e0335821c33a1b0e9b32335d1268f86063fc95bc1bc5d53226b1d9f1eaf6a3a7

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
11/04/2024, 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0335821c33a1b0e9b32335d1268f86063fc95bc1bc5d53226b1d9f1eaf6a3a7.exe
Size

577KB
MD5

a327ac10a9efd79b8bebb7417ba940c9
SHA1

745835813c60ab30b2dfff2ee3a6e52f9443ad2e
SHA256

e0335821c33a1b0e9b32335d1268f86063fc95bc1bc5d53226b1d9f1eaf6a3a7
SHA512

984aca3af97b038af6f94f9ee19f97d1bb7b3aabfa0a686223a1952cdcdaa107086742f7d805ddee230804e1cb230d3b49ca70bdf7e7d4e44a23c3948cb77e5e
SSDEEP

12288:nMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:MSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
480	Process not Found
1836	alg.exe
2664	aspnet_state.exe
2464	mscorsvw.exe
2724	mscorsvw.exe
2824	elevation_service.exe
2864	GROOVE.EXE
1684	maintenanceservice.exe
1332	OSE.EXE
596	OSPPSVC.EXE
1780	mscorsvw.exe
2788	mscorsvw.exe
2572	mscorsvw.exe
2896	mscorsvw.exe
1628	mscorsvw.exe
2004	mscorsvw.exe
2244	mscorsvw.exe
2152	mscorsvw.exe
1168	mscorsvw.exe
2360	mscorsvw.exe
1520	mscorsvw.exe
1820	mscorsvw.exe
2648	mscorsvw.exe
1956	mscorsvw.exe
2892	mscorsvw.exe
1056	mscorsvw.exe
1536	mscorsvw.exe
1952	mscorsvw.exe
380	mscorsvw.exe
1856	mscorsvw.exe
2920	mscorsvw.exe
1580	mscorsvw.exe
1928	mscorsvw.exe
2656	mscorsvw.exe
2488	mscorsvw.exe
1952	mscorsvw.exe
2720	mscorsvw.exe
860	mscorsvw.exe
280	mscorsvw.exe
2660	mscorsvw.exe
2096	mscorsvw.exe
2728	mscorsvw.exe
3040	mscorsvw.exe
2896	mscorsvw.exe
3052	mscorsvw.exe
952	mscorsvw.exe
1664	mscorsvw.exe
960	mscorsvw.exe
2940	mscorsvw.exe
1612	mscorsvw.exe
1512	mscorsvw.exe
2660	mscorsvw.exe
2232	mscorsvw.exe
2728	mscorsvw.exe
2184	mscorsvw.exe
2140	mscorsvw.exe
1276	mscorsvw.exe
2244	mscorsvw.exe
2932	mscorsvw.exe
2212	mscorsvw.exe
2564	mscorsvw.exe
1712	mscorsvw.exe
2540	mscorsvw.exe
2380	mscorsvw.exe

Loads dropped DLL 37 IoCs

pid	Process
480	Process not Found
2660	mscorsvw.exe
2660	mscorsvw.exe
2728	mscorsvw.exe
2728	mscorsvw.exe
2896	mscorsvw.exe
2896	mscorsvw.exe
952	mscorsvw.exe
952	mscorsvw.exe
960	mscorsvw.exe
960	mscorsvw.exe
1612	mscorsvw.exe
1612	mscorsvw.exe
2660	mscorsvw.exe
2660	mscorsvw.exe
2728	mscorsvw.exe
2728	mscorsvw.exe
2140	mscorsvw.exe
2140	mscorsvw.exe
2244	mscorsvw.exe
2244	mscorsvw.exe
2212	mscorsvw.exe
2212	mscorsvw.exe
1712	mscorsvw.exe
1712	mscorsvw.exe
2380	mscorsvw.exe
2380	mscorsvw.exe
2728	mscorsvw.exe
2728	mscorsvw.exe
2060	mscorsvw.exe
2060	mscorsvw.exe
1564	mscorsvw.exe
1564	mscorsvw.exe
2224	mscorsvw.exe
2224	mscorsvw.exe
1500	mscorsvw.exe
1500	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	e0335821c33a1b0e9b32335d1268f86063fc95bc1bc5d53226b1d9f1eaf6a3a7.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\55bf36f5bfe435d8.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F6AFA7E0-7C65-4C06-9D81-8A9FA89DB845}\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files\GroupRestart.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP167D.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP18ED.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP146B.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP56D.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9FF.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE05.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E79.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFE6B.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAC.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC02.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP207C.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP751.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1304	e0335821c33a1b0e9b32335d1268f86063fc95bc1bc5d53226b1d9f1eaf6a3a7.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeDebugPrivilege	1836	alg.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeDebugPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe
Token: SeShutdownPrivilege	2724	mscorsvw.exe
Token: SeShutdownPrivilege	2464	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 1780	2464	mscorsvw.exe	37
PID 2464 wrote to memory of 1780	2464	mscorsvw.exe	37
PID 2464 wrote to memory of 1780	2464	mscorsvw.exe	37
PID 2464 wrote to memory of 1780	2464	mscorsvw.exe	37
PID 2464 wrote to memory of 2788	2464	mscorsvw.exe	38
PID 2464 wrote to memory of 2788	2464	mscorsvw.exe	38
PID 2464 wrote to memory of 2788	2464	mscorsvw.exe	38
PID 2464 wrote to memory of 2788	2464	mscorsvw.exe	38
PID 2464 wrote to memory of 2572	2464	mscorsvw.exe	39
PID 2464 wrote to memory of 2572	2464	mscorsvw.exe	39
PID 2464 wrote to memory of 2572	2464	mscorsvw.exe	39
PID 2464 wrote to memory of 2572	2464	mscorsvw.exe	39
PID 2464 wrote to memory of 2896	2464	mscorsvw.exe	40
PID 2464 wrote to memory of 2896	2464	mscorsvw.exe	40
PID 2464 wrote to memory of 2896	2464	mscorsvw.exe	40
PID 2464 wrote to memory of 2896	2464	mscorsvw.exe	40
PID 2464 wrote to memory of 1628	2464	mscorsvw.exe	41
PID 2464 wrote to memory of 1628	2464	mscorsvw.exe	41
PID 2464 wrote to memory of 1628	2464	mscorsvw.exe	41
PID 2464 wrote to memory of 1628	2464	mscorsvw.exe	41
PID 2464 wrote to memory of 2004	2464	mscorsvw.exe	42
PID 2464 wrote to memory of 2004	2464	mscorsvw.exe	42
PID 2464 wrote to memory of 2004	2464	mscorsvw.exe	42
PID 2464 wrote to memory of 2004	2464	mscorsvw.exe	42
PID 2464 wrote to memory of 2244	2464	mscorsvw.exe	43
PID 2464 wrote to memory of 2244	2464	mscorsvw.exe	43
PID 2464 wrote to memory of 2244	2464	mscorsvw.exe	43
PID 2464 wrote to memory of 2244	2464	mscorsvw.exe	43
PID 2464 wrote to memory of 2152	2464	mscorsvw.exe	44
PID 2464 wrote to memory of 2152	2464	mscorsvw.exe	44
PID 2464 wrote to memory of 2152	2464	mscorsvw.exe	44
PID 2464 wrote to memory of 2152	2464	mscorsvw.exe	44
PID 2464 wrote to memory of 1168	2464	mscorsvw.exe	45
PID 2464 wrote to memory of 1168	2464	mscorsvw.exe	45
PID 2464 wrote to memory of 1168	2464	mscorsvw.exe	45
PID 2464 wrote to memory of 1168	2464	mscorsvw.exe	45
PID 2464 wrote to memory of 2360	2464	mscorsvw.exe	46
PID 2464 wrote to memory of 2360	2464	mscorsvw.exe	46
PID 2464 wrote to memory of 2360	2464	mscorsvw.exe	46
PID 2464 wrote to memory of 2360	2464	mscorsvw.exe	46
PID 2464 wrote to memory of 1520	2464	mscorsvw.exe	47
PID 2464 wrote to memory of 1520	2464	mscorsvw.exe	47
PID 2464 wrote to memory of 1520	2464	mscorsvw.exe	47
PID 2464 wrote to memory of 1520	2464	mscorsvw.exe	47
PID 2464 wrote to memory of 1820	2464	mscorsvw.exe	48
PID 2464 wrote to memory of 1820	2464	mscorsvw.exe	48
PID 2464 wrote to memory of 1820	2464	mscorsvw.exe	48
PID 2464 wrote to memory of 1820	2464	mscorsvw.exe	48
PID 2464 wrote to memory of 2648	2464	mscorsvw.exe	49
PID 2464 wrote to memory of 2648	2464	mscorsvw.exe	49
PID 2464 wrote to memory of 2648	2464	mscorsvw.exe	49
PID 2464 wrote to memory of 2648	2464	mscorsvw.exe	49
PID 2464 wrote to memory of 1956	2464	mscorsvw.exe	50
PID 2464 wrote to memory of 1956	2464	mscorsvw.exe	50
PID 2464 wrote to memory of 1956	2464	mscorsvw.exe	50
PID 2464 wrote to memory of 1956	2464	mscorsvw.exe	50
PID 2464 wrote to memory of 2892	2464	mscorsvw.exe	51
PID 2464 wrote to memory of 2892	2464	mscorsvw.exe	51
PID 2464 wrote to memory of 2892	2464	mscorsvw.exe	51
PID 2464 wrote to memory of 2892	2464	mscorsvw.exe	51
PID 2464 wrote to memory of 1056	2464	mscorsvw.exe	52
PID 2464 wrote to memory of 1056	2464	mscorsvw.exe	52
PID 2464 wrote to memory of 1056	2464	mscorsvw.exe	52
PID 2464 wrote to memory of 1056	2464	mscorsvw.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e0335821c33a1b0e9b32335d1268f86063fc95bc1bc5d53226b1d9f1eaf6a3a7.exe
"C:\Users\Admin\AppData\Local\Temp\e0335821c33a1b0e9b32335d1268f86063fc95bc1bc5d53226b1d9f1eaf6a3a7.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 240 -NGENProcess 1ec -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1e4 -NGENProcess 248 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 25c -NGENProcess 24c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 250 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 268 -NGENProcess 248 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 270 -NGENProcess 1d0 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 1d4 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 274 -NGENProcess 270 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 274 -NGENProcess 278 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 284 -NGENProcess 274 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 284 -NGENProcess 250 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1e4 -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 26c -NGENProcess 250 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 268 -NGENProcess 28c -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 250 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 290 -NGENProcess 26c -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 268 -NGENProcess 298 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 28c -NGENProcess 29c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 29c -NGENProcess 288 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 284 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 284 -NGENProcess 26c -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 220 -NGENProcess 2ac -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 2c4 -NGENProcess 288 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 270 -NGENProcess 2cc -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 270 -NGENProcess 2c8 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2b0 -NGENProcess 2cc -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2c8 -NGENProcess 2cc -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2e0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e0 -NGENProcess 2d4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2e4 -NGENProcess 2c8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2c8 -NGENProcess 2c4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2e8 -NGENProcess 2f0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2ac -NGENProcess 2f4 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2f8 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2e0 -NGENProcess 2f8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2f0 -NGENProcess 300 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2bc -NGENProcess 2f8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2f0 -NGENProcess 308 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2c8 -NGENProcess 30c -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2f8 -NGENProcess 310 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2c4 -NGENProcess 314 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 318 -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 310 -NGENProcess 2fc -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2bc -NGENProcess 320 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 320 -NGENProcess 314 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 328 -NGENProcess 2f8 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2bc -NGENProcess 32c -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 330 -NGENProcess 2f8 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 2f8 -NGENProcess 310 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 328 -NGENProcess 32c -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 330 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 314 -NGENProcess 334 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 338 -NGENProcess 334 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 2bc -NGENProcess 344 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 328 -NGENProcess 344 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:1796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 31c -NGENProcess 350 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 350 -NGENProcess 34c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 330 -NGENProcess 358 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 34c -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:1720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 360 -NGENProcess 350 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:3008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 330 -NGENProcess 364 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 32c -NGENProcess 368 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 368 -NGENProcess 350 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 368 -NGENProcess 32c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:1856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 368 -NGENProcess 370 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 374 -NGENProcess 37c -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 328 -NGENProcess 370 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 380 -NGENProcess 368 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:3068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 388 -NGENProcess 37c -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 390 -NGENProcess 358 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 390 -NGENProcess 388 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 390 -NGENProcess 394 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 390 -NGENProcess 378 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3a4 -NGENProcess 390 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 3a4 -NGENProcess 394 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3a8 -NGENProcess 3a4 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:1872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 3a8 -NGENProcess 390 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 3a8 -NGENProcess 328 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3a8 -NGENProcess 368 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:1280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 370 -NGENProcess 328 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:1304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 394 -NGENProcess 3b8 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:304

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2488

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2824

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2864

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1684

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1332

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
bd4eaa4ca286ac76398fc7e12e09bd07

SHA1
eb77883e2653cf7933da1d84b04da4a0e3d7e0cd

SHA256
2030f690f9ac6d77fc445cc897fd4c610176f0f9dcb088e05b561f9967574791

SHA512
b957704e0da6d8d7193f669e8600c0ba46aeb8082fcc9db1af14c4c7a61c8feb5f391aa4255642c1597c74b90a832e853ab000cb467664e81f71c2debd0addbb

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
d7c2e2e42630116d6d40ac633aca46c9

SHA1
f973fe2eaa6a68ef9e11397826e684e46dd82eac

SHA256
7a2dd318fb75e0ab3e4775134912045a7deed071ca7d01276a033a63a1ed0b5d

SHA512
616e3be2532d46574f5d0b2e7d9fc2d39f3b4e045d07f7c14fde542857bdfc8f94888c7dab13d9f18192a14b5c5b5528bbb1a8d52154ff15d8f63734fe4e6985

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
245923b7b8866deb21ec377bea70d5b9

SHA1
cba6ae6771bfa32eda46d5c2b23af866926cf99a

SHA256
543e00bfe170be4eeaa7a4149e064083fe51b82d6a72f696eb8ed496806b35f6

SHA512
47d74ea99f12df0b7c3276a62127d601eec41bce73741c0f205cb47a0f7ee0b17f5e87584f2dc82dd3748b6019b9ea6068a4aee36adcebf01beb03e52c26a7b8

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
413e6ae4a22e171a0bf09ae4d8a771e0

SHA1
1408745cc6ade0921206068908c0e90aed0a1e8a

SHA256
ff8d00b61ae15a4860b92039a5c17de3d0c5b9227dad5280854a15605531d1bb

SHA512
3b5deb9866a0aa1ea1413d7984c1a80f77b49c665f72b2a00b02a376fa498accc3989a556d94455370c378a41be59623e43ccab4cb0d01e1af5751bcf5cafa3f

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
7ad1731aace3f6495fc28241fe552c8b

SHA1
64e50fc06f73b839b38772750df2a90af3795aad

SHA256
707873aad69e8ef5b27eeba8163f696eeac56c0eb56c90fd882811e3b9d36aaf

SHA512
ed9347c3bc55b061dc865ad896925f0e0c0848a3297c853ff5a7c1f5d1febf48b996bb424531b93d90d7725a698f295276aba81cae64d89e94c914028e0a974b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
0427131b3be5c84b67b642ac563b9435

SHA1
6c130631ba80b0c106f9a441ec19fdee4465bdac

SHA256
b57bde2f1fe45afc3647458a47bada43a8d7421042f050e67d53d2850d6180f9

SHA512
e63d8781d1b37a6571c6a175a2cf10ec6a412d4c4be68ff7255dcbd8e4ee376e4898f105af7d4a25e2ce7ffdd6fe6cc6ce4c7f8f2b6a0e6ee241d0d510f228c8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
aae20539e42488d9adc0ce32c71a529a

SHA1
ab60784d55fbdf49e4615410343f3d751830bb60

SHA256
5ce39e8e8d16dc11eed21a8b08aa52b0b046ab398c5ab782ccd856cf6c7cf7f1

SHA512
dc5df7abe3edfb53090f16db91e9bea924923ed59bfebd7cde5df36714383b8a42b20b2fa0a9383f5c777fd628862ac4c8743d3c9725010dd0a2bd2d57e5f25b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
a84770f2e5468b7f8ebb1d27b5fd5937

SHA1
29f85c76446bdc4cee2b5e9fbe2228b810770c76

SHA256
95a17fa512ff9c61c79dfd7847c433657a107f9540e7ece89344280625127d76

SHA512
e74d97a74c3dd8ef667300972ddf6cc7c291843c115939425a373e0192791182ad81da2e7f4c9b02e2cfcbf6a1ee3adc38bcd9bd0c4f6437740969bef730ae98

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e9e9d8c5a960160443f74f9cfe43b4a7

SHA1
d3811367794847e2afb6240e572d9915bee0e90f

SHA256
03a7da2155bba22d06f6266c1102c2f768792b14fa363c38ed2d040579d793e5

SHA512
7cbdc4392e3fc6b71da96a6bc46f77c0cc33422b2ee7e928a7167816170e869c96f488c79d47dfe3164cd9f419d549b01f098515326ce65df3a614be852bfd3e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b7465f804ff95c719fc4265ae688e3cf

SHA1
9ed88312faa21588bf5510513670cac1f8c09067

SHA256
7d20ec0abe0f88e5009916b6018b5dab748ccb36b2d748e8369dbb485c60c830

SHA512
c1cb02f7d38979fe6007ed7153d006b195f17308631010d1a91516491bca40a59cb1bc65d6217137bd1696f88ce4f455546d228a603e0ca65aac7b1564203130

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
c891d3b7246f5dda0a44585596226a02

SHA1
782f28dbf3c670c705693191caf6ebf0efde4c06

SHA256
f79d0b3b4638a127f416932e7a7ba67931df58327e52660b6b70be9e60e5df1c

SHA512
098ccc18aa7a159a4a00489f321206e3996f839a2c6741fe013f80fb58ce355df2d17fe89ab87f60ac525b655a25132b11f63cdada23d5d63bc650c9abdaefd0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
b7828c235b9d467506030a2660ffe5da

SHA1
f6aaad43cb46deb525a462a9e46dc1b127c8493a

SHA256
5ae77f7c26ee9c74bac12288297ae88785272e5d3a1514df4aefd3c1060c696b

SHA512
da59be089341c052c5285cf652706698ffd354cf8787e4dac860358518ff8ca1888a1ce86d788a7e2c165357e8d5070a36d6ccca2bdc46a623178059a3f6b662

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
3fe6594db47cf12cfdb519bf57886b0c

SHA1
aee54b11e9d55495cf4eebf7ff70357e53510af4

SHA256
a922fc6378181d6bbcb200cc645970313271363796e22646544df4d8984cd556

SHA512
f191427b02b8ee82916e0765dde803d9522b19f5d59db9bc104fb41f048929a65bba9c54b3b319189d02f313144031db2f677f65dbbb912f8aefda1f20a700d9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
b6bd6f2836d22eae23e3b17f536f4288

SHA1
4ea2ea93fcbca35880c375656d2951382493c97e

SHA256
ccf14b911879e886728ad2ed93397bf515232bbfc9e0b190a07911682783adb8

SHA512
ec258697bc1841f9e0d1456a575a436be6d4536fd1fb32b9ca48347fb9ecf185c4ba5e2548df9508455dcc2b705c7a095c4ff5fb50df0e26df45ceef0da5576a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
729103dc23b60c5429f775fb64caacee

SHA1
d5869b54e3d7939472393bea595b1e0d675d050d

SHA256
32a53be3f47a3f0039d16ff9de8b72ec240fc7f6d4ffeccf8317bc9cb28e6a7f

SHA512
d04a9fce2bfe2f8a680b872291f2a92f187c27457efc5b9cc49259d514b19d42e33857072c4b012e9cb52820ee1b6ee960ddc80cae5adcb89b4f01046e556134

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
339ac9c5386f62f9a7c11e2147765802

SHA1
9c56d7926fe90c44cfe5c8abb1dd4e6c33de9f9f

SHA256
45044be428fc352cfa437688ccc226b4d41bbf37f14a0b204f7e479d29367ca1

SHA512
a767e192830f7303456e7bfd61af4c34e1a96978bd4725029875ff32457bcaed412eb0907336127683aee015bfec1543fb53088808b77d66faf2b3f3fb395f75

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
084169716161ac9d0fcb694eb58e8501

SHA1
288b7dde64ce24ae3924f3e2d4316e677266a137

SHA256
b7fa9f08dbbe1188b64f43b201dce9c33bd8ec8cbfcd19382a4a20408cbb55a6

SHA512
033d0d0be05ecf393e5379a88fc31770a13f88b3ab1d05c0a2da492c80bc7fdeb9dc749bc0260ab61827f4194dd67bf0fafbcd48069ba1367ee9a75da911ce5c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
58547cfcdfff2807707b92fffbdb7a64

SHA1
1a08adce085479288b6c86a55e36abf51879d466

SHA256
2681a850d866955bec40b1d0bf0f2a2361fdfc9c2e7d5b52eeb33b2f9aefc64d

SHA512
5fc76f402740c77919ce35e8d6816dc9d7c6e9679d6e580fdf402be6ebf717a8a7fd2dc05eb3ebf5ef736254b0302e3274d39c270bdbefb1b3cc5c503b197a33

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
577KB

MD5
4853de1f2c02e94318178372de81818a

SHA1
ce077b36c3a92559191ee6cc5e6382057dabcf5f

SHA256
1e0b4689f11ce01e35fa2bd99ebc9f680bbe6a7765b990e812894897dd353242

SHA512
a5ae7d3a038e42e70286c2778955ab7078846a490969352aff4f5a48231c0ef5ff9515ac3ffe3f672a0fca4244a7c055c17c1158b4c2f5f2a6d4e16632a3f8fa

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
577KB

MD5
30666b1b52241716378b91a760d4d6b6

SHA1
454708c7e7319cc1443f60fa281175756c2f0582

SHA256
2d32b0e78cbec8c005697eb590335bde8f71076c56503bee919e3a6e876004a4

SHA512
231b8ba0a4b45c0a8d3d503ab63beb9382dc9a7dbe904c506826d4402ad330a04217eaf28a454619bce00c09d1d6ceaab8afd25f88050e05be82dbdfc5bb0a46

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
577KB

MD5
28506da7ccc456f1cf3ac8ea5dbf2942

SHA1
37abc715742a9914e76dcc9a4ff3ecb6fa07fa87

SHA256
98f2d471d4dda71cea45522c36846eb167cea31ccd592fb44e26f4eba6ceef66

SHA512
eeac82be7fd4fa6ae4de3e2c32bfb9853fc154fd6b22be775f0807a01f14f7790094aa4032754e3d6f864ffa83ba9be587c8645cb3ddd2bab4e0ff5bfc28b642

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
577KB

MD5
33c6b5f3f2e344a90a0874b193f1f269

SHA1
4a341e69bbb69b844c74b8230ac1a51a72a5972d

SHA256
e4f4177fe3daed003f1df5ed1fa72bf4b0ad7291201e09ee91b88f3d85704c54

SHA512
8f344d14a3c4ee11a2e211e29ea3c2f9de25a11234d1ed30e92d4a27be20a7f75fdd816bb507ce8175bc5db6dfb4da98c6d6d6595c870ac47e2362be2b82f86d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
615KB

MD5
3f3703d5e26c3e3417a23a4f37cf6f9c

SHA1
119a07f66d7a52744187fad8c9b2d8846591b169

SHA256
d544d8eebdabe77118353aba90789c8a2f8f75a45461ee2f7dda42a43510e5d9

SHA512
b4f40305bc500b775f9cf21a5d55d1249dfb9441a7c58a4e5793d3d40516d96b96ff00d3bd1b7d98e44ce7235df311cc30183cc3931ff3743fcbdc2ea039a4c4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

Filesize
577KB

MD5
fe60535ee6b9689e7a7a8bb02e74040a

SHA1
05b2c0b4fe5ef1bfcd630d08d8b166e414e967eb

SHA256
b872f6e2d0f6b9288f957be8565fdf731468eff28bf6c12a11d40f46f3674d03

SHA512
922d6f4f4293509663eedc8dc5348d74a4d79a6a5304e4104d7e1347a0ff511c84b5f048cc3fddc042dff31d5edfc9acb373c87b7dda9aa9448f931f602c7a3b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe

Filesize
577KB

MD5
9d6c5baa5ad6fa38bccf8bbb532e6df7

SHA1
73841ca72e7495f6a66ef23d40cbe77241e781b4

SHA256
54f792b29b32be7832304c77e0c9e1b710cc94884cfc3bf53dede3dc54f7a5d5

SHA512
72f3a470b7c6cc29538afd58fabfcb0595038af66fe7cfe446dc703e14906ea7c10801142a9bdd76cda86717c05b7dec26d1fccad6f101227d366fc2e87a1838

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe

Filesize
577KB

MD5
12907faa4e1e17e44c234fed05e7046f

SHA1
8b4c0cf2d2117fba7d1dec3502bab1d52555e30a

SHA256
92041d8a21929f5d5f6f63b04bef7741bee34096933d040c03e8080a655ddcbc

SHA512
d370d03becdbba099a7d033a13f48abcdf875c016b756dbc966746e8cf0b7b1e8301838a993301152e9ed73c0fd1a55c165eacd9d4bc93afe57eae691fb35cd9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java.exe

Filesize
745KB

MD5
6b5c1dc2e45c99fdeb9ce79ae85df935

SHA1
fc540c4d2cf7001ef16cac71703e11724a6b2c24

SHA256
759912b628faea923056294e907270f6b558714029d5ae5b62e2791c9d32c47b

SHA512
881a79e4ebe124eca35e7096a28681fedf5cf4649c4cbbe8950b5fdb4c005c152aeb66b1f0fc149ca85d37be2f5955bc80851e8c4117848254a6d7d11de5be85

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe

Filesize
577KB

MD5
d2af407edc901f525d645e3c1d692dd4

SHA1
e998c22f20a140f40e9cebc5ec17ce69c8c38104

SHA256
70a20d7fa16660c2b4ed0e4b091377cc1b308e93e62aaf63af0507e29f90b5e4

SHA512
8f0888c0a0e83ad497392b70ebca5760101fe3ff75b16c9374da85f7528c0f0234f0451bd9129c8b2eb3eaec7b7e3f6fd8fd6f097abf44f45e000b49a1a9b46b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe

Filesize
577KB

MD5
9b54d8ab447bc99a07614b52c95660d7

SHA1
61f8a6bf1a9928a516de4463775f7c34ba2cd37c

SHA256
b5542e2b70a70bc9c81bd17ddd8793531cf94ebd1e2ca897d1fb78f467934786

SHA512
2a2c854ecac1e9b2e7e3bf1b6fcd471c34c131247fb8594220e78ee5c04e034ab17cfc29dacc4bd769e08d0eac773be8c5322412c05a537218b371faaa223c74

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
b8f69b60184e4da4ebb365612af1cfd1

SHA1
5cb7b44ef90c6a7ff98251e8b8b65afedae6c590

SHA256
f3d54fd58d39846da9d6641891334da482c82caade6567cb27c81395e89e1a46

SHA512
6d32c5656c07d082030b105999a1796480880e37f27daaf2703d978f140ede7e41355147234387c928aaffcd1bf0251065cf9b5f7277b619b3447cb51b1f6792

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
76dfb1c1789adde45bdde926087cda04

SHA1
9fcae3643cfc103183c11a6718ba892c7487d7e3

SHA256
2b6d033788727a006b6fa0f4ccb78284f98b68891b42399e2d5987684156e4aa

SHA512
a069f28b6ac5aab923087b2ec356dbd90d90bccc0fa80cf6eb3ff663efa6091590361b697b408de58a6995940e0a6473cb808efc2d5f5fa153b6a58502e94709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
7d05f9597df21401020c6d94db0ed4ed

SHA1
1d21fcfb0098d4a971a6c08270dbbe5ca57aa4c5

SHA256
20da97ea736d7dbac0258ef88df2ea92a80d68bb1fa15736be2e60caf7bf15bd

SHA512
911b5f8f2fde7d41253eb460478c87d14db0bce6684fe936eef09b910c2d3abd35a9c77a185a991d6baca93942ad4a25de9e573c8f58510a626286b51e1bee04

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\1f5d757f0db1005daa2dee10d6117655\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
0357fac505a1028f1b803e4170de3a62

SHA1
0ce8e6445a23e02b8b23e964e3cced0f304f556d

SHA256
c0d079e51a8b642b9e7fea65b241204f4d890ec4f81030b6e1cfc86ac8a2c435

SHA512
ebde8c35ffeb88ffdcf14b0e7ef669acd641822e9b3a919aeb8a29b01237a8b3b44e3a446d4a6b2fb53781e944dee94ae471b94ee12e27a279169d51a87acb12

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\40bbc6963eeb62795c5e45c7bec3e871\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
8035268c2a06e2f57de1170b4ba7937f

SHA1
faf845cf886ba344f86a0cf70b612d1127395828

SHA256
ffff2e2f4e170d5272e5c776d0230b347046a62b5bb35c5362406c00c92d654c

SHA512
1a21bb292d53751a99661e4797b9122105acbf2740fdbb5d0f2d0ec79f5c63246052596995adff05783b576264034fb960d1b453bc03e9dcca78737d01b358ef

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\952d88d0ad2613018ab94ed906ed6379\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
d2859e7b56a646277e5dd74f49dc66c7

SHA1
ee134b21563f194c2310c63633724262cbd64209

SHA256
6a46c71842039eabe9c1e20d205cc639d8a19cf7f0a4d249005bba28436e26d5

SHA512
fbb2649b2339d81033f31a03de94edaa857cdfb60619bc7372be91cac48fe1277b5ddd655c358596814eb32e62163b8d5c96dc57df5e5c1494709579063ee3ff

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ad333002d5af315ce99c6efc16f2735e\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
0e3474b8f9279d9130cd6287dc0984c8

SHA1
2620d07efe1f34f80596909c49adc719b95362ec

SHA256
af5a512b0e73185aab39cd47fe18f1bb87eb2836e9d125ffabfce14efd8ecb54

SHA512
6ef133b7c668588ab5f476b7804abe078d0d32b284c9e220f67fe7f213fcfa5e462dd93ffac55968c80c9e99326528dcc503a54cfd1dc41dc092461710ad82f3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
7c65423f3a9a07350123b64c84036789

SHA1
bd12d8488949e3afda7b61937ed78212dbb9dfda

SHA256
f744a037737da11873206dc6d9f8b612dbcaa04dbc60ad222c603dcc26c46658

SHA512
be37a14208c41ade077581e4f1a810e8ac5191744cf441afda0f123823e77a2d4f7e9d5dc53544a111949cbc9a0ac8c767bdd7c261186a71dcd11d57b1b2f52c

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
e8e01dfc77c1dab1512af0ed5411ac9b

SHA1
85edd12b5a467a2e3d0c8b24dcef0529f3524135

SHA256
987da85cb05a55ca806aa18a2a85fb323906ef3cab7f17e4fdab1eef60001d49

SHA512
b9fe1ecb0bd3b7d7cf9d751b05e3c1f7ff212a710ba887a388d24c40912094ec0d113c116a141d0a1c2b504eebcf716e3ab21186567fccfd07dfbebbcb6edd55

Download Submit
memory/596-329-0x0000000074688000-0x000000007469D000-memory.dmp

Filesize
84KB

Download
memory/596-318-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/596-120-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/596-125-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/596-132-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/596-137-0x0000000074688000-0x000000007469D000-memory.dmp

Filesize
84KB

Download
memory/1168-410-0x0000000000590000-0x00000000005F6000-memory.dmp

Filesize
408KB

Download
memory/1168-414-0x0000000072FE0000-0x00000000736CE000-memory.dmp

Filesize
6.9MB

Download
memory/1304-0-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1304-6-0x0000000000310000-0x0000000000376000-memory.dmp

Filesize
408KB

Download
memory/1304-1-0x0000000000310000-0x0000000000376000-memory.dmp

Filesize
408KB

Download
memory/1304-26-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1332-106-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1332-113-0x0000000000390000-0x00000000003F6000-memory.dmp

Filesize
408KB

Download
memory/1332-105-0x0000000000390000-0x00000000003F6000-memory.dmp

Filesize
408KB

Download
memory/1332-304-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1628-392-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1628-403-0x0000000072FE0000-0x00000000736CE000-memory.dmp

Filesize
6.9MB

Download
memory/1628-356-0x00000000005B0000-0x0000000000616000-memory.dmp

Filesize
408KB

Download
memory/1628-358-0x0000000072FE0000-0x00000000736CE000-memory.dmp

Filesize
6.9MB

Download
memory/1628-397-0x00000000005B0000-0x0000000000616000-memory.dmp

Filesize
408KB

Download
memory/1684-88-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/1684-102-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1684-89-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1684-96-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/1684-95-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/1684-99-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/1780-310-0x0000000072FE0000-0x00000000736CE000-memory.dmp

Filesize
6.9MB

Download
memory/1780-290-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1780-297-0x0000000000570000-0x00000000005D6000-memory.dmp

Filesize
408KB

Download
memory/1780-299-0x0000000072FE0000-0x00000000736CE000-memory.dmp

Filesize
6.9MB

Download
memory/1780-309-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1836-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1836-12-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1836-19-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1836-32-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2004-370-0x0000000072FE0000-0x00000000736CE000-memory.dmp

Filesize
6.9MB

Download
memory/2004-409-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2004-368-0x0000000000590000-0x00000000005F6000-memory.dmp

Filesize
408KB

Download
memory/2152-394-0x00000000004B0000-0x0000000000516000-memory.dmp

Filesize
408KB

Download
memory/2152-413-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2152-412-0x0000000072FE0000-0x00000000736CE000-memory.dmp

Filesize
6.9MB

Download
memory/2152-398-0x0000000072FE0000-0x00000000736CE000-memory.dmp

Filesize
6.9MB

Download
memory/2244-382-0x0000000072FE0000-0x00000000736CE000-memory.dmp

Filesize
6.9MB

Download
memory/2244-395-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2244-380-0x00000000004B0000-0x0000000000516000-memory.dmp

Filesize
408KB

Download
memory/2244-396-0x0000000072FE0000-0x00000000736CE000-memory.dmp

Filesize
6.9MB

Download
memory/2464-35-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2464-41-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2464-36-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2464-104-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2572-340-0x0000000072FE0000-0x00000000736CE000-memory.dmp

Filesize
6.9MB

Download
memory/2572-330-0x0000000072FE0000-0x00000000736CE000-memory.dmp

Filesize
6.9MB

Download
memory/2572-339-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2572-326-0x0000000000280000-0x00000000002E6000-memory.dmp

Filesize
408KB

Download
memory/2664-33-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2664-30-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2664-29-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2724-50-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2724-118-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2724-49-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2724-57-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2724-56-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2788-313-0x0000000000B10000-0x0000000000B76000-memory.dmp

Filesize
408KB

Download
memory/2788-321-0x0000000072FE0000-0x00000000736CE000-memory.dmp

Filesize
6.9MB

Download
memory/2788-306-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2788-327-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2824-65-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2824-66-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2824-73-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2824-128-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2864-77-0x0000000000570000-0x00000000005D6000-memory.dmp

Filesize
408KB

Download
memory/2864-80-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2864-84-0x0000000000570000-0x00000000005D6000-memory.dmp

Filesize
408KB

Download
memory/2864-284-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2896-343-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2896-348-0x0000000072FE0000-0x00000000736CE000-memory.dmp

Filesize
6.9MB

Download
memory/2896-350-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2896-353-0x0000000072FE0000-0x00000000736CE000-memory.dmp

Filesize
6.9MB

Download