ed41f5bc59d98167e0eb9de4b7b7c9d81635d2ffb773e6e2298f0bd0de5fc121

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 04:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ed41f5bc59d98167e0eb9de4b7b7c9d81635d2ffb773e6e2298f0bd0de5fc121.exe
Size

1.8MB
MD5

0a13ab30eeef6adced06fdb5921da99d
SHA1

17bb9395e5309a2d6b66ffcc579367e19167a7a9
SHA256

ed41f5bc59d98167e0eb9de4b7b7c9d81635d2ffb773e6e2298f0bd0de5fc121
SHA512

7b8d1889fb9725cf96e2f460a78554b657e61bf804df5abf27e7fdac1ec01eef7218eb6aa59b06d191b8f9f785064951dfa6ff1e39cb9f6edaa7633bead281a8
SSDEEP

49152:Qx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAXgFIDRRAubt5M:QvbjVkjjCAzJpUf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
480	Process not Found
2984	alg.exe
2924	aspnet_state.exe
2788	mscorsvw.exe
1428	mscorsvw.exe
340	mscorsvw.exe
1496	mscorsvw.exe
2320	ehRecvr.exe
1352	ehsched.exe
2144	elevation_service.exe
2964	dllhost.exe
2484	GROOVE.EXE
2384	mscorsvw.exe
2916	maintenanceservice.exe
1624	mscorsvw.exe
2168	mscorsvw.exe
2968	OSE.EXE
1800	OSPPSVC.EXE
2260	mscorsvw.exe
1580	mscorsvw.exe
1032	mscorsvw.exe
1872	mscorsvw.exe
576	mscorsvw.exe
1960	mscorsvw.exe
2540	mscorsvw.exe
972	mscorsvw.exe
1084	mscorsvw.exe
1780	mscorsvw.exe
2152	mscorsvw.exe
2008	mscorsvw.exe
2464	mscorsvw.exe
1032	mscorsvw.exe
2692	mscorsvw.exe
1480	mscorsvw.exe
2700	mscorsvw.exe
3004	mscorsvw.exe
1788	mscorsvw.exe
904	mscorsvw.exe
1580	mscorsvw.exe
2160	mscorsvw.exe
576	mscorsvw.exe
2720	mscorsvw.exe
2828	mscorsvw.exe
1652	mscorsvw.exe
2716	mscorsvw.exe
1592	mscorsvw.exe
2024	mscorsvw.exe
1264	mscorsvw.exe
2244	mscorsvw.exe
1304	mscorsvw.exe
1620	mscorsvw.exe
2852	mscorsvw.exe
2296	mscorsvw.exe
1628	mscorsvw.exe
1960	mscorsvw.exe
1776	mscorsvw.exe
1028	mscorsvw.exe
2308	mscorsvw.exe
2888	mscorsvw.exe
2248	mscorsvw.exe
2548	mscorsvw.exe
2176	mscorsvw.exe
2624	mscorsvw.exe
2148	mscorsvw.exe

Loads dropped DLL 51 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
1592	mscorsvw.exe
1592	mscorsvw.exe
1264	mscorsvw.exe
1264	mscorsvw.exe
1304	mscorsvw.exe
1304	mscorsvw.exe
2852	mscorsvw.exe
2852	mscorsvw.exe
1628	mscorsvw.exe
1628	mscorsvw.exe
1776	mscorsvw.exe
1776	mscorsvw.exe
2308	mscorsvw.exe
2308	mscorsvw.exe
2248	mscorsvw.exe
2248	mscorsvw.exe
2176	mscorsvw.exe
2176	mscorsvw.exe
2148	mscorsvw.exe
2148	mscorsvw.exe
2940	mscorsvw.exe
2940	mscorsvw.exe
924	mscorsvw.exe
924	mscorsvw.exe
2120	mscorsvw.exe
2120	mscorsvw.exe
2088	mscorsvw.exe
2088	mscorsvw.exe
2128	mscorsvw.exe
2128	mscorsvw.exe
708	mscorsvw.exe
708	mscorsvw.exe
2428	mscorsvw.exe
2428	mscorsvw.exe
2888	mscorsvw.exe
2888	mscorsvw.exe
1348	mscorsvw.exe
1348	mscorsvw.exe
2720	mscorsvw.exe
2720	mscorsvw.exe
1476	mscorsvw.exe
1476	mscorsvw.exe
3016	mscorsvw.exe
3016	mscorsvw.exe
1592	mscorsvw.exe
1592	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ed41f5bc59d98167e0eb9de4b7b7c9d81635d2ffb773e6e2298f0bd0de5fc121.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	ed41f5bc59d98167e0eb9de4b7b7c9d81635d2ffb773e6e2298f0bd0de5fc121.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ba9ddea73d2ec148.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ed41f5bc59d98167e0eb9de4b7b7c9d81635d2ffb773e6e2298f0bd0de5fc121.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC40.tmp\psmachine_64.dll	ed41f5bc59d98167e0eb9de4b7b7c9d81635d2ffb773e6e2298f0bd0de5fc121.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC40.tmp\psuser.dll	ed41f5bc59d98167e0eb9de4b7b7c9d81635d2ffb773e6e2298f0bd0de5fc121.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC40.tmp\goopdateres_fil.dll	ed41f5bc59d98167e0eb9de4b7b7c9d81635d2ffb773e6e2298f0bd0de5fc121.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC40.tmp\goopdateres_es.dll	ed41f5bc59d98167e0eb9de4b7b7c9d81635d2ffb773e6e2298f0bd0de5fc121.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC40.tmp\goopdateres_fi.dll	ed41f5bc59d98167e0eb9de4b7b7c9d81635d2ffb773e6e2298f0bd0de5fc121.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	ed41f5bc59d98167e0eb9de4b7b7c9d81635d2ffb773e6e2298f0bd0de5fc121.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC40.tmp\goopdateres_fr.dll	ed41f5bc59d98167e0eb9de4b7b7c9d81635d2ffb773e6e2298f0bd0de5fc121.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMC40.tmp\goopdateres_sr.dll	ed41f5bc59d98167e0eb9de4b7b7c9d81635d2ffb773e6e2298f0bd0de5fc121.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	ed41f5bc59d98167e0eb9de4b7b7c9d81635d2ffb773e6e2298f0bd0de5fc121.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9A1D.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index159.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP930C.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index159.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15b.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA489.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	ed41f5bc59d98167e0eb9de4b7b7c9d81635d2ffb773e6e2298f0bd0de5fc121.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	ed41f5bc59d98167e0eb9de4b7b7c9d81635d2ffb773e6e2298f0bd0de5fc121.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9766C60E-5E28-4A89-8418-9DBDA9FE58B9}.crmlog	dllhost.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD375.tmp\ehiActivScp.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8FC1.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB50D.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1300	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2008	ed41f5bc59d98167e0eb9de4b7b7c9d81635d2ffb773e6e2298f0bd0de5fc121.exe
Token: SeShutdownPrivilege	340	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	340	mscorsvw.exe
Token: 33	2428	EhTray.exe
Token: SeIncBasePriorityPrivilege	2428	EhTray.exe
Token: SeDebugPrivilege	1300	ehRec.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	340	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	340	mscorsvw.exe
Token: 33	2428	EhTray.exe
Token: SeIncBasePriorityPrivilege	2428	EhTray.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeDebugPrivilege	2984	alg.exe
Token: SeShutdownPrivilege	340	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeDebugPrivilege	340	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	340	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	340	mscorsvw.exe
Token: SeShutdownPrivilege	340	mscorsvw.exe
Token: SeShutdownPrivilege	340	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe
Token: SeShutdownPrivilege	340	mscorsvw.exe
Token: SeShutdownPrivilege	1496	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2428	EhTray.exe
2428	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2428	EhTray.exe
2428	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 2384	1496	mscorsvw.exe	41
PID 1496 wrote to memory of 2384	1496	mscorsvw.exe	41
PID 1496 wrote to memory of 2384	1496	mscorsvw.exe	41
PID 1496 wrote to memory of 1624	1496	mscorsvw.exe	43
PID 1496 wrote to memory of 1624	1496	mscorsvw.exe	43
PID 1496 wrote to memory of 1624	1496	mscorsvw.exe	43
PID 340 wrote to memory of 2168	340	mscorsvw.exe	44
PID 340 wrote to memory of 2168	340	mscorsvw.exe	44
PID 340 wrote to memory of 2168	340	mscorsvw.exe	44
PID 340 wrote to memory of 2168	340	mscorsvw.exe	44
PID 340 wrote to memory of 2260	340	mscorsvw.exe	47
PID 340 wrote to memory of 2260	340	mscorsvw.exe	47
PID 340 wrote to memory of 2260	340	mscorsvw.exe	47
PID 340 wrote to memory of 2260	340	mscorsvw.exe	47
PID 340 wrote to memory of 1580	340	mscorsvw.exe	48
PID 340 wrote to memory of 1580	340	mscorsvw.exe	48
PID 340 wrote to memory of 1580	340	mscorsvw.exe	48
PID 340 wrote to memory of 1580	340	mscorsvw.exe	48
PID 340 wrote to memory of 1032	340	mscorsvw.exe	60
PID 340 wrote to memory of 1032	340	mscorsvw.exe	60
PID 340 wrote to memory of 1032	340	mscorsvw.exe	60
PID 340 wrote to memory of 1032	340	mscorsvw.exe	60
PID 340 wrote to memory of 1872	340	mscorsvw.exe	50
PID 340 wrote to memory of 1872	340	mscorsvw.exe	50
PID 340 wrote to memory of 1872	340	mscorsvw.exe	50
PID 340 wrote to memory of 1872	340	mscorsvw.exe	50
PID 340 wrote to memory of 576	340	mscorsvw.exe	51
PID 340 wrote to memory of 576	340	mscorsvw.exe	51
PID 340 wrote to memory of 576	340	mscorsvw.exe	51
PID 340 wrote to memory of 576	340	mscorsvw.exe	51
PID 340 wrote to memory of 1960	340	mscorsvw.exe	52
PID 340 wrote to memory of 1960	340	mscorsvw.exe	52
PID 340 wrote to memory of 1960	340	mscorsvw.exe	52
PID 340 wrote to memory of 1960	340	mscorsvw.exe	52
PID 340 wrote to memory of 2540	340	mscorsvw.exe	53
PID 340 wrote to memory of 2540	340	mscorsvw.exe	53
PID 340 wrote to memory of 2540	340	mscorsvw.exe	53
PID 340 wrote to memory of 2540	340	mscorsvw.exe	53
PID 340 wrote to memory of 972	340	mscorsvw.exe	54
PID 340 wrote to memory of 972	340	mscorsvw.exe	54
PID 340 wrote to memory of 972	340	mscorsvw.exe	54
PID 340 wrote to memory of 972	340	mscorsvw.exe	54
PID 340 wrote to memory of 1084	340	mscorsvw.exe	55
PID 340 wrote to memory of 1084	340	mscorsvw.exe	55
PID 340 wrote to memory of 1084	340	mscorsvw.exe	55
PID 340 wrote to memory of 1084	340	mscorsvw.exe	55
PID 340 wrote to memory of 1780	340	mscorsvw.exe	56
PID 340 wrote to memory of 1780	340	mscorsvw.exe	56
PID 340 wrote to memory of 1780	340	mscorsvw.exe	56
PID 340 wrote to memory of 1780	340	mscorsvw.exe	56
PID 340 wrote to memory of 2152	340	mscorsvw.exe	57
PID 340 wrote to memory of 2152	340	mscorsvw.exe	57
PID 340 wrote to memory of 2152	340	mscorsvw.exe	57
PID 340 wrote to memory of 2152	340	mscorsvw.exe	57
PID 340 wrote to memory of 2008	340	mscorsvw.exe	58
PID 340 wrote to memory of 2008	340	mscorsvw.exe	58
PID 340 wrote to memory of 2008	340	mscorsvw.exe	58
PID 340 wrote to memory of 2008	340	mscorsvw.exe	58
PID 340 wrote to memory of 2464	340	mscorsvw.exe	59
PID 340 wrote to memory of 2464	340	mscorsvw.exe	59
PID 340 wrote to memory of 2464	340	mscorsvw.exe	59
PID 340 wrote to memory of 2464	340	mscorsvw.exe	59
PID 340 wrote to memory of 1032	340	mscorsvw.exe	60
PID 340 wrote to memory of 1032	340	mscorsvw.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ed41f5bc59d98167e0eb9de4b7b7c9d81635d2ffb773e6e2298f0bd0de5fc121.exe
"C:\Users\Admin\AppData\Local\Temp\ed41f5bc59d98167e0eb9de4b7b7c9d81635d2ffb773e6e2298f0bd0de5fc121.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2924

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2788

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 24c -NGENProcess 254 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 23c -NGENProcess 1d0 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 25c -NGENProcess 1cc -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1e8 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 254 -NGENProcess 1d0 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 264 -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 260 -NGENProcess 26c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1e8 -NGENProcess 270 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 24c -NGENProcess 274 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 278 -NGENProcess 270 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 25c -NGENProcess 23c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 280 -NGENProcess 1d0 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 274 -NGENProcess 23c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 284 -NGENProcess 25c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 280 -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 26c -NGENProcess 25c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 288 -NGENProcess 294 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 294 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 27c -NGENProcess 26c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 26c -NGENProcess 290 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 28c -NGENProcess 298 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2a0 -NGENProcess 288 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 1e0 -NGENProcess 204 -Pipe 1b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 250 -NGENProcess 240 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 258 -NGENProcess 228 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1e0 -NGENProcess 260 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 244 -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 228 -NGENProcess 268 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 258 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1ac -NGENProcess 26c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 274 -NGENProcess 270 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1304
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 27c -NGENProcess 274 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1e0 -NGENProcess 268 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 228 -NGENProcess 284 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 230 -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 288 -NGENProcess 268 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 278 -NGENProcess 228 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 230 -NGENProcess 290 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 270 -NGENProcess 294 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2308
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 1e0 -NGENProcess 294 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 29c -NGENProcess 298 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 228 -NGENProcess 298 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 270 -NGENProcess 2a0 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 230 -NGENProcess 2a8 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 2ac -NGENProcess 2a0 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 2a4 -NGENProcess 2b0 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  PID:1380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 298 -NGENProcess 2b4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a0 -NGENProcess 2b8 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:2872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2bc -NGENProcess 2b4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 280 -NGENProcess 2c4 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a4 -NGENProcess 290 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2b4 -NGENProcess 2c8 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:1036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2cc -NGENProcess 290 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2c4 -NGENProcess 290 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2a4 -NGENProcess 2d0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2128
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 280 -NGENProcess 2d8 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:1260
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2dc -NGENProcess 2d0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2cc -NGENProcess 290 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 29c -NGENProcess 2d4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:2564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2ec -NGENProcess 2b4 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:1036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 29c -NGENProcess 2f4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d4 -NGENProcess 2f8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2cc -NGENProcess 2f8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:2376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d8 -NGENProcess 300 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 300 -NGENProcess 2fc -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 30c -NGENProcess 300 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2cc -NGENProcess 2e0 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d4 -NGENProcess 310 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:1060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 314 -NGENProcess 2e0 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2f0 -NGENProcess 318 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:2836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2cc -NGENProcess 2e0 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:1340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 2b4 -NGENProcess 320 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 324 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2e0 -NGENProcess 328 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2d8 -NGENProcess 324 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 308 -NGENProcess 330 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:2112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 314 -NGENProcess 334 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 324 -NGENProcess 338 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 33c -NGENProcess 334 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 300 -NGENProcess 340 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 308 -NGENProcess 344 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 334 -NGENProcess 348 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:1084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 340 -NGENProcess 34c -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:1344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 344 -NGENProcess 350 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 354 -NGENProcess 34c -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 320 -NGENProcess 358 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 334 -NGENProcess 35c -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 360 -NGENProcess 358 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 340 -NGENProcess 368 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 340 -NGENProcess 364 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 320 -NGENProcess 36c -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 368 -NGENProcess 370 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1360
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 374 -NGENProcess 36c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2424
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 340 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:1780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 370 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2128
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 36c -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 378 -NGENProcess 384 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 388 -NGENProcess 36c -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 368 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 384 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 36c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 378 -NGENProcess 38c -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:3016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 39c -NGENProcess 340 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 394 -NGENProcess 3a0 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2200
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3a0 -NGENProcess 1a4 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:392
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 398 -NGENProcess 36c -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 394 -NGENProcess 3a8 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3ac -NGENProcess 36c -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:2944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 370 -NGENProcess 3b0 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:1856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 398 -NGENProcess 36c -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 340 -NGENProcess 3b8 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 3a8 -NGENProcess 36c -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3b4 -NGENProcess 3c0 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 38c -NGENProcess 36c -Pipe 1a4 -Comment "NGen Worker Process"
  2⤵
  PID:1760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 3c4 -NGENProcess 3a8 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2260
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3b4 -NGENProcess 3cc -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:1832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3d0 -NGENProcess 3a8 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:392
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3c8 -NGENProcess 3d4 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3c4 -NGENProcess 3a8 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:1476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 398 -NGENProcess 3dc -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3e0 -NGENProcess 3a8 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3d8 -NGENProcess 3e8 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3d8 -NGENProcess 3e4 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:3016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3e4 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:1640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3d0 -NGENProcess 3f4 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3d0 -NGENProcess 3bc -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3c0 -NGENProcess 3fc -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:2928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 448 -NGENProcess 43c -Pipe 440 -Comment "NGen Worker Process"
  2⤵
  PID:1512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 468 -NGENProcess 454 -Pipe 464 -Comment "NGen Worker Process"
  2⤵
  PID:2088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 468 -NGENProcess 448 -Pipe 45c -Comment "NGen Worker Process"
  2⤵
  PID:2108

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1352

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2428

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2144

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2964

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2484

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2916

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2968

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
253eaf32e701f40c4c9357a5efccaaea

SHA1
f08b37bf44c49758aedffe25572d05e254bcbf7c

SHA256
3276e55cd82bb72e3f02bc59d1f955a60beda2ed8b4300959dc004a30050575f

SHA512
dbf83223fb42aaca4210df12c20bfba8aa8ebff68433429b3764fdcff3a586134a6838968780eed5ed24507332ae7075245478abf8eea533759bbe8d040209e9

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
8df47c5c59a3a50d61decfbfe705e841

SHA1
b77f2c8a529ae2e5aa317ef25afe80809d5e8c92

SHA256
64561caebec6dee866ecec335cb331697111904fcebd2067264f5349f25e85d0

SHA512
fcc13aace7f830193932461e1f6255547d10142dd295943deb27b32da5fd83fa4ea2e5e2f490dfb7ddcdb573c31a32e99018735dc3c7f5e221f3502b304423d2

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
010d08020b5e45d32e14711a9c4d7d32

SHA1
30c06d354dc5200e0d2e64a2e36e19420ebe92df

SHA256
7afb343fe49e8d89133c0744d092fba3c8fa2170700953776d5286cfda97786d

SHA512
42e67c2a582203dd05076283dbd86218eb134b77f6fef8422d5f08e22740ecabc6a4a0a66192dd6ddbcaa0ca42c4081b348b2e9547ed0011117aa00850ce3eba

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
2e8252b2ff4032f32ead3276bf23edf5

SHA1
0cff561ddf427332bd37e8c983cf030a050efd42

SHA256
7d3d2e75ee1801688b2874243bd68be5c0fafc84f0bea28d98c07b686ed02ace

SHA512
490d629f33c1e700d76dac42d57d7b41fd3ba47ad82aea37864e4dd6bb3e8f983db974848d4bfab26aa7b938c0b09934f7d63295cb5f23162f804f76cba47cc9

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
74760c834f8fbb2cea7bb5e30d4c33f1

SHA1
ffbc3094f1884013111bf72eb1ae757618351d44

SHA256
4db00d6c5ac54a3ab14985d0a4627bcfdefc497085c97d74ef112c73c3d7a15e

SHA512
6432211c0b9c02c28c4d056eb716ec4266a3fb103e118a4c0720c5a1f9c5e154cadc82a34edcbc3375673e9a37512109dca48981d7f7d9b996a5b0f3ff865ef9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
444fe9c95d0ada868ee858254dc21404

SHA1
5548087613df67d3cbee60face50e285bb4cba03

SHA256
2ed4af200a714d025b65f390e3207b50c45b08ba7b48538767eb4a60471770d8

SHA512
4a3a475be015e2b6b097c73bd7d809dd0ebb06fed8a0d9630b7ecdbb020503aaed5f820b1b689be622edd3f69debc55f3e82fed50e2ad609696eb86fe863cd5b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
b0affcb25697ef16b2a049a12783fb0d

SHA1
51aa47eac8eba0ea859e14a5f1703692db6ce08e

SHA256
56d5cab4d41cf7bab09f557198fcb9f751fbb90a03941405e5c3382d0b3a774b

SHA512
7a9a5ec5f64f64ad40ca50ad567a05b037827530344ff0721a2802af458bad2d0fdb4921d2fdcab8b608da6afb4494de444f452f46dc43e4de2fd7fa9ae55aba

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
b3cd00bdd03982657672d2f4471e44f1

SHA1
2bad4b289560d138cd4d9acfe4bd9bb2962bc745

SHA256
82a34896607353241e3bd588ebf25b4e9ef25fe8bb5d150175fb39ad57d1c11d

SHA512
a9906cc03184bb20ac4224cf877699b4dc66fe3183dab2151020c161b1dcd3c08150c169482f47901987272f2575a72c5ed015a8722ca83361831de718c0e7f1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e8f3f9c71e022e3704345d504cff25cb

SHA1
d51f85b5d3019363b8289f2cdc74b121286c5cf8

SHA256
0cf8d4da6938082fbd5398ad6c7880e7ae3a6a852c70b54c54f61a7560b4601f

SHA512
fa7c4b5f80d57ce6aa173b688fbe97d86f06598e008446d01c0fd9ec959c16b1a8dc7fd2d404810ed9077e5659dfcfb3e57a06783cdca355f819ee2ed4f16c55

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0aef9b8a91cd07892a1c23e8203a1254

SHA1
f5146660af0e82b96af6a184c2b4ef63c2839beb

SHA256
9998f3a62146184482cf6b894defec1551de283225cf86c41c85e66285242c14

SHA512
b1799f0ae48cebc5de0262f5749bb873393396368264092d9d7814273bdf619e17b6978c02699031cef3ca17e5dcbaa07714ee1f3187b6dd5979ce04589d1c2a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
783a96ae4a79d9ae0debedfa0158329d

SHA1
13d3df13922ed6dca1efd2a46199a3a93bf37e53

SHA256
1eff5102270d70aa3ad2bd1650ed2dc60236e659c7fa3fc34b96fd24bc126d6e

SHA512
ef33239825c36a70606b2ca9b3b891888cfb6fff13351f22dd6d8878459058a9b55dc8d929faea883b22b9d3cfde5de032967ee2769424e5277d09a51ee1e740

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
fd3a7f0d9c4b919c12eabe4087e4f63a

SHA1
571ea59731064ab6e050d16d282d5c99fde7e1d1

SHA256
f33ad53e9df2a5260297a8cdc7c453a3bf97aff499dca87b72485c464ca868b9

SHA512
97b99a2ca2ae3fc5b236527c1f3186eda30f2655ffcf8362e021b23450aacd92d73cc0983e6943b6179e0a2a3b4260e92fa952fdf3688b2b30748433ee97a0bc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
d332c59941529e1fcb9051824db8f28c

SHA1
4700170150b66c58e8df98f492656ed24dab22d3

SHA256
f4d7bee33dccad5b404c2ed776243f294dd80a534d71c68e87ed3c949c3e9d1c

SHA512
5abb8588ca5f3304bc80d6f84f1fc050b251d7664f4a83f3f710233a73792f96e66ea2231e6e267e5cdc82c6e5431e1f4007ac40f2c1f29fc76a7f84e7e5a3bf

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
1afd2505f2a94cd6b02078e21c61ee33

SHA1
6a20cb0e3d1e457d42ed38f8e159aaaa6adbb663

SHA256
002acf0479c08489d68d01ff82b554e60c0c24247666755c4d4a2aa4ccd29694

SHA512
78ad94f06c08e28f5e6ad9a3170ece81d942bf43d10b907f5b57f187ab6232c2862adf91af168d0d8165901882d69f662cbeb3d2efbf2058791c2984977ea30a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
0d9cd7cad5612210fcc345474c4f8f69

SHA1
04d41009d8277b7eb312d1763906728bcb9cc649

SHA256
0f6d52fa73608749b2f94a10e2b5ce90639fce1401cce6734104d521d0e6f76a

SHA512
53774a65fd0aa3152bff1c7b402845072dbc1e437c6fdcdbc249162a021aebf624e839a2c065e03c4f7c89db4efba862786fbde4ed9082de00e05c84da283be2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
c0afa56f3f004247b3b3b4704e04722e

SHA1
0e8b63e79923d717ff274436e4353d9119929da5

SHA256
bfabafed716ed27c926bc0db28a84eb6ae4b872cabefd8dd0ef2fe8b58a3918e

SHA512
473b64d826057d57d6b1e3da975b77b18e8758ef92e657853aa2bbf328338e03f7d9247249e0ac83853b2979271261344ae10268bc6d085526c720ddb318d0f2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
8e0203a679ffae14e9f92b0be71d204a

SHA1
caa4f393a6a622bf406dde5b5ebbfee9ef3e21f6

SHA256
78af08130d6ec054108cea3be7c0745fb3d09f753de16b68d0788dd4af7ad7b6

SHA512
b35a7c08a2ada4a34db943fb84f1aff49128ec9fcf7f61d091314d0f7ea538f793177c80dd5695467663a8c8a2ec4e0640a7ceb99b7b26595e3ba813a8100a2f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
ed38feaac31ab55e0efc686586678fbf

SHA1
25f7585be1a2030727f0b44204e14128bfc9bc3d

SHA256
8f18aca26c726f4e62c9ae40914fb2ad08e0d91f523658cd819133433b518697

SHA512
7e6ba386dc545c55d95cdaeab1c6c2a0c36fe82e121426bf2b7720f3a02ea4fd5dc267640f0204df26ff825d7d26671ad136117da3ea938368be8f28bea895c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
fae42473d4c4a9d5b48e0539b4f3957d

SHA1
64bb3fca1acebc4d10edda30414dae81fbe318d9

SHA256
2aadc197e6ea90689be3a98384565015e9e1b0b96f82e58f266a7e198f0d590b

SHA512
1a307d45e7ea047e411c39e7cc4e0713570f2b5a92d1a4e7ea10d81e0c73c016cc197d2c84be0d743151b0f367a68159312692d4165cb2ba651a5b651bb45246

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
545524a2f9b907d7726925a99bbed533

SHA1
559ad245ceec8c1fd9284ed9d5e6cd28d477273c

SHA256
fd76ea599922e6af5656b13cbc9c119fffc38728375b5f915bceb714bc3937df

SHA512
5893d0ff10a6e9fcc1a55d2bcd9498d3f07bf5e683e49296ef65e45d7adf36dccc2053327760b9d240b582c109313e751e8e1bf1f14ba1daf898a9b6c694de61

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
318b2a6312dc4e4bbdc79cc9a91ca287

SHA1
2a0f857841be766c7bbaeff02ec0598d9544791b

SHA256
21186f91df7102b01d58563113b808b848f45902fd9adf752633a7db23bbb6b7

SHA512
4ac99b0ee545e67dd5875b4ad462654b9a43227080a815577951c3bff52e0828c66381ee9b2a191c706e8a549f05a230100038982c1ec2b6d00c6a222773c58c

Download Submit
C:\Windows\Temp\Cab251D.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar2696.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
1.1MB

MD5
7835e60e560a49049ae728698da3d301

SHA1
87b357b1b3c9a2ad2f3b89b10a42af021ab76afe

SHA256
df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa

SHA512
b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
238KB

MD5
0a4ed78b7995d94fa42379f84cd5f8e9

SHA1
90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b

SHA256
0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86

SHA512
86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\3e56638f8ad34d8652cf514c804f277d\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
b8294d3f396ac05e6a94291a0b5ceea1

SHA1
1fdbf4fb99a1afeb7a22d9e574fc863e58a75e25

SHA256
dcc11a365e76368f77c3ad38138970e51ff0ec823d3b21437e9662faf9dfcf52

SHA512
ec5d47ebd7f555e287cfb7a3206f0d4b0648f35ea550a05500908b5b86bf72469974e7e3199eb62511867dacaf42e8f62fbaaebfe3413c1d3f0f6b7f7e775670

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\c892f196481c5bb1348fb17f181e5837\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
955125c0f067846c86e74e8abc6d7563

SHA1
bb01649f256c74f5f9d0e73f9dc0b3e53db3cab6

SHA256
1a6bff76400684f9670325349ca602fa37c4647e08d2bf1e8280bdb659f1d97c

SHA512
68d2e426326ffc43c0c5a8db1d9ed6c804a1dc89420889cedca3b465715f34dbb267ed51c5fc354387ab7746bf362e8799c7622a038f03ebac6ad9037c756cc9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\d43c7f750b31be3bf4c71e342792e761\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
177f87616e1eca707ca1aefc8f7029a1

SHA1
7cd8d029bc55d79ecd4c5d65c05a4efe8cf65514

SHA256
58155237e01b8238b2ac0d291d41e8335e69f8cb8ac92a00229eb2b13172c74e

SHA512
c5c0fd77bf9c66d997c9f1a5496eae2f9dc1e6fa26f87aa6f9425445d39bd353307de5c2a95c79b39556eeaa8fa4add711551a47779fbf5c1894395bdec39faf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\e7a4ee3a106a5d778297ca7f6aaf4f04\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
15bfe37697fd1b57a1e98adb5203573d

SHA1
95618c0990963d9f7ac7219fcf45df56ffe7c914

SHA256
3538000f973e489822d715e798eb45023d05b4b17f4123c0a5e91f76439f6d8c

SHA512
a067fbd4facce9070cd95277e0ea66ddc397b5d07f80d108d5889165c7e1b584f686257cda2dd6e76a23238306047089db890fca2463b3720b18e099fbde5e05

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
5ec48f19dc2499486f43df1d92ee51ed

SHA1
275a70cf52dc9d59b079202d76f85f80d6cb1eab

SHA256
c8eebf5a9a734b8292a6a735dc7ec90a2a9bd39bf87b9d32baba5ebcf2b12b42

SHA512
4e8abbe6d056dd5ba9fe589aad601a526a11ab7626fded1b817a0a3a8eeee5a0f7b9fcadb4e146156ad90987dc7b11efecdd995126159ee4e10ca6816cc813e0

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
449a8eb534b837e04d3017f33266decd

SHA1
7b8365b958df858c6abf971a77a7ba374ad45bc9

SHA256
3f6cc9ef60881801b16ab509ec03e13e06c7449754da53fb7a38f71d5f19d498

SHA512
6ea3e3501eab20da11055e5243ab4044e8f46e34887ea1d5e6dc5bff4c92c5a9b63ff0087055492f1e3eb32ee976398e16039f266a03549243c58d9b2882668e

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
5ba94ce32c250aee5ad2c5817883b68b

SHA1
b42e99b3f544160f11a10b7d296deb1a83dc1648

SHA256
65c5bb7b653419bff060a148e79f4e27aba3ba3eebe4cc9b45644c65ce58c227

SHA512
382ca478bf5b59d576fb9e421e7d6cd031d4a7b889fcef3a25dcef84f670ec39d2afde0f0d8ce364fbd1b0c99a7e5024cfdf4f27e985e5faf724d40742f66d54

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
f1250090813e6405259fbcbcbd0928c4

SHA1
a90af68a3e432b67af4e84a717238852e93c72f5

SHA256
a1c8ed055f9f35e6297ff7dded53b92d4b558ede0b7a4fe82976d28622543a90

SHA512
3776e653a3181e3f5e0b26f850752638f6325ddd0ee14aa798b4ab0f510043eef8e25a81d2e0b7a9b13ea1b66434172ba1baeb14b190b3db377f286f9837cd9b

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
e0935b32d0e4369a066a3ed1a464f7fb

SHA1
93b51eef8591be59f8fd9d2c64577657cf41ab27

SHA256
511f40b37b019e77e98d4d3aceb3053caf3360ecc955f0374a3a96821c38959e

SHA512
f0e5932a4d676329e148fc1f5a12b7db33b7be085250f9877fa2f847bd3e0a3b7539769fd783ff92cb7cce0335b5c38173d96ea14655ac5e2b489c359e04daac

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
5b8365cc10ee5dc02a6184d8c8c8a283

SHA1
d6be6a946385efa6869cf3313ade654392b897df

SHA256
a72496474c1087847907872d81e716089409eb51fd5c71ac54455395b56edf90

SHA512
21b9ba174eefc058bfd7a46e444b70589315f046634a65b73a1bfc4738e67c9024aea34b72063edd624fb9b044e16b33f1e383e035172d68418717aa50577a34

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
c7b6834f478d8ff4252a9c393160feda

SHA1
a6a0105ee4ec08094aa0cb0d85aa29dec9beddd9

SHA256
d88ca4176fe6a06abe2221b0ed4e6638550e743148ccf4df20023ae4b211d6ed

SHA512
36a63dabde48a7fc77b65d42f9f84a4f09bf738ab9f0a458569c076d6727760f1d5bb905679f27a9c6b2729b15e9196a326915653045d6a4de35791e001a0dbf

Download Submit
memory/340-119-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/340-272-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/340-120-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/340-125-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1300-291-0x000007FEF4510000-0x000007FEF4EAD000-memory.dmp

Filesize
9.6MB

Download
memory/1300-289-0x000007FEF4510000-0x000007FEF4EAD000-memory.dmp

Filesize
9.6MB

Download
memory/1300-325-0x0000000000D80000-0x0000000000E00000-memory.dmp

Filesize
512KB

Download
memory/1300-287-0x0000000000D80000-0x0000000000E00000-memory.dmp

Filesize
512KB

Download
memory/1300-404-0x0000000000D80000-0x0000000000E00000-memory.dmp

Filesize
512KB

Download
memory/1300-360-0x000007FEF4510000-0x000007FEF4EAD000-memory.dmp

Filesize
9.6MB

Download
memory/1300-343-0x000007FEF4510000-0x000007FEF4EAD000-memory.dmp

Filesize
9.6MB

Download
memory/1352-173-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/1352-181-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/1352-180-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/1352-174-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1352-314-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1428-148-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1428-111-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1496-145-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/1496-137-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/1496-285-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1496-139-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1624-339-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1624-352-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1624-353-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1624-349-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/1624-344-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/1624-329-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1800-410-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1800-411-0x0000000000360000-0x00000000003C0000-memory.dmp

Filesize
384KB

Download
memory/1800-429-0x0000000073F68000-0x0000000073F7D000-memory.dmp

Filesize
84KB

Download
memory/2008-138-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2008-0-0x0000000001E40000-0x0000000001EA7000-memory.dmp

Filesize
412KB

Download
memory/2008-6-0x0000000001E40000-0x0000000001EA7000-memory.dmp

Filesize
412KB

Download
memory/2008-270-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2008-1-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2144-324-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2144-189-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/2144-192-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2144-273-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/2168-372-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2168-403-0x0000000072C10000-0x00000000732FE000-memory.dmp

Filesize
6.9MB

Download
memory/2168-369-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2320-160-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2320-186-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2320-293-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2320-158-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/2320-166-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/2320-182-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2320-183-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/2384-340-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2384-323-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2384-341-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2384-342-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2384-315-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2384-317-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2484-300-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2484-304-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2484-368-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2788-96-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2788-154-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2788-97-0x0000000000640000-0x00000000006A7000-memory.dmp

Filesize
412KB

Download
memory/2788-103-0x0000000000640000-0x00000000006A7000-memory.dmp

Filesize
412KB

Download
memory/2916-389-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2916-376-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2916-385-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2916-320-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2916-390-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2924-85-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2924-172-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2964-277-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2964-286-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/2964-337-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2968-383-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2968-378-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2984-157-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2984-47-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/2984-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2984-12-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download