe
2296	mscorsvw.exe
2772	mscorsvw.exe
2772	mscorsvw.exe
2864	mscorsvw.exe
2864	mscorsvw.exe
1740	mscorsvw.exe
1740	mscorsvw.exe
1020	mscorsvw.exe
1020	mscorsvw.exe
2772	mscorsvw.exe
2772	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe
2348	mscorsvw.exe
2348	mscorsvw.exe
2736	mscorsvw.exe
2736	mscorsvw.exe
2716	mscorsvw.exe
2716	mscorsvw.exe
2212	mscorsvw.exe
2212	mscorsvw.exe
2224	mscorsvw.exe
2224	mscorsvw.exe
2824	mscorsvw.exe
2824	mscorsvw.exe
2568	mscorsvw.exe
2568	mscorsvw.exe
3032	mscorsvw.exe
3032	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File opened for modification	C:\Windows\System32\msdtc.exe	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\vds.exe	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File opened for modification	C:\Windows\system32\vssvc.exe	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File opened for modification	C:\Windows\system32\wbengine.exe	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File opened for modification	C:\Windows\system32\dllhost.exe	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\4ab1358156fe8faa.bin	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File opened for modification	C:\Windows\system32\msiexec.exe	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1D5.tmp\goopdateres_en.dll	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1D5.tmp\goopdateres_mr.dll	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1D5.tmp\GoogleUpdateOnDemand.exe	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1D5.tmp\goopdateres_de.dll	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1D5.tmp\goopdateres_iw.dll	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1D5.tmp\GoogleUpdateBroker.exe	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1D5.tmp\goopdateres_zh-CN.dll	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9C01.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3E4B0DB6-E6F3-42DE-AFFC-B3107D310191}.crmlog	dllhost.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8C96.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP899A.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9914.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9F2C.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP167D.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8F45.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP10D2.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9453.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591 = "Windows Easy Transfer Reports"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-101 = "Chrysanthemum"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SNTSearch.dll,-504 = "Create short handwritten or text notes."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\odbcint.dll,-1310 = "Data Sources (ODBC)"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\ShapeCollector.exe,-299 = "Provide writing samples to help improve the recognition of your handwriting."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10021 = "Performance Monitor"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10302 = "Compete with - and against - online opponents at the classic trick-taking, partnership card game of Spades. Score the most points to win."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msinfo32.exe,-100 = "System Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
884	ehRec.exe
1728	elevation_service.exe
1728	elevation_service.exe
1728	elevation_service.exe
1728	elevation_service.exe
1728	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2352	6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: 33	952	EhTray.exe
Token: SeIncBasePriorityPrivilege	952	EhTray.exe
Token: SeDebugPrivilege	884	ehRec.exe
Token: SeRestorePrivilege	2904	msiexec.exe
Token: SeTakeOwnershipPrivilege	2904	msiexec.exe
Token: SeSecurityPrivilege	2904	msiexec.exe
Token: 33	952	EhTray.exe
Token: SeIncBasePriorityPrivilege	952	EhTray.exe
Token: SeBackupPrivilege	2336	vssvc.exe
Token: SeRestorePrivilege	2336	vssvc.exe
Token: SeAuditPrivilege	2336	vssvc.exe
Token: SeBackupPrivilege	848	wbengine.exe
Token: SeRestorePrivilege	848	wbengine.exe
Token: SeSecurityPrivilege	848	wbengine.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: 33	1768	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1768	wmpnetwk.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeManageVolumePrivilege	552	SearchIndexer.exe
Token: 33	552	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	552	SearchIndexer.exe
Token: SeDebugPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeDebugPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
952	EhTray.exe
952	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
952	EhTray.exe
952	EhTray.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
2584	SearchProtocolHost.exe
2584	SearchProtocolHost.exe
2584	SearchProtocolHost.exe
2584	SearchProtocolHost.exe
2584	SearchProtocolHost.exe
1040	SearchProtocolHost.exe
1040	SearchProtocolHost.exe
1040	SearchProtocolHost.exe
1040	SearchProtocolHost.exe
1040	SearchProtocolHost.exe
1040	SearchProtocolHost.exe
1040	SearchProtocolHost.exe
1040	SearchProtocolHost.exe
1040	SearchProtocolHost.exe
1040	SearchProtocolHost.exe
1040	SearchProtocolHost.exe
1040	SearchProtocolHost.exe
1040	SearchProtocolHost.exe
1040	SearchProtocolHost.exe
1040	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 3040	1932	mscorsvw.exe	57
PID 1932 wrote to memory of 3040	1932	mscorsvw.exe	57
PID 1932 wrote to memory of 3040	1932	mscorsvw.exe	57
PID 1932 wrote to memory of 3040	1932	mscorsvw.exe	57
PID 552 wrote to memory of 2584	552	SearchIndexer.exe	58
PID 552 wrote to memory of 2584	552	SearchIndexer.exe	58
PID 552 wrote to memory of 2584	552	SearchIndexer.exe	58
PID 552 wrote to memory of 2292	552	SearchIndexer.exe	59
PID 552 wrote to memory of 2292	552	SearchIndexer.exe	59
PID 552 wrote to memory of 2292	552	SearchIndexer.exe	59
PID 1932 wrote to memory of 2756	1932	mscorsvw.exe	60
PID 1932 wrote to memory of 2756	1932	mscorsvw.exe	60
PID 1932 wrote to memory of 2756	1932	mscorsvw.exe	60
PID 1932 wrote to memory of 2756	1932	mscorsvw.exe	60
PID 1932 wrote to memory of 2488	1932	mscorsvw.exe	61
PID 1932 wrote to memory of 2488	1932	mscorsvw.exe	61
PID 1932 wrote to memory of 2488	1932	mscorsvw.exe	61
PID 1932 wrote to memory of 2488	1932	mscorsvw.exe	61
PID 1932 wrote to memory of 2316	1932	mscorsvw.exe	62
PID 1932 wrote to memory of 2316	1932	mscorsvw.exe	62
PID 1932 wrote to memory of 2316	1932	mscorsvw.exe	62
PID 1932 wrote to memory of 2316	1932	mscorsvw.exe	62
PID 1932 wrote to memory of 3020	1932	mscorsvw.exe	63
PID 1932 wrote to memory of 3020	1932	mscorsvw.exe	63
PID 1932 wrote to memory of 3020	1932	mscorsvw.exe	63
PID 1932 wrote to memory of 3020	1932	mscorsvw.exe	63
PID 1932 wrote to memory of 288	1932	mscorsvw.exe	64
PID 1932 wrote to memory of 288	1932	mscorsvw.exe	64
PID 1932 wrote to memory of 288	1932	mscorsvw.exe	64
PID 1932 wrote to memory of 288	1932	mscorsvw.exe	64
PID 1932 wrote to memory of 1016	1932	mscorsvw.exe	65
PID 1932 wrote to memory of 1016	1932	mscorsvw.exe	65
PID 1932 wrote to memory of 1016	1932	mscorsvw.exe	65
PID 1932 wrote to memory of 1016	1932	mscorsvw.exe	65
PID 552 wrote to memory of 1040	552	SearchIndexer.exe	66
PID 552 wrote to memory of 1040	552	SearchIndexer.exe	66
PID 552 wrote to memory of 1040	552	SearchIndexer.exe	66
PID 1932 wrote to memory of 2472	1932	mscorsvw.exe	67
PID 1932 wrote to memory of 2472	1932	mscorsvw.exe	67
PID 1932 wrote to memory of 2472	1932	mscorsvw.exe	67
PID 1932 wrote to memory of 2472	1932	mscorsvw.exe	67
PID 1932 wrote to memory of 1184	1932	mscorsvw.exe	68
PID 1932 wrote to memory of 1184	1932	mscorsvw.exe	68
PID 1932 wrote to memory of 1184	1932	mscorsvw.exe	68
PID 1932 wrote to memory of 1184	1932	mscorsvw.exe	68
PID 1932 wrote to memory of 2024	1932	mscorsvw.exe	69
PID 1932 wrote to memory of 2024	1932	mscorsvw.exe	69
PID 1932 wrote to memory of 2024	1932	mscorsvw.exe	69
PID 1932 wrote to memory of 2024	1932	mscorsvw.exe	69
PID 1932 wrote to memory of 268	1932	mscorsvw.exe	70
PID 1932 wrote to memory of 268	1932	mscorsvw.exe	70
PID 1932 wrote to memory of 268	1932	mscorsvw.exe	70
PID 1932 wrote to memory of 268	1932	mscorsvw.exe	70
PID 1932 wrote to memory of 1080	1932	mscorsvw.exe	71
PID 1932 wrote to memory of 1080	1932	mscorsvw.exe	71
PID 1932 wrote to memory of 1080	1932	mscorsvw.exe	71
PID 1932 wrote to memory of 1080	1932	mscorsvw.exe	71
PID 1932 wrote to memory of 2560	1932	mscorsvw.exe	72
PID 1932 wrote to memory of 2560	1932	mscorsvw.exe	72
PID 1932 wrote to memory of 2560	1932	mscorsvw.exe	72
PID 1932 wrote to memory of 2560	1932	mscorsvw.exe	72
PID 1932 wrote to memory of 1676	1932	mscorsvw.exe	73
PID 1932 wrote to memory of 1676	1932	mscorsvw.exe	73
PID 1932 wrote to memory of 1676	1932	mscorsvw.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe
"C:\Users\Admin\AppData\Local\Temp\6f2ec0c7a992075a45c64161f0427bb8b1d19d8edaed74b15daecf11a9db26be.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2976

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2676

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3016

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 228 -NGENProcess 250 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2b4 -NGENProcess 2b8 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 228 -NGENProcess 2b8 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 2e0 -NGENProcess 1c4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 308 -NGENProcess 228 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 300 -NGENProcess 1f8 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 2f0 -NGENProcess 334 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 338 -NGENProcess 1f8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 338 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 338 -NGENProcess 350 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 338 -NGENProcess 358 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 358 -NGENProcess 360 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 35c -NGENProcess 368 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 340 -NGENProcess 360 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 340 -NGENProcess 35c -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 374 -NGENProcess 360 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 37c -NGENProcess 374 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 37c -NGENProcess 368 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 37c -NGENProcess 344 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 360 -NGENProcess 368 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 360 -NGENProcess 37c -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 350 -NGENProcess 38c -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 350 -NGENProcess 378 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 30c -NGENProcess 238 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 338 -NGENProcess 278 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 338 -NGENProcess 2a4 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 30c -NGENProcess 2f4 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 358 -NGENProcess 2a4 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 1f8 -NGENProcess 2f8 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 308 -NGENProcess 364 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 304 -NGENProcess 2dc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 168 -NGENProcess 2dc -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 2f4 -NGENProcess 338 -Pipe 168 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 350 -NGENProcess 308 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 308 -NGENProcess 210 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 388 -NGENProcess 25c -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 38c -NGENProcess 25c -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 364 -NGENProcess 25c -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 380 -NGENProcess 2d0 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 398 -NGENProcess 368 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 388 -NGENProcess 39c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 388 -NGENProcess 2dc -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 2dc -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:1764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 350 -NGENProcess 39c -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2f4 -NGENProcess 388 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 3a8 -NGENProcess 39c -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 3a0 -NGENProcess 39c -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 340 -NGENProcess 398 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 210 -NGENProcess 3ac -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:2120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 388 -NGENProcess 3b0 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 398 -NGENProcess 3b4 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 398 -NGENProcess 350 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 350 -NGENProcess 308 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 418 -NGENProcess 3fc -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 308 -NGENProcess 3fc -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 3fc -NGENProcess 410 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 3b8 -NGENProcess 430 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:1108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 33c -NGENProcess 40c -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 40c -NGENProcess 3f8 -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 3f8 -NGENProcess 3b8 -Pipe 420 -Comment "NGen Worker Process"
  2⤵
  PID:1948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 450 -NGENProcess 424 -Pipe 44c -Comment "NGen Worker Process"
  2⤵
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 3f8 -NGENProcess 39c -Pipe 440 -Comment "NGen Worker Process"
  2⤵
  PID:1164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 410 -NGENProcess 438 -Pipe 460 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 46c -NGENProcess 410 -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 410 -NGENProcess 33c -Pipe 450 -Comment "NGen Worker Process"
  2⤵
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 410 -NGENProcess 464 -Pipe 458 -Comment "NGen Worker Process"
  2⤵
  PID:704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 39c -NGENProcess 454 -Pipe 444 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 478 -InterruptEvent 39c -NGENProcess 3b8 -Pipe 438 -Comment "NGen Worker Process"
  2⤵
  PID:740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 470 -NGENProcess 2f4 -Pipe 47c -Comment "NGen Worker Process"
  2⤵
  PID:1080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 454 -NGENProcess 484 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:1948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 3b8 -NGENProcess 48c -Pipe 474 -Comment "NGen Worker Process"
  2⤵
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 3b8 -NGENProcess 2f4 -Pipe 43c -Comment "NGen Worker Process"
  2⤵
  PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 484 -NGENProcess 494 -Pipe 480 -Comment "NGen Worker Process"
  2⤵
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 2f4 -NGENProcess 46c -Pipe 468 -Comment "NGen Worker Process"
  2⤵
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 4a0 -NGENProcess 464 -Pipe 49c -Comment "NGen Worker Process"
  2⤵
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a4 -InterruptEvent 45c -NGENProcess 4a8 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 48c -NGENProcess 4a8 -Pipe 4a4 -Comment "NGen Worker Process"
  2⤵
  PID:812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 494 -InterruptEvent 45c -NGENProcess 490 -Pipe 484 -Comment "NGen Worker Process"
  2⤵
  PID:932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 3b8 -NGENProcess 48c -Pipe 4a8 -Comment "NGen Worker Process"
  2⤵
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 494 -NGENProcess 478 -Pipe 45c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b0 -InterruptEvent 4ac -NGENProcess 488 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4ac -InterruptEvent 454 -NGENProcess 478 -Pipe 464 -Comment "NGen Worker Process"
  2⤵
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b4 -InterruptEvent 4b0 -NGENProcess 4b8 -Pipe 4ac -Comment "NGen Worker Process"
  2⤵
  PID:268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 490 -InterruptEvent 494 -NGENProcess 4bc -Pipe 4b4 -Comment "NGen Worker Process"
  2⤵
  PID:1816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 478 -NGENProcess 4c0 -Pipe 490 -Comment "NGen Worker Process"
  2⤵
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 478 -InterruptEvent 3b8 -NGENProcess 4bc -Pipe 488 -Comment "NGen Worker Process"
  2⤵
  PID:2184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c4 -InterruptEvent 4a0 -NGENProcess 4c8 -Pipe 478 -Comment "NGen Worker Process"
  2⤵
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 454 -NGENProcess 4bc -Pipe 48c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 4cc -NGENProcess 3b8 -Pipe 4b0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4cc -InterruptEvent 4e4 -NGENProcess 4c8 -Pipe 4e0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4ec -InterruptEvent 454 -NGENProcess 4f0 -Pipe 4cc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4ec -InterruptEvent 4f0 -NGENProcess 454 -Pipe 4e8 -Comment "NGen Worker Process"
  2⤵
  PID:1216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f0 -InterruptEvent 4f4 -NGENProcess 4e4 -Pipe 4c4 -Comment "NGen Worker Process"
  2⤵
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f4 -InterruptEvent 500 -NGENProcess 4dc -Pipe 4fc -Comment "NGen Worker Process"
  2⤵
  PID:588

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 228 -NGENProcess 230 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2924

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1720

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2248

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:952

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1728

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1488

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1160

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1516

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:880

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2252

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2848

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2452

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1936

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2968

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3627615824-4061627003-3019543961-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3627615824-4061627003-3019543961-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2584
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  - Modifies data under HKEY_USERS
  PID:2292
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1040

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
3b0ae1b9be0894a93d12c445ca20e4ce

SHA1
27fb7fa9153db697215a3d9e4651d5df0051a952

SHA256
5a5668a7bfd3216fbe2802a74992fb85c6900f74c7520c5e4ececb816fb7a2a4

SHA512
a7cf474d60efdd50c35e7d9279871bb77c0df60ace3546acadc3519168ebdb1042761ff9c650a94e427038eca3fde08b79109314440e89669a97332b6bfd9847

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
ebb004a37f7f2a079cc95198e5a95b26

SHA1
54a228f86e185e1666e57c42f4b5bde274ea9b44

SHA256
86f192e5f4979b69f8f2236aa5e8c2c76483dc48342cc10a8cb0fde238c3a8cc

SHA512
0808e703f38801feeae3fc0682182bfeae0e0c3b0487ed04ad13be3fe917e1e1c7aa4843913475d201b7f86ba50172f20a0017a4926ea727888f593dd1d2e688

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
2ffafd64f12a3e94316938bf88d6b0b8

SHA1
f8ca940c1ca0994424a6a42816ebd3dbbfb61fab

SHA256
1ce69463071f9dc52e4a1cb6463c47c726a5f09647a71f64bc02316bec103ef5

SHA512
e9d72a795cf606ae2c379e972f9ab038844b1c83cae58556d7c4ca57d4489b8a7288ad5bd1760637255f1ed061478298c4fb5b0011833fe2df71276e00ef4c98

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
50d1779cd354f41b5e81d5f60fed1af1

SHA1
d4d7486741f6c7589fa0a7500d538d0bbaea2476

SHA256
64a9f1a5268eaa8cebf668cbff428b0e5246ececa18fd85b4f297d6e5814896b

SHA512
0ee7e2b7adc26baa7b6a887946bb5aef6103116d58bde8d434a2e79b56c41efb5d02fc699b1967338b478081c852fd1ec840403e1077f2a464066b82278b529d

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
626cfdba4ea633100789837cd4fbb47f

SHA1
51d13e8e0369f4aec1e94608113b78f9c3269791

SHA256
aaf5181a20b16b4058bbb4ecc6e9b1a5a6ab52bc4a9018599bd029ec115c1ed4

SHA512
c4b05062cd0db953cef2c8375045fa6cb45b55212dd65904e697149f557c93e03a9c0a6f9909e9c27fecb945c4f5a28a97291d34f70d1bdaf32a6295dd257fd0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
da351ec809ccb5dc5795b3710a93249c

SHA1
9f617b5f32f12f95ba76d3efdc6e50ce36704f4b

SHA256
5af64be81665a7fe5c7f1752acd226aa9a160179b3dc15600d49b32e6293e622

SHA512
bd4465c46d5beb27c1a495473650eee70233f8e568f5b8ba13a04d5eafad05c19926bbbbf7860bffd3fc6c904cde7f0062bab8de4c9b6c86442a0f1051e105d0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
cd4d4f6cb2d166a4dae08a25f9417257

SHA1
e611166583ee62b0e4c7d1963fe056ca5515aa80

SHA256
ea306ed23c83d3db236f1a01050eb950a14e9c99374b58b4ae21d16ca94c98a5

SHA512
4c73833dcb3fed795454f5a2d4d2f08577e4b90c6a8a6b62f043be2e9ed246ceaf782a5e9be4968c02770b50c59a43b595ac2a90dadd0d98bbc69dbcae281a68

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
78ad8be2fc80e00b1c978afff92ed34b

SHA1
050460c1b1fdc384d2025aca22e98def24b350ce

SHA256
82229ccd96c2ba22d75943b537f2f2ae033f82bd6e801112477db04e6b1e20f1

SHA512
44d6f4fc8a64ddaefb1f13bbde141201f4b8a6d7f85e7ef079372bfe0dc6b1fb826373d70e7449e099d3f311d52700a2c0215159cb36e35cecb16ae9516c09ae

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
5deb571f75e78c8acadd11512edc88f2

SHA1
72e81e956fe9a4604f57a2ca571c3fddc358dd7f

SHA256
c44fb8a1c3f38a52f2f7dd11ce4f8eb912343a1bab068cf801225f0a4ad8e643

SHA512
35972e9a53d839e10d55c5541346471728381198a45356593a3bc5ce200152a86100adc99926490407f386be10f2b58c77dfd00a807972a717a1b96138a2aa97

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
85c143875187c8d35aed312454d8edce

SHA1
f6b4392c43268e787fa76b41ea5dc3f0d13f05d6

SHA256
379ca2b13da0e1b29dc8436f0538740f6bc3dbb2e0e96e1bd9e6d9c47358f588

SHA512
250f37ab1744785844eac2ad7f3f2ef9736d2d14cc72a94bfa9f40e77eef54da07003095d97d1acf0b326109c7e87d6355144dabbaf30c323f6386fbb3143d24

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
797286f6bd275073e20ba1d6dfc4ff1d

SHA1
1f889d4ed1188976f33ea15dd44f652dfe1225c0

SHA256
b52c6ee028dffa1497cf118a32b54ab7c9e5b56c774ad2d3799bc7257b9de459

SHA512
6dbd54f0cc16b9fc9dc479a9fc5b00573c1fd29e65cd6c8870794cf0fc5879ee7b05cfe0211fc3bf84d3caa695dd826562e7db1ba08f1b3e978fbdf4ebedbfc8

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.000

Filesize
240B

MD5
7ca2da6f1e7bca562d7d9376700a912f

SHA1
67feaa004013eee76282e3b3fc196279f2577dcb

SHA256
04fd7654331261ff9ec331c31b238ba7770f082abfb817d7881813ec02084a4e

SHA512
4f2f67dee86af03dae15145649f5eb65cd158686381d26005b91aab89f017b692289050f0b1def00f8c2e724aedba4025db0baa6b55f76d402ded8006c48b38d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
27d8deac9f6c31de190f6bbacf9c7ab7

SHA1
137973ba9405ca570949119160de64e52c7d5d27

SHA256
1c4e06ecffbba1f1378a0f966b4b1769e145af793961bb6a3fca09b08a3bff05

SHA512
a1aca163adeca9743746b6a91596caa5785e13a30bc5f6f837e46653a06250633c02f9d082adccba4e46ec6d5c55629f51c49fc03e6b1979bca61548ce0ade54

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
fba43cf7c6091521bf7a4d81241b4e05

SHA1
5f8f9503902ab8ea886aa73ec3c37345b172c794

SHA256
32dcfd0268f64c925beaaf96c3be61c0d6bfca11ec7be17ff8660ffe8a706785

SHA512
f5c3dbfc7a5b83cc991b570d4c14da5494575dff8dd545e701f60f1b5ec618e1c0b97b067441e3ef9279a9463df5f4440091f3b8dac1c217b2cb3c0535061f30

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
8e7a66ec5558ca15de4dead04dc84717

SHA1
3f19c13a443d79d147ab3ffcd7db1768f28c8f0f

SHA256
d7074e2a027c4e58cb786d5cf78a877841815a2d6e8f3d301351905e66521085

SHA512
3687218a6b287ccb6f688a631cc8ee318bba10e9ccb5a1c9e2730ed703bcc06cc9ca2773b56a1119517ad53ea38f4ebadf9732ec79428bd055a4eaad07aa5482

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
8238a58f34d25366e224e0abc7222f65

SHA1
8e7df0a54b26e0a6d82f1a56b95ec28490688575

SHA256
bbc35aff959055d134aba3400778a8c8aa2562924bc97a11217345d945d4cefa

SHA512
0ec3dd429b54fde5ae8fc6b7aea6fc4c5c897726c264c450888e0b2e73d821df23fca496048b1919d7bf83a4de77fdef951eb470dccb3ad62bb14c2b78adbbbc

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
7dd51f4854a17a1dfb689c96c24edc15

SHA1
3e451b2e16890e07a0a8531f002d7cc9154710e6

SHA256
cdec887de34453bf9f0e5d7d156585423c3f3d49887084cb2330e384f6caa4e9

SHA512
41b916494c35af9a6caf7d1099e663f580cf5e4c291eb7c5bffca08b645f655a1d4a7c95d01f0c6c2947f7d4bfb986700e91253ebdfcfc75112a5cdc44d0b375

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
960ce66292dd280257ec56af50740583

SHA1
0aea55884f9d730c727b6dea55229cf2bbf179d4

SHA256
1cbdd36c70b460d30ac2849ebb4d300491f5f62dfd8501b23d3a54d93cd61bad

SHA512
a72b8b6301c3e0c15e64d0bb6f275a8a20029566fc49e2532f6cdc0926e66ed71b328d6cc6c054be28dccfdb57de477df4b62c9981912cc4b4eea44f96b9edfc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
7f4975cbb714d48721f651a82d16bdc8

SHA1
c8a6179fea76d07b7ba13a845acd08c3254e53bc

SHA256
a7a472606e15bee509fae7b0d6cd1883d327f2c1afc56af178e7b7b0eda18383

SHA512
d9007faa8a62079e3f0160308eefd7b9afcd4b175bb5c84f49cc6d22aec387c080905d46dfa5d64bb45963a2624470e185e78845c14f3b5bcda90f99d111c786

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\4ab1358156fe8faa.bin

Filesize
12KB

MD5
769531a129026705c13341654f8d6b72

SHA1
720cc7a7647cac873b98b6efa01e4a95538dc495

SHA256
4cbadf9bea6fb823a6a796f5116fce5cc8a54f222ddb98612f78f2b12ce3cc8f

SHA512
47afda09f0fac1357fdb141803618edf54f35cfe3bb7bcfd2b056e0c4252f97cff62ef1767cb799b7ad3ca127473340cb1c9d0f4e864f52f934dcf2c3542f798

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
001fd860543319844ef73ee59edacfe0

SHA1
91fa1c26352740afe7c6924197065dc3e0243e4b

SHA256
eaff5c93e48f7fc405c7ba56caad11b11644f1d3f7e2bde0865b477a50d3f664

SHA512
b9c76ff51efeccd51bffcac50ae1aa249d9e03b1ef8f50391e74db95f73a49fa7c9b04b0a4fb8b5261e345554ea1c2be767f29d68e71bb96ba795002c8b34721

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
f47c04b1cfcd6100d95cbb9edaad053d

SHA1
609e64b0ffe4f65a6267575a25865cf36357a7a4

SHA256
17bde2c268620744a656b4581061eb5b85c67dd4b646951ee06805006bfb4fb5

SHA512
6c6f4118045f4369aed77ebadd7c70f0917e7ff29a87c53083b3202098f999ab7b555cb46b33d27eab1f5563187cb50336c9ceef1bc47912125af1d184bb75d1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
7dee33c05c56dd056ed633f21eb87d62

SHA1
bfb649f07bafca5b4a8e2a566287573dda542182

SHA256
cbd68f396306751e5bbf91b913fdd808d79999a5f02b88fe0f41b232b4a4a1ed

SHA512
8b857b36dba14d4d1c8f9c15c66ec73e135cab32b213457a19637d821ab00ff1d4765ca2285fcc555c5d9edafa308902c025a982d15ab4ece4811fd1c0007ad6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
6d6fdcf5964b23a3030514f8ccc337d2

SHA1
6647bc7e957432c23f2b93f43a5c82189c3eb574

SHA256
c7b45e281d67863b586ddd6fd2d80a385e9ce4443783ae60c9add53a689f27e0

SHA512
4ea959b57f44271a5f81ed852dc2e37192bd8ed131c98e0c38b027700e9d900854970704fc0dc88e574032a9ec19193606bcb647f23125094e1af715c658fc3f

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
1fee3fa7d9742c8ab9e88f909361192e

SHA1
4c922e8e2736b71e38783f5ceeb956e62e085823

SHA256
b7bcdd2b991f82ce278383d16e0d47b83aa571f72ca1791bf6a57d07e914423e

SHA512
713dc232b2a39a423f7320e8cbdf363713fcd4a40de1008e4fb39c6481baf8a376c31e7dc24d879fb91d060810cc9577c332163aa281683afd9ba1f280f04ab2

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
e8a10541ab9b8cd41ba3893c3e9dd402

SHA1
2a2749ee20d73f5cabc458579fedc4b14aec0cfb

SHA256
801845456570cb818b04106795a2bed71335c9fb3df65272bc2c94ccae54ea1c

SHA512
ced59acaf4f3c47bba34853a8f0a393e8c72700760d0e83ddb4ab2bb918c85cdc6fca26b99ab48a12bbcb4fd5747d288b57900de6324112cb734307369e56b37

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
45800dcac7f59b0a07a2b8ff17e13858

SHA1
b544cef5d56d38784bb996e14fc8e76087f9164a

SHA256
496981fa801f09d3a894bd659ea57e3a3e374f30757a2f1983f017095b3f7bd2

SHA512
f06813192710970d1008b315dc889d1baf1cf2ad27d8d622bc5ce58d0e85a0bf54d4edae52ca92679786b91581bc04880e2082d3fd53d9ab75ceac8102175104

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
fe0acecc2e1864c85498a99157398762

SHA1
ec6f86a3bb429c8bd0291cc0531bfa7296a6b7f6

SHA256
ec5070db212b3f3f56726a726367726ad35ae159555297baca57f3c2fb09a337

SHA512
68ef3e61eaee65a6c973c9fc0642e1ae58640f12143e12b0918c9df079ecb022bfa19555b516e0225eaf03dcd9a18450c306309cb4f3854cd663912828f8f81a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
4e1864c0a63b8cbf3da321a19c402dba

SHA1
bd82b62676c1e54603162b32b18fd2b37bc5d0b9

SHA256
64449024b3e175e789a84eedeba991cdf336ee252470ced0c6d6dee780bc6a1a

SHA512
0649e44877f65d0b555e574dbeaf49a85e1494455af1590ba0139de3e361849e11d859eccf9638f01bdb5f4944c74cfb5118b200f7d0a9ecf7aec0bab09d59f4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
f8dbd1f6af6e8f2fb5b6ec34e1095de2

SHA1
6715fc987e91efdd91570d40a0dd26521b594a54

SHA256
175e18914eb1bc63fcec99f6ad056f1c8c69280c16655d2f2e1fce93f59f18aa

SHA512
de0e0d728271d59c1388db184804d0e269ec21039767a1609eae4e22a853284fe348782295b84634f2aa2c914c9b729fb7bf18deb4b3e6ae66385055585aa906

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
0cde1565cd1edb97c4ccb01f6f2cf9e7

SHA1
49346ac8baf26279c741439836fcd8c19600a953

SHA256
acdbf12bafef69def19ee6a0c95f96132cbe22d5b8585f86de0639ba5ab8055d

SHA512
390bd86298d147d1357d4980ac3dba69be59f8f11ce1ccf1da4118597e9d427f4630b6341fdf5b3bfb19e8e1d132683dce0ae07e9e407f46ec8caf0db4a17aad

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4d420aa31d320cdf2e1ce2aefe7bc119\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
6f9f108fa2279e1c28463809d1ade2ae

SHA1
f4a84ed2ee86aca38d3eb4cb8447cae3c7120e1d

SHA256
bdcf89d2d6f43ae146e1008fceff57d91e78c517a37df09a4d7bb18a935a96c8

SHA512
9a21732e365f20811a617d579f63a6879ffa0d727d786ea824c651992d079690a476453a365fa52fcffa722e575ce52087ee3757ad90db3ba308fda6567ace3f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\924bfaf76497bff143e78a61c650124e\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
b31f8a9c321f70de4ab2b73c610fb7c2

SHA1
c2fcd415676ef0d77b5bf749216aea6357c6f98c

SHA256
251f2cdb95dd3bc3b0c9a6ec466e3407acd192421e45d02da248dff28728793f

SHA512
3b5f063cb2cc5343f0c6e926b894384854718284dcc8225f92b19e15688a8fafebbe2286524d06b39c4ed73507718f146ca0485e5d226847c5d81b22bf64aa92

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9a47f7a8a270b891ff5fa8f47d9a7d62\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
45b5e89475d04337157c7b385f58ba81

SHA1
dd23b6d57f859f98a080d5c0ada7420527f2ea14

SHA256
02ef348274626ea2f6b2760369fb8acc6bfceefa69b4a328f478736a04345a86

SHA512
7226ca311a12d0cbc8415a34f2f448db7da0bf50057853469af15f4f3378899de0eb7d85699a9e66641ccf6a5ba4b66ba3d7ef05358c7c8aa21bb870282271b5

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e4b498b209dc38111c1b2b09a01869cb\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
6042e0c68fdfa86bf768937f9ef48031

SHA1
856c651c3be2ffeb1c34c03258b0222b59fab0c2

SHA256
6d39c9e165a26117723534caaf1b25acb62a39a38af0bc22dd75856437947e69

SHA512
b8aa82b5a568efc8d7151478979bad6effadfdff82a9da19c62c8c790393711b643f26305a88776c5e000798e7e3fc7ceab95cfaf3af0d3d28923f3f7873c4a6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
84bc4b9f2b7f805ede27961ffbdfdd9c

SHA1
0aa168ab75dd4fae338740660b0b93470dc6fd1b

SHA256
8f2b2cd2c212279a92ac573ba42fb3197c055684cdaac39678d409c36a976bae

SHA512
08f4b88c406c4298829c4eed70c2c3ef755ba8dd7ea0ee4f746e5dbe4e7ef5726484d824b7c0d93c133ee1b1c4670259402dde617f61d97f73694d4123730b76

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
691KB

MD5
e6919e3ec0c793f1ee7e509861e3662a

SHA1
f848b6e81eee0f0cb9b900d3d65852ca6991c5b9

SHA256
df293b61d9e679bf111a4370fd9e79696da1d6b38396379ebf03862b063f58ff

SHA512
9366f29e77843aafac71f1a7152f756fccbb4907b246923d8c95761f8e31f70982188ce19946c88b60d220e3bb0587e31027c9f9c33d661064d81bc4958a84cd

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
09af0c0bf5d676999a2c40d592bb1073

SHA1
bff05459a66c29c8206e557678a56712391418d7

SHA256
527fafc656b0bad1d987a90c801dd5e7727bb7c4233ebce480abdb5cb0744648

SHA512
4a03c0ab787112ffe3da8acc4621666ee06b3ad0673d372c2fa26464adbd74770a3d2c2971e6b6c3bd46052695e80912f913106090485074b078a426bdc669bf

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
812ea32b97620570e4d3b1bc05a424c1

SHA1
2fc88df05c6bce5654e5da012a66ffdbb395a7f0

SHA256
bb30e60a2ef54838e9117e05fadcd69d54d3562ce21f7d274364ce2e06e54d7f

SHA512
349c07cc5f90c0ad91bba8a2f8efe0e3b481e26755bde3725995c445c3dc490eae5a3afe1527a25f70043edf83df04cb855420e8fe25b71286f0ce361b2a10bc

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
f93355e5506b54e72ef59eae6921178c

SHA1
9802bc0791a7e24e84ffbdaf28bf35a9f5cd937c

SHA256
3919a8130851c5189712a4d707c10cb64fe0af37da59b4e187652744692e362f

SHA512
9fa824995cf638769abc183bce84f2b3bc7ffffb3b6245d525ce702550f6e796a3202ab794601b8e1378fd8b0018a39516325ae4a017a506736a5dd5cfc8ecf8

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
2e8ba6e2f0b90eb46716f0edf3489fac

SHA1
d257dad6f5e5a1b48629f114d9bda2c3f3a9f6da

SHA256
c4a3428862b6f57fc4eb2603d364ed73bdda4983cc38bbd27a0448a3b93132ba

SHA512
d088657d7e86317cfa249ac58c3b416d8c132ebad0a7efdd36a5435fe1949b9c612414b18507694799018ebc6fb7ceb60553e52922fadeffff100862e8ebe434

Download Submit
memory/848-312-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/880-229-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/884-209-0x000007FEF4B50000-0x000007FEF54ED000-memory.dmp

Filesize
9.6MB

Download
memory/884-267-0x000007FEF4B50000-0x000007FEF54ED000-memory.dmp

Filesize
9.6MB

Download
memory/884-311-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download
memory/884-271-0x000007FEF4B50000-0x000007FEF54ED000-memory.dmp

Filesize
9.6MB

Download
memory/884-269-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download
memory/884-263-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download
memory/884-214-0x000007FEF4B50000-0x000007FEF54ED000-memory.dmp

Filesize
9.6MB

Download
memory/884-211-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download
memory/1160-203-0x0000000000410000-0x0000000000476000-memory.dmp

Filesize
408KB

Download
memory/1160-197-0x0000000000410000-0x0000000000476000-memory.dmp

Filesize
408KB

Download
memory/1160-202-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1160-259-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1488-193-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1516-216-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1516-230-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1516-231-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1516-221-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1720-151-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/1720-152-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1720-176-0x0000000000CF0000-0x0000000000D00000-memory.dmp

Filesize
64KB

Download
memory/1720-205-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1720-158-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/1720-178-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1720-175-0x0000000000CE0000-0x0000000000CF0000-memory.dmp

Filesize
64KB

Download
memory/1728-188-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1728-180-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1728-181-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1728-238-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1768-327-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1768-330-0x000007FEEF240000-0x000007FEEF2DE000-memory.dmp

Filesize
632KB

Download
memory/1768-319-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1904-103-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1904-148-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1924-295-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1932-111-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1932-187-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1932-117-0x00000000005E0000-0x0000000000646000-memory.dmp

Filesize
408KB

Download
memory/1936-288-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2248-171-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2248-164-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2248-172-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2248-220-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2252-250-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2252-298-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2252-243-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2336-302-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2352-1-0x00000000005E0000-0x0000000000646000-memory.dmp

Filesize
408KB

Download
memory/2352-7-0x00000000005E0000-0x0000000000646000-memory.dmp

Filesize
408KB

Download
memory/2352-6-0x00000000005E0000-0x0000000000646000-memory.dmp

Filesize
408KB

Download
memory/2352-135-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2352-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2452-281-0x0000000000450000-0x00000000004B6000-memory.dmp

Filesize
408KB

Download
memory/2452-274-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2452-325-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2676-47-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2676-166-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2804-299-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2848-272-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2848-268-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2848-261-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2848-332-0x0000000074648000-0x000000007465D000-memory.dmp

Filesize
84KB

Download
memory/2848-309-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2848-317-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2848-285-0x0000000074648000-0x000000007465D000-memory.dmp

Filesize
84KB

Download
memory/2904-294-0x0000000000530000-0x00000000005E2000-memory.dmp

Filesize
712KB

Download
memory/2904-284-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2904-240-0x0000000000530000-0x00000000005E2000-memory.dmp

Filesize
712KB

Download
memory/2904-236-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2932-196-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2932-128-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2932-127-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2932-134-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2968-313-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2976-160-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2976-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/3016-94-0x00000000003F0000-0x0000000000456000-memory.dmp

Filesize
408KB

Download
memory/3016-89-0x00000000003F0000-0x0000000000456000-memory.dmp

Filesize
408KB

Download
memory/3016-88-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3016-145-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download