afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe
Size

1.8MB
MD5

5e62e8b6a7c89111ec71301729aeaa68
SHA1

1d35e71e643756157b77e2dcf6c5a8ad44f233a4
SHA256

afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7
SHA512

875d5bdbd4e83ab423bb783f67cb8946faf903540f25f189fdb53c35fd16e0bac3d2e63d58d19b2e12b590e845b1f9234e03b6eab4cda161fc97a3dbe21fbf48
SSDEEP

49152:ux5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAogDUYmvFur31yAipQCtXxc0H:uvbjVkjjCAzJeU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2632	alg.exe
2880	aspnet_state.exe
1944	mscorsvw.exe
2492	mscorsvw.exe
1572	mscorsvw.exe
1924	mscorsvw.exe
704	dllhost.exe
1720	ehRecvr.exe
2772	elevation_service.exe
2532	GROOVE.EXE
2776	maintenanceservice.exe
2468	OSE.EXE
2236	OSPPSVC.EXE
2208	mscorsvw.exe
2128	mscorsvw.exe
1372	mscorsvw.exe
1768	mscorsvw.exe
2496	mscorsvw.exe
2444	mscorsvw.exe
464	mscorsvw.exe
1452	mscorsvw.exe
1012	mscorsvw.exe
1000	mscorsvw.exe
1612	mscorsvw.exe
2748	mscorsvw.exe
2588	mscorsvw.exe
2456	mscorsvw.exe
2376	mscorsvw.exe
980	mscorsvw.exe
2444	mscorsvw.exe
3024	mscorsvw.exe
624	mscorsvw.exe
1012	mscorsvw.exe
2828	mscorsvw.exe
2372	mscorsvw.exe
2440	mscorsvw.exe
1836	mscorsvw.exe
1888	mscorsvw.exe
1424	IEEtwCollector.exe
2168	msdtc.exe
2480	msiexec.exe
2464	perfhost.exe
2436	locator.exe
2692	snmptrap.exe
1212	vds.exe
1204	vssvc.exe
2776	wbengine.exe
1340	WmiApSrv.exe
2552	wmpnetwk.exe
972	SearchIndexer.exe
1768	mscorsvw.exe
2732	mscorsvw.exe
1216	mscorsvw.exe
1312	mscorsvw.exe
2324	mscorsvw.exe
2752	mscorsvw.exe
1468	mscorsvw.exe
2528	mscorsvw.exe
2452	mscorsvw.exe
108	mscorsvw.exe
920	mscorsvw.exe
1804	mscorsvw.exe
1796	mscorsvw.exe

Loads dropped DLL 42 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2480	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
760	Process not Found
2324	mscorsvw.exe
2324	mscorsvw.exe
1468	mscorsvw.exe
1468	mscorsvw.exe
2452	mscorsvw.exe
2452	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
1796	mscorsvw.exe
1796	mscorsvw.exe
1260	mscorsvw.exe
1260	mscorsvw.exe
2824	mscorsvw.exe
2824	mscorsvw.exe
1108	mscorsvw.exe
1108	mscorsvw.exe
2308	mscorsvw.exe
2308	mscorsvw.exe
2300	mscorsvw.exe
2300	mscorsvw.exe
916	mscorsvw.exe
916	mscorsvw.exe
1064	mscorsvw.exe
1064	mscorsvw.exe
1440	mscorsvw.exe
1440	mscorsvw.exe
2644	mscorsvw.exe
2644	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\alg.exe	afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\69487a0cae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\GoogleUpdate.exe	afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\goopdateres_sr.dll	afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\GoogleUpdateSetup.exe	afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{D9005A2B-BC2A-4153-8911-AE3B3F543790}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\goopdateres_am.dll	afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\goopdateres_pl.dll	afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\goopdateres_hr.dll	afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\goopdateres_ko.dll	afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\goopdateres_hi.dll	afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\goopdateres_vi.dll	afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\goopdateres_th.dll	afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\GoogleUpdateComRegisterShell64.exe	afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\goopdateres_id.dll	afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\goopdateres_lv.dll	afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\goopdateres_ja.dll	afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\goopdateres_zh-CN.dll	afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\goopdateres_hu.dll	afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{697C1ED1-DF67-4756-8508-308CFC4F66AC}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8843.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD25C.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5B98.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7407.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5561.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBB15.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8CB5.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\ShapeCollector.exe,-299 = "Provide writing samples to help improve the recognition of your handwriting."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msinfo32.exe,-100 = "System Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000070ae1f60e68fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b046fd5ee68fda01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 010000000000000010ae935be68fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588 = "Windows Easy Transfer"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-308 = "Landscapes"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Multimedia	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Msinfo32.exe,-130 = "Display detailed information about your computer."	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice."	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000070acea5ae68fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2880	aspnet_state.exe
2880	aspnet_state.exe
2880	aspnet_state.exe
2880	aspnet_state.exe
2880	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2504	afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1924	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1924	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1924	mscorsvw.exe
Token: SeShutdownPrivilege	1924	mscorsvw.exe
Token: SeDebugPrivilege	2632	alg.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1924	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2880	aspnet_state.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeSecurityPrivilege	2480	msiexec.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeBackupPrivilege	1204	vssvc.exe
Token: SeRestorePrivilege	1204	vssvc.exe
Token: SeAuditPrivilege	1204	vssvc.exe
Token: SeBackupPrivilege	2776	wbengine.exe
Token: SeRestorePrivilege	2776	wbengine.exe
Token: SeSecurityPrivilege	2776	wbengine.exe
Token: SeShutdownPrivilege	1924	mscorsvw.exe
Token: SeDebugPrivilege	2880	aspnet_state.exe
Token: SeManageVolumePrivilege	972	SearchIndexer.exe
Token: 33	972	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	972	SearchIndexer.exe
Token: 33	2552	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2552	wmpnetwk.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1924	mscorsvw.exe
Token: SeShutdownPrivilege	1924	mscorsvw.exe
Token: SeShutdownPrivilege	1924	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1924	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1924	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1924	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1924	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1924	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1924	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1924	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1924	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1924	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1924	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1924	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1924	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1924	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
2740	SearchProtocolHost.exe
2740	SearchProtocolHost.exe
2740	SearchProtocolHost.exe
2740	SearchProtocolHost.exe
2740	SearchProtocolHost.exe
2348	SearchProtocolHost.exe
2348	SearchProtocolHost.exe
2348	SearchProtocolHost.exe
2348	SearchProtocolHost.exe
2348	SearchProtocolHost.exe
2348	SearchProtocolHost.exe
2348	SearchProtocolHost.exe
2348	SearchProtocolHost.exe
2348	SearchProtocolHost.exe
2348	SearchProtocolHost.exe
2348	SearchProtocolHost.exe
2348	SearchProtocolHost.exe
2348	SearchProtocolHost.exe
2348	SearchProtocolHost.exe
2348	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 2208	1572	mscorsvw.exe	41
PID 1572 wrote to memory of 2208	1572	mscorsvw.exe	41
PID 1572 wrote to memory of 2208	1572	mscorsvw.exe	41
PID 1572 wrote to memory of 2208	1572	mscorsvw.exe	41
PID 1572 wrote to memory of 2128	1572	mscorsvw.exe	42
PID 1572 wrote to memory of 2128	1572	mscorsvw.exe	42
PID 1572 wrote to memory of 2128	1572	mscorsvw.exe	42
PID 1572 wrote to memory of 2128	1572	mscorsvw.exe	42
PID 1572 wrote to memory of 1372	1572	mscorsvw.exe	43
PID 1572 wrote to memory of 1372	1572	mscorsvw.exe	43
PID 1572 wrote to memory of 1372	1572	mscorsvw.exe	43
PID 1572 wrote to memory of 1372	1572	mscorsvw.exe	43
PID 1572 wrote to memory of 1768	1572	mscorsvw.exe	46
PID 1572 wrote to memory of 1768	1572	mscorsvw.exe	46
PID 1572 wrote to memory of 1768	1572	mscorsvw.exe	46
PID 1572 wrote to memory of 1768	1572	mscorsvw.exe	46
PID 1572 wrote to memory of 2496	1572	mscorsvw.exe	47
PID 1572 wrote to memory of 2496	1572	mscorsvw.exe	47
PID 1572 wrote to memory of 2496	1572	mscorsvw.exe	47
PID 1572 wrote to memory of 2496	1572	mscorsvw.exe	47
PID 1572 wrote to memory of 2444	1572	mscorsvw.exe	59
PID 1572 wrote to memory of 2444	1572	mscorsvw.exe	59
PID 1572 wrote to memory of 2444	1572	mscorsvw.exe	59
PID 1572 wrote to memory of 2444	1572	mscorsvw.exe	59
PID 1572 wrote to memory of 464	1572	mscorsvw.exe	49
PID 1572 wrote to memory of 464	1572	mscorsvw.exe	49
PID 1572 wrote to memory of 464	1572	mscorsvw.exe	49
PID 1572 wrote to memory of 464	1572	mscorsvw.exe	49
PID 1572 wrote to memory of 1452	1572	mscorsvw.exe	50
PID 1572 wrote to memory of 1452	1572	mscorsvw.exe	50
PID 1572 wrote to memory of 1452	1572	mscorsvw.exe	50
PID 1572 wrote to memory of 1452	1572	mscorsvw.exe	50
PID 1572 wrote to memory of 1012	1572	mscorsvw.exe	62
PID 1572 wrote to memory of 1012	1572	mscorsvw.exe	62
PID 1572 wrote to memory of 1012	1572	mscorsvw.exe	62
PID 1572 wrote to memory of 1012	1572	mscorsvw.exe	62
PID 1572 wrote to memory of 1000	1572	mscorsvw.exe	52
PID 1572 wrote to memory of 1000	1572	mscorsvw.exe	52
PID 1572 wrote to memory of 1000	1572	mscorsvw.exe	52
PID 1572 wrote to memory of 1000	1572	mscorsvw.exe	52
PID 1572 wrote to memory of 1612	1572	mscorsvw.exe	53
PID 1572 wrote to memory of 1612	1572	mscorsvw.exe	53
PID 1572 wrote to memory of 1612	1572	mscorsvw.exe	53
PID 1572 wrote to memory of 1612	1572	mscorsvw.exe	53
PID 1572 wrote to memory of 2748	1572	mscorsvw.exe	54
PID 1572 wrote to memory of 2748	1572	mscorsvw.exe	54
PID 1572 wrote to memory of 2748	1572	mscorsvw.exe	54
PID 1572 wrote to memory of 2748	1572	mscorsvw.exe	54
PID 1572 wrote to memory of 2588	1572	mscorsvw.exe	55
PID 1572 wrote to memory of 2588	1572	mscorsvw.exe	55
PID 1572 wrote to memory of 2588	1572	mscorsvw.exe	55
PID 1572 wrote to memory of 2588	1572	mscorsvw.exe	55
PID 1572 wrote to memory of 2456	1572	mscorsvw.exe	56
PID 1572 wrote to memory of 2456	1572	mscorsvw.exe	56
PID 1572 wrote to memory of 2456	1572	mscorsvw.exe	56
PID 1572 wrote to memory of 2456	1572	mscorsvw.exe	56
PID 1572 wrote to memory of 2376	1572	mscorsvw.exe	57
PID 1572 wrote to memory of 2376	1572	mscorsvw.exe	57
PID 1572 wrote to memory of 2376	1572	mscorsvw.exe	57
PID 1572 wrote to memory of 2376	1572	mscorsvw.exe	57
PID 1572 wrote to memory of 980	1572	mscorsvw.exe	58
PID 1572 wrote to memory of 980	1572	mscorsvw.exe	58
PID 1572 wrote to memory of 980	1572	mscorsvw.exe	58
PID 1572 wrote to memory of 980	1572	mscorsvw.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe
"C:\Users\Admin\AppData\Local\Temp\afb333e234f9d2efb2f9ee2dd468bde21fe060de4f1654c2f380e3dee6139cb7.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1944

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 25c -NGENProcess 264 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 268 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 270 -NGENProcess 264 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 24c -NGENProcess 278 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1f8 -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 280 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 244 -NGENProcess 27c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 244 -NGENProcess 264 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 288 -NGENProcess 290 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 288 -NGENProcess 1e0 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 27c -NGENProcess 298 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 258 -NGENProcess 1e0 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a0 -NGENProcess 258 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 2ac -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 290 -NGENProcess 294 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2b4 -NGENProcess 2a8 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2b8 -NGENProcess 2b0 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2b8 -NGENProcess 2b4 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 234 -NGENProcess 2ac -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 268 -NGENProcess 2a0 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 238 -NGENProcess 274 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 254 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 2a0 -NGENProcess 26c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 26c -NGENProcess 274 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 28c -NGENProcess 1f0 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2a0 -NGENProcess 22c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 1cc -NGENProcess 1f0 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1f0 -NGENProcess 2ac -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 268 -NGENProcess 254 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d8 -NGENProcess 254 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1cc -NGENProcess 2b0 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2c4 -NGENProcess 2bc -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:1488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1f0 -NGENProcess 254 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 274 -NGENProcess 2ac -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1cc -NGENProcess 254 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 1f0 -NGENProcess 2b4 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 2a8 -NGENProcess 254 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2b8 -NGENProcess 27c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 254 -NGENProcess 27c -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 27c -NGENProcess 268 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 280 -NGENProcess 2b4 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:1440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2d8 -NGENProcess 2d4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2e0 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:1772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 280 -NGENProcess 268 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 27c -NGENProcess 268 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:1468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 27c -NGENProcess 2c4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2c4 -NGENProcess 2dc -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2e0 -NGENProcess 2f4 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 280 -NGENProcess 2f8 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:1692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2dc -NGENProcess 2fc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:2688

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1888

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:704

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1720

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2772

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2532

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2776

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2468

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2236

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1424

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2168

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2464

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2436

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2692

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1212

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1340

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:972
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2740
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:1588
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
827a8f107a56da1f3d4b11022dd3441a

SHA1
60a60bf816ca3289e090605efea37c54241db167

SHA256
55345e13b6ef6a5271d5a23e12eecf9e33438935fa9959b9837c1cfa7945fa00

SHA512
c0f9c941b38aa5fec4611b3741ac3c119ab84256dfa14dffbd2ad2f3a40ec1e4e8da62565916a6b77cd4307fbab6ddfa156f28c707b9dbc96580ea0737f2e08d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
7.0MB

MD5
f7d810d0b49b11c4e94415967aeb6832

SHA1
1f6c2fff1d6d3dc5f2ef24654b747fa9045068c4

SHA256
692c06a352f625f74cec3ed7bb122296f3937afbfd6f315ccc740363b3e3f874

SHA512
5a8bcaa1351211fdaa83074556720c37d08c9e461eb1dcb1af85786cc0e8669966f0eef7670db8d6c4b7bff9d1d6a3ff5139f470046cf5b96923d52cffd7c245

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
8a8d8308f22fa4a2cdce11928584c333

SHA1
51f3b95a7c844b5f263bfe021524025f4a27066c

SHA256
fb9e3bf47689fc1ffbc7d7e9a2ed7365be9812d7d42c0abc3649a9ddd33b012d

SHA512
fc2279a8d25eaa1bb6c7b9d1bd9cc5a6398a04671fe1951c1b9c39f5b7f5f47e8046d76203b279362a3b21423ae85a701b94c38306334ac07a1c6b79f01ac9eb

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
80576a8d1a8e62d21d450ea1caea746e

SHA1
89b18dc4cf892a07da8c98a86a0bae046910718b

SHA256
256ff97d1c1f77a3087d71f72e75c8f9de035c929c51c1232a6fd73cca484ae6

SHA512
2a75554b5060588f2b6123ce3ff3c310adb37ab300c935ae8a3461f88a4d26ff488600410263ad109fc640072e077b625f3eb48420ae1f3ddd9f1432aae2348f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
a780b72d0df0b5e20aab95520ffe4287

SHA1
592ebddce1859e3a8776efc9a8e90cfc337cf293

SHA256
41cfda049942b1b81abf3e242a4b892414be87d65b3cde45dde59f0378525deb

SHA512
47662c8a81c4f1166da26b94be52a19d0bafe062d42f5c58e50a90dfd4cb660aed818147ab04a6a413823d907ddfacbd079ceac34ca804acc6f55cdbc45fa90b

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
6fe90f46449e0cee01dce42143ff2bef

SHA1
a7310064a87603b5a290dac1476bfe8d0d5433b4

SHA256
5aff054fd4625ccadfaeed98c4ef4e1a409794c352e766a37646acf96f8bcaf0

SHA512
1ea294fe9b9b3579eaa71d0a79861771557d67165928ac51d0df02bb0084876eb86c1b618f730d7668e903918acebe8ac073b3a587a144be89bcf623773cbcd6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
b21421a3087b77bf9fed39c5c6065d00

SHA1
fabb9a7d187e3097122b46a933a3dd57cb07b5a2

SHA256
cd87c8f9e9c6251f0e1a44581ffe3acbac71fb6e01880431fdaa6ee67b0082fb

SHA512
08508334b59240d45a0d332108ac8294b4e78c8bd3f4be6793055c6525b6f41f0987b572199c78bdf3bcdc49795502273de18897207c820722d88a77143844bf

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
105c0a466d1c7d8cb7cfc749eed27e0b

SHA1
0a752ce21cbb35b82022a31a7f16a064c907415d

SHA256
ea87ebd394154bd884330074e027dcc02ab57c1b635169a1c73652483a1213cc

SHA512
2ec9c47984e870f4f9bb26b53e96f72ce5e528f73bd949b1554f9664d52d3d768962e6271a1c160a93a599a79b09dd965d92c7bd341b0a72ab7b65c767e0e21d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
2685fdc9ce1a9f21422ca26e5c71c13c

SHA1
fe683570aaaafa7b1a9943c584cf48dc0439bc33

SHA256
b2db749d13f00b6ff58b82f62e3985345819796fc946fcc08e90bc5072cf8837

SHA512
242b723be345baf82da6fa3bb9a5c1c3c78b0c1c99f2e4f9742fc65c1492188e889cea32bd48fc3f51c3c687b6ff36499776fa0ab7f92f42ab370b224c3bb463

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
0ffbfe8c27cceec8cee2f3674c5c997c

SHA1
50b009a32365d092ae4b06e5e90de1ee902072ac

SHA256
55590aa190311a1b626daa12adb810b718ad5d71f55d5c6b1dd8f4c0c5c41132

SHA512
f5602dec2c2355575ac9236e2d0fc028dc1f993d377ad8630896bd231044e5ed918e75157c5eb9c006d23d0e3a744b912f9556c931051eb73cbcddbeb8a2ff0c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
69d9fc363555398a15f2cac80686d70e

SHA1
b6511cd47584a5b69a09e9dbf2a450434a8d2761

SHA256
75a63c3c6c1e709193d582686703efb3da0edddcca0b5f9e84fe64ce7217e721

SHA512
7718efa5d1e39acc88cce0a4aa20eaca76222d2e1a1edef2bc630da4ae7bc295bb0c63a5f1d67cc91dacdd0889df9b1e10c41c11247f4afbf0b63347620d601a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.1MB

MD5
d7c8a330bb851116dcdb579bf139ebbc

SHA1
244c4957094b3a960e8237fea0576bc703434ff4

SHA256
3f01b0a4bcf1526c738f4541f15751e08a3fcb917f62701e7b95ccf3731f0023

SHA512
27e4ed20be40449f1aa3d916bce25a82d664708abfd0dab7d1487aeecce769839f71fc02a9e772de734b08fbad68e0429c379699a71add4c37b813c82329ebcd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
dfc354389fce4c3425a4394a94bce12f

SHA1
ce1f14de410bf5163167d173b04c412442a757da

SHA256
b47cf6613733b12bc45ef40475868512631383f66b8474c44655cb66034578bd

SHA512
19b1357eaf5ec57fb3d09f92ccfa5aa3391f837835322d8c15234eda735cc63a83697c85a44eb23af92e3b5f4ef4593a330dd6f8251a454c07c24bf3ba3d4741

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
0c28b318f1ca33379762ae12558b5de9

SHA1
ed7f123a170614d2729d1ad9296db07936b46824

SHA256
46441e49fb6a0dc0427ad0814e8e6d22dc179106a6525d376534bdd0f0dc5fc0

SHA512
27421df34c1d1fc629edd5d56dda32ae669a3a7daa935c56be4e4e4f86c69fe58aad0dc32e663bf181af46dbae646dddd09f24160b3982df0ff202af9f2a66be

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
bf70e2e2a19937d2c2a000e03b4fa5ac

SHA1
440620bb72329675943a5c903d3277103e34dce7

SHA256
2e71e0870f724a8579de8b1c3c9e2a4fa463571ef06ccea8d2eba26779670234

SHA512
56bd7b042b26e429d11f2c8ef2a4d6482feaf1a893e1c70398af793b81bb5586975f02fa7bccf09e6251804769704177be1dd74420e0a613825a9e766874b844

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
9ed74c876a78d77215cd50189a2b1b6d

SHA1
9dd20a65864c88f0f3be88e0b508103294ceacf7

SHA256
fd161c61f80605e6d46bba04fc1872604ed88e4824c435db798647b1725e187e

SHA512
59c27ecc94a9749f1b04af3921e5672bf8282f8d25fabacae51bf0997fbedf966b3c9007df532aed2d928f21407306913eb23dc49bf77fecfe690b2e277d0b81

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
e93c132ab02b34a1be96d3be87f64d87

SHA1
3a78883067b248240d6634a9332b25493d8bc273

SHA256
c292f1281b1b91f0265ad52c8c341278d655a5cbe2d20efd18c5aa73e1ee8138

SHA512
0dd9719c0dd0e5b5dc54cc38c1ef5946b4355c20fcac5d8e387d35cedf6b7ca2cc5a4041fe50111880da98b947cb7a471646789fec98f4fe334089e61f656237

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
7e287724e46e3a5ba51c9e849541a02f

SHA1
499c89d80dc90671b794960d7f147a43575296ef

SHA256
6a6d4c20e3df38844c63f962c6a257e0f4d3f3c8e2043dcf72507e405bd645e4

SHA512
55cf58ee02dcd6dda29dfa31bde13504858f4f534a92cfb6e39e3602593946ebb4fd19b7c753b2f3527c6ada07db7d3600f6eb032beb02adc23c4490bb5fbee0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.9MB

MD5
36a6fee4d39cad0948f57038a7c21d34

SHA1
1fe322593e953924083e711a0f7ec814fdf7760b

SHA256
1f8541a189be0fa60c9df4263fbad9fb318b1cfbb898a3852af0ae04deb8471b

SHA512
696d8a3bdacf84947471d00e3a94eaa040e2f7ef261242a038f45b319983d5ca745eea7fe1e26a2e4fbf3613199e19157c80e65ed1ec6bd05b5dc9262d6b4410

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\1f5d757f0db1005daa2dee10d6117655\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
0357fac505a1028f1b803e4170de3a62

SHA1
0ce8e6445a23e02b8b23e964e3cced0f304f556d

SHA256
c0d079e51a8b642b9e7fea65b241204f4d890ec4f81030b6e1cfc86ac8a2c435

SHA512
ebde8c35ffeb88ffdcf14b0e7ef669acd641822e9b3a919aeb8a29b01237a8b3b44e3a446d4a6b2fb53781e944dee94ae471b94ee12e27a279169d51a87acb12

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9567d875f2c264da853577c693b7a251\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
8b30dc1253c3b2d34d256a82d32a679e

SHA1
266bba23803d18a6cb744880a44b2e997ce1dd1b

SHA256
8779332eafdc04ef8ee0c5e73bb86e9fe0ca6cdd5081465dcebcdb320fcb6bca

SHA512
8c1371de6b59760356725a631334892cc0798f2b6460bd4f102ea352720539cf3b4d2e8ba1d883fd406b9b014ea3b50a0c06265773a8ce6f09142f09ce16ce54

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
593f3d6622e696e62a7f3be2bbd260b8

SHA1
945ec8b9dfaa2491784f0e7dd7cea5e98db68ebd

SHA256
d76abdb820646a795996f736f0a6b95a4f92b4ca9fca0357812992a59ea446a8

SHA512
431b73937cc1424715343debb815b96a7266dedf6454fec41cc20c05bb11588d9e17294742632b8a436e84f32822b101f83f0bd0fe9f5f38a96489bd0ea9ed2c

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
6bd490b5b6df9b307ba4acfe297e59c6

SHA1
d732ff73401f786ce1cae7fa5763e6093db039ce

SHA256
0f321583f9dcc556a7bd93589e67a9b7a68d08844b529eee92374c0ec4dfce88

SHA512
85656a46dbdf1ea9600dec138e97a0848bbb5c60354231c36d5d2e6597c264a37d0f9c7adb80e788fa590f2cd596f04c3b75b4bd41bd9c9721137a6972cb9b35

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
4390da819deccde17e298959084ff8db

SHA1
b3a00db63122ab78cdf81f041d355ff64d2dec70

SHA256
fac6bece013c9d68eff3f5258847e8e20a7baea917b22fa9ae256ff91d6c1dba

SHA512
1296ba9b6d71239d75920a4c5d33b2240429b5e5a244a7fe453f93f0ea12e00a58537de9d873b24ec5ca21cf25c2d57bab083f9e64297555fece3e7adc913798

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
41e9b2812a20ee314794086723fd669e

SHA1
3d2ae41806e70c7c2a75bd56a21dc76057ce9544

SHA256
c9b2fa46b8d3877321e09ec7c3dad77e3b3d51fe6ae78efd81c17fd876ea6509

SHA512
ec6f3ad5d9cbc33ecaa3c4fc9e715794cccdc509b5dba780215587e0a616c81da1ad227b96a2f9c9bd31736c95609ca329f644b1b922817b1ac6d4919caf45fd

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
4f6667a677c8defbbd8fd4cdee980613

SHA1
c67cf06d7ff1ada38a48f2c142fa8fd04ef0ec47

SHA256
348f50038e89e01fec3d8d41784fa080dd8d40ec84e31658611985cca9fd5f0e

SHA512
410ef9b97e586dfac2bc200c996fbdba9fd9be8969c544de18846361f1edb4c36f1aa9dcefbe8ccece3724dd058b52de148f80482b9fcb44237bbb7dc2f66d9f

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
96dae594edcf2c0867386397e1fc9797

SHA1
c0c1aff722e89af9b4009dc110a3c5d197c94884

SHA256
ca9b9124c24a2e8a2480375dba871e5c70d95193653d1de38c527f829a848c7f

SHA512
2d9101f7da4a2e130d54a1dfa5eb28fab13db5436fa06876d09f9c2a1ee7094ba395a68c40d2de69637bb13e09945df8e4225a1d16db81488c0642e2038cf22c

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
76464fc35ff2cd5c0b3fb744cd998227

SHA1
5d22f8960f699ca23109c73a4c1155c451571d11

SHA256
08aba6f272d49bc2b286a8483564aef10bd58170f30d704ad5a84fb56d71f9a2

SHA512
0dcea5d2a9fc32801a2bff06928b0508c497049a74a8f31327e7ed940783592be9f4c9cc46c0da663f175d5958204cb7832b301ee8fc7cfdbaba381dc725eede

Download Submit
memory/704-322-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/704-191-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/704-182-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/704-186-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/1372-521-0x0000000072510000-0x0000000072BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1372-464-0x0000000000BA0000-0x0000000000C07000-memory.dmp

Filesize
412KB

Download
memory/1372-474-0x0000000072510000-0x0000000072BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1372-510-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1572-145-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/1572-296-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1572-144-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1572-151-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/1720-205-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/1720-297-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1720-335-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1720-197-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1720-366-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1768-527-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/1924-161-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/1924-307-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1924-166-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1924-170-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/1944-141-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/1944-108-0x0000000000540000-0x00000000005A7000-memory.dmp

Filesize
412KB

Download
memory/1944-114-0x0000000000540000-0x00000000005A7000-memory.dmp

Filesize
412KB

Download
memory/1944-107-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2128-467-0x0000000072510000-0x0000000072BFE000-memory.dmp

Filesize
6.9MB

Download
memory/2128-462-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2128-446-0x0000000072510000-0x0000000072BFE000-memory.dmp

Filesize
6.9MB

Download
memory/2128-438-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2208-363-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2208-376-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2208-444-0x0000000072510000-0x0000000072BFE000-memory.dmp

Filesize
6.9MB

Download
memory/2208-391-0x0000000072510000-0x0000000072BFE000-memory.dmp

Filesize
6.9MB

Download
memory/2208-435-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2236-356-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/2236-377-0x0000000073AA8000-0x0000000073ABD000-memory.dmp

Filesize
84KB

Download
memory/2236-361-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2236-526-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2236-470-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2236-346-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2236-528-0x0000000073AA8000-0x0000000073ABD000-memory.dmp

Filesize
84KB

Download
memory/2468-453-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/2468-337-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2468-330-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/2492-132-0x0000000000210000-0x0000000000270000-memory.dmp

Filesize
384KB

Download
memory/2492-124-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2492-179-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2492-125-0x0000000000210000-0x0000000000270000-memory.dmp

Filesize
384KB

Download
memory/2504-281-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2504-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2504-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2504-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2504-143-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2532-375-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2532-304-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2532-309-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2632-163-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2632-81-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2632-72-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2632-71-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2772-294-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2772-285-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2772-353-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2776-324-0x0000000000FE0000-0x0000000001040000-memory.dmp

Filesize
384KB

Download
memory/2776-340-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2776-341-0x0000000000FE0000-0x0000000001040000-memory.dmp

Filesize
384KB

Download
memory/2776-318-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2880-96-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/2880-95-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2880-103-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/2880-183-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download