8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac

Analysis

max time kernel
145s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
23/04/2024, 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
Size

1.8MB
MD5

dab7962079fb26ab3a8c849ce49e1088
SHA1

b05354ffa9f3b97626fb4dcad317329d3df1baf0
SHA256

8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac
SHA512

f96a24842168c912547cde6f56daac89abc051b476d036211d6011c8064769a8f40fcec1b5ce155720e68a7d4f05ecdf4277027acae0ecb5b837c7eeceb7a39e
SSDEEP

49152:fKJ0WR7AFPyyiSruXKpk3WFDL9zxnSf5UbU62FAQ228QKl:fKlBAFPydSS6W6X9lnyqj2FAQL

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
480	Process not Found
2936	alg.exe
340	aspnet_state.exe
2384	mscorsvw.exe
1892	mscorsvw.exe
1356	mscorsvw.exe
2068	mscorsvw.exe
584	ehRecvr.exe
2364	ehsched.exe
1532	elevation_service.exe
1652	IEEtwCollector.exe
1424	GROOVE.EXE
2976	maintenanceservice.exe
2700	msdtc.exe
2452	msiexec.exe
1568	OSE.EXE
308	OSPPSVC.EXE
1364	perfhost.exe
2492	locator.exe
844	snmptrap.exe
2632	vds.exe
3060	vssvc.exe
2540	wbengine.exe
2432	WmiApSrv.exe
1844	wmpnetwk.exe
1616	SearchIndexer.exe
1600	dllhost.exe
1460	mscorsvw.exe
1540	mscorsvw.exe
1580	mscorsvw.exe
2960	mscorsvw.exe
1676	mscorsvw.exe
2328	mscorsvw.exe
2140	mscorsvw.exe
2436	mscorsvw.exe
1540	mscorsvw.exe
2448	mscorsvw.exe
884	mscorsvw.exe
2920	mscorsvw.exe
1368	mscorsvw.exe
2444	mscorsvw.exe
468	mscorsvw.exe
808	mscorsvw.exe
2224	mscorsvw.exe
1748	mscorsvw.exe
2524	mscorsvw.exe
2324	mscorsvw.exe
2140	mscorsvw.exe
2448	mscorsvw.exe
748	mscorsvw.exe
2364	mscorsvw.exe
2092	mscorsvw.exe
1896	mscorsvw.exe
2436	mscorsvw.exe
888	mscorsvw.exe
1888	mscorsvw.exe
908	mscorsvw.exe
2836	mscorsvw.exe
3040	mscorsvw.exe
2096	mscorsvw.exe
1580	mscorsvw.exe
2812	mscorsvw.exe
1228	mscorsvw.exe
1264	mscorsvw.exe

Loads dropped DLL 64 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2452	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
752	Process not Found
480	Process not Found
908	mscorsvw.exe
908	mscorsvw.exe
3040	mscorsvw.exe
3040	mscorsvw.exe
1580	mscorsvw.exe
1580	mscorsvw.exe
1228	mscorsvw.exe
1228	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2876	mscorsvw.exe
2876	mscorsvw.exe
2776	mscorsvw.exe
2776	mscorsvw.exe
2316	mscorsvw.exe
2316	mscorsvw.exe
2328	mscorsvw.exe
2328	mscorsvw.exe
2304	mscorsvw.exe
2304	mscorsvw.exe
1376	mscorsvw.exe
1376	mscorsvw.exe
2376	mscorsvw.exe
2376	mscorsvw.exe
828	mscorsvw.exe
828	mscorsvw.exe
1740	mscorsvw.exe
1740	mscorsvw.exe
2472	mscorsvw.exe
2472	mscorsvw.exe
2272	mscorsvw.exe
2272	mscorsvw.exe
2200	mscorsvw.exe
2200	mscorsvw.exe
1228	mscorsvw.exe
1228	mscorsvw.exe
2836	mscorsvw.exe
2836	mscorsvw.exe
2640	mscorsvw.exe
2640	mscorsvw.exe
1464	mscorsvw.exe
1464	mscorsvw.exe
2276	mscorsvw.exe
2276	mscorsvw.exe
1204	mscorsvw.exe
1204	mscorsvw.exe
1100	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ab51a021bfe435d8.bin	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\snmptrap.exe	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File opened for modification	C:\Windows\system32\wbengine.exe	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File opened for modification	C:\Windows\system32\locator.exe	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\alg.exe	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM122A.tmp\goopdateres_bg.dll	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File created	C:\Program Files (x86)\Google\Temp\GUM122A.tmp\goopdateres_iw.dll	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM122A.tmp\GoogleUpdate.exe	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File created	C:\Program Files (x86)\Google\Temp\GUM122A.tmp\goopdateres_ja.dll	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM122A.tmp\goopdateres_te.dll	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM122A.tmp\goopdateres_is.dll	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM122A.tmp\GoogleUpdateOnDemand.exe	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File created	C:\Program Files (x86)\Google\Temp\GUM122A.tmp\goopdateres_fa.dll	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM122A.tmp\GoogleUpdateSetup.exe	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP905D.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15c.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPF5C.tmp\Microsoft.Office.Tools.Excel.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9888.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8DDE.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB00D.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator."	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\DVD Maker\DVDMaker.exe,-61403 = "Windows DVD Maker"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msinfo32.exe,-100 = "System Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103 = "Disk Defragmenter"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mstsc.exe,-4000 = "Remote Desktop Connection"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0d5e7001e95da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003042fd001e95da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\MdSched.exe,-4002 = "Check your computer for memory problems."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32822 = "Everywhere"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
748	ehRec.exe
340	aspnet_state.exe
340	aspnet_state.exe
340	aspnet_state.exe
340	aspnet_state.exe
340	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1776	8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	1356	mscorsvw.exe
Token: 33	1464	EhTray.exe
Token: SeIncBasePriorityPrivilege	1464	EhTray.exe
Token: SeDebugPrivilege	748	ehRec.exe
Token: SeRestorePrivilege	2452	msiexec.exe
Token: SeTakeOwnershipPrivilege	2452	msiexec.exe
Token: SeSecurityPrivilege	2452	msiexec.exe
Token: 33	1464	EhTray.exe
Token: SeIncBasePriorityPrivilege	1464	EhTray.exe
Token: SeBackupPrivilege	3060	vssvc.exe
Token: SeRestorePrivilege	3060	vssvc.exe
Token: SeAuditPrivilege	3060	vssvc.exe
Token: SeBackupPrivilege	2540	wbengine.exe
Token: SeRestorePrivilege	2540	wbengine.exe
Token: SeSecurityPrivilege	2540	wbengine.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	1356	mscorsvw.exe
Token: 33	1844	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1844	wmpnetwk.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	1356	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	1356	mscorsvw.exe
Token: SeManageVolumePrivilege	1616	SearchIndexer.exe
Token: 33	1616	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1616	SearchIndexer.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeDebugPrivilege	2936	alg.exe
Token: SeShutdownPrivilege	1356	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeDebugPrivilege	340	aspnet_state.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	1356	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	1356	mscorsvw.exe
Token: SeShutdownPrivilege	1356	mscorsvw.exe
Token: SeShutdownPrivilege	1356	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1464	EhTray.exe
1464	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1464	EhTray.exe
1464	EhTray.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2136	SearchProtocolHost.exe
2136	SearchProtocolHost.exe
2136	SearchProtocolHost.exe
2136	SearchProtocolHost.exe
2136	SearchProtocolHost.exe
2136	SearchProtocolHost.exe
2136	SearchProtocolHost.exe
2136	SearchProtocolHost.exe
2136	SearchProtocolHost.exe
2136	SearchProtocolHost.exe
2136	SearchProtocolHost.exe
2136	SearchProtocolHost.exe
2136	SearchProtocolHost.exe
2136	SearchProtocolHost.exe
2136	SearchProtocolHost.exe
2136	SearchProtocolHost.exe
2136	SearchProtocolHost.exe
2136	SearchProtocolHost.exe
2136	SearchProtocolHost.exe
2136	SearchProtocolHost.exe
2136	SearchProtocolHost.exe
2136	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 1460	2068	mscorsvw.exe	57
PID 2068 wrote to memory of 1460	2068	mscorsvw.exe	57
PID 2068 wrote to memory of 1460	2068	mscorsvw.exe	57
PID 1616 wrote to memory of 2136	1616	SearchIndexer.exe	58
PID 1616 wrote to memory of 2136	1616	SearchIndexer.exe	58
PID 1616 wrote to memory of 2136	1616	SearchIndexer.exe	58
PID 1616 wrote to memory of 1668	1616	SearchIndexer.exe	59
PID 1616 wrote to memory of 1668	1616	SearchIndexer.exe	59
PID 1616 wrote to memory of 1668	1616	SearchIndexer.exe	59
PID 2068 wrote to memory of 1540	2068	mscorsvw.exe	67
PID 2068 wrote to memory of 1540	2068	mscorsvw.exe	67
PID 2068 wrote to memory of 1540	2068	mscorsvw.exe	67
PID 1356 wrote to memory of 1580	1356	mscorsvw.exe	61
PID 1356 wrote to memory of 1580	1356	mscorsvw.exe	61
PID 1356 wrote to memory of 1580	1356	mscorsvw.exe	61
PID 1356 wrote to memory of 1580	1356	mscorsvw.exe	61
PID 1356 wrote to memory of 2960	1356	mscorsvw.exe	62
PID 1356 wrote to memory of 2960	1356	mscorsvw.exe	62
PID 1356 wrote to memory of 2960	1356	mscorsvw.exe	62
PID 1356 wrote to memory of 2960	1356	mscorsvw.exe	62
PID 1356 wrote to memory of 1676	1356	mscorsvw.exe	63
PID 1356 wrote to memory of 1676	1356	mscorsvw.exe	63
PID 1356 wrote to memory of 1676	1356	mscorsvw.exe	63
PID 1356 wrote to memory of 1676	1356	mscorsvw.exe	63
PID 1356 wrote to memory of 2328	1356	mscorsvw.exe	64
PID 1356 wrote to memory of 2328	1356	mscorsvw.exe	64
PID 1356 wrote to memory of 2328	1356	mscorsvw.exe	64
PID 1356 wrote to memory of 2328	1356	mscorsvw.exe	64
PID 1356 wrote to memory of 2140	1356	mscorsvw.exe	65
PID 1356 wrote to memory of 2140	1356	mscorsvw.exe	65
PID 1356 wrote to memory of 2140	1356	mscorsvw.exe	65
PID 1356 wrote to memory of 2140	1356	mscorsvw.exe	65
PID 1356 wrote to memory of 2436	1356	mscorsvw.exe	66
PID 1356 wrote to memory of 2436	1356	mscorsvw.exe	66
PID 1356 wrote to memory of 2436	1356	mscorsvw.exe	66
PID 1356 wrote to memory of 2436	1356	mscorsvw.exe	66
PID 1356 wrote to memory of 1540	1356	mscorsvw.exe	67
PID 1356 wrote to memory of 1540	1356	mscorsvw.exe	67
PID 1356 wrote to memory of 1540	1356	mscorsvw.exe	67
PID 1356 wrote to memory of 1540	1356	mscorsvw.exe	67
PID 1356 wrote to memory of 2448	1356	mscorsvw.exe	68
PID 1356 wrote to memory of 2448	1356	mscorsvw.exe	68
PID 1356 wrote to memory of 2448	1356	mscorsvw.exe	68
PID 1356 wrote to memory of 2448	1356	mscorsvw.exe	68
PID 1356 wrote to memory of 884	1356	mscorsvw.exe	69
PID 1356 wrote to memory of 884	1356	mscorsvw.exe	69
PID 1356 wrote to memory of 884	1356	mscorsvw.exe	69
PID 1356 wrote to memory of 884	1356	mscorsvw.exe	69
PID 1356 wrote to memory of 2920	1356	mscorsvw.exe	70
PID 1356 wrote to memory of 2920	1356	mscorsvw.exe	70
PID 1356 wrote to memory of 2920	1356	mscorsvw.exe	70
PID 1356 wrote to memory of 2920	1356	mscorsvw.exe	70
PID 1356 wrote to memory of 1368	1356	mscorsvw.exe	71
PID 1356 wrote to memory of 1368	1356	mscorsvw.exe	71
PID 1356 wrote to memory of 1368	1356	mscorsvw.exe	71
PID 1356 wrote to memory of 1368	1356	mscorsvw.exe	71
PID 1356 wrote to memory of 2444	1356	mscorsvw.exe	72
PID 1356 wrote to memory of 2444	1356	mscorsvw.exe	72
PID 1356 wrote to memory of 2444	1356	mscorsvw.exe	72
PID 1356 wrote to memory of 2444	1356	mscorsvw.exe	72
PID 1356 wrote to memory of 468	1356	mscorsvw.exe	73
PID 1356 wrote to memory of 468	1356	mscorsvw.exe	73
PID 1356 wrote to memory of 468	1356	mscorsvw.exe	73
PID 1356 wrote to memory of 468	1356	mscorsvw.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe
"C:\Users\Admin\AppData\Local\Temp\8abd31e1b8ecb09882eb8aa5c7258cb5cccb807f7e51f1a984acb10a0b4b63ac.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:340

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2384

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 1d0 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 240 -NGENProcess 248 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 268 -NGENProcess 254 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 268 -NGENProcess 240 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 268 -NGENProcess 26c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 240 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 258 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 280 -NGENProcess 278 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 280 -NGENProcess 284 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 280 -NGENProcess 260 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 294 -NGENProcess 284 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 290 -NGENProcess 298 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 290 -NGENProcess 280 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 290 -NGENProcess 260 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 288 -NGENProcess 2a0 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 280 -NGENProcess 2a4 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 274 -NGENProcess 2a0 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2b0 -NGENProcess 284 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 294 -NGENProcess 274 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 290 -NGENProcess 294 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2092

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1e0 -NGENProcess 204 -Pipe 1b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 258 -NGENProcess 234 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 248 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1ac -NGENProcess 24c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 258 -NGENProcess 26c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 26c -NGENProcess 264 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1ac -NGENProcess 278 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 258 -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1e0 -NGENProcess 280 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 23c -NGENProcess 280 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 26c -NGENProcess 284 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 278 -NGENProcess 284 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 27c -NGENProcess 28c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 288 -NGENProcess 290 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:2096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 23c -NGENProcess 294 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 294 -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:1056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 26c -NGENProcess 29c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  PID:1920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 29c -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 29c -NGENProcess 26c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2876
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 26c -NGENProcess 298 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 27c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 27c -NGENProcess 2b0 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:2908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 284 -NGENProcess 2b8 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2a0 -NGENProcess 2b8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:2208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 280 -NGENProcess 2bc -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2bc -NGENProcess 2a8 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:2028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 27c -NGENProcess 2c4 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2304
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2c4 -NGENProcess 2a0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:2688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 298 -NGENProcess 29c -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2d0 -NGENProcess 2b4 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:2328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 27c -NGENProcess 2d4 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 29c -NGENProcess 2dc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2dc -NGENProcess 2d8 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 298 -NGENProcess 2e4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 27c -NGENProcess 2e8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2d8 -NGENProcess 2ec -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c4 -NGENProcess 2e8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2f4 -NGENProcess 27c -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 298 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:2204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2c8 -NGENProcess 2c4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 300 -NGENProcess 2ec -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2ec -NGENProcess 2f8 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 27c -NGENProcess 308 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2200
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 308 -NGENProcess 2fc -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 284 -NGENProcess 2d8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 27c -NGENProcess 314 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:1036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 318 -NGENProcess 2e4 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2d8 -NGENProcess 31c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:2716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2fc -NGENProcess 320 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:1264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 324 -NGENProcess 31c -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:2524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 318 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2fc -NGENProcess 32c -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 310 -NGENProcess 318 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:2920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 2d8 -NGENProcess 334 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:1976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 328 -NGENProcess 338 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 318 -NGENProcess 33c -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 2e4 -NGENProcess 338 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 284 -NGENProcess 344 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2324
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 328 -NGENProcess 348 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 338 -NGENProcess 34c -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 344 -NGENProcess 350 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 348 -NGENProcess 354 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 34c -NGENProcess 358 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 350 -NGENProcess 35c -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:1564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 334 -NGENProcess 360 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:1376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 358 -NGENProcess 364 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 344 -NGENProcess 360 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 360 -NGENProcess 338 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 350 -NGENProcess 338 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 35c -NGENProcess 34c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 36c -NGENProcess 338 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 378 -NGENProcess 350 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 364 -NGENProcess 380 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:1492
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 358 -NGENProcess 350 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 388 -NGENProcess 378 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 338 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 358 -NGENProcess 390 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 394 -NGENProcess 338 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:1976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 378 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 350 -NGENProcess 358 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 38c -NGENProcess 398 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 394 -NGENProcess 3a4 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:1288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 35c -NGENProcess 3a8 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 398 -NGENProcess 3ac -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:2876
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 3a4 -NGENProcess 3b0 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 3a8 -NGENProcess 3b4 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:1044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3b8 -NGENProcess 3b0 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 380 -NGENProcess 3bc -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:2812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 398 -NGENProcess 3c0 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:3040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 35c -NGENProcess 3bc -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:1904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 3c8 -NGENProcess 380 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:2076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 398 -NGENProcess 3d0 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:1896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3a0 -NGENProcess 380 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:2220
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3a0 -NGENProcess 398 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:1564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b8 -NGENProcess 3dc -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:1888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 380 -NGENProcess 3e0 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:2604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 398 -NGENProcess 3e4 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3b0 -NGENProcess 3e8 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3b8 -NGENProcess 3b0 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 1f4 -NGENProcess 3a0 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3e0 -NGENProcess 380 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3d0 -NGENProcess 3a0 -Pipe 1a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 398 -NGENProcess 3ec -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:2836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 1f4 -NGENProcess 3f0 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3a0 -NGENProcess 3f4 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2276
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3ec -NGENProcess 3f8 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  PID:2976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 380 -NGENProcess 3f4 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:1612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 3b0 -NGENProcess 404 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:2236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 398 -NGENProcess 3f4 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:2484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 3fc -NGENProcess 40c -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:1312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 380 -NGENProcess 410 -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:1564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 414 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  PID:2688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3a0 -NGENProcess 410 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:1288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3f0 -NGENProcess 41c -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:2460
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3f8 -NGENProcess 420 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:2580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 424 -NGENProcess 41c -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:2304
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 398 -NGENProcess 42c -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:3056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 398 -NGENProcess 428 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:1740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3f0 -NGENProcess 42c -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  PID:1112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 410 -NGENProcess 380 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 430 -NGENProcess 3f0 -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  PID:1288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 420 -NGENProcess 434 -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  PID:2268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 440 -NGENProcess 380 -Pipe 43c -Comment "NGen Worker Process"
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 430 -NGENProcess 444 -Pipe 420 -Comment "NGen Worker Process"
  2⤵
  PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 430 -NGENProcess 40c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 3f0 -NGENProcess 444 -Pipe 448 -Comment "NGen Worker Process"
  2⤵
  PID:2716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 434 -NGENProcess 438 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 438 -NGENProcess 430 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:1872

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:584

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2364

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1464

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1532

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1652

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1424

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2976

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2700

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1568

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:308

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1364

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2492

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:844

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2632

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2432

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2136
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  - Modifies data under HKEY_USERS
  PID:1668

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.3MB

MD5
73d7eddf2a5de6f574fa988ca185c5f0

SHA1
0edb385f831d74ac6fdf863906c9c1e50bd4e080

SHA256
8700c29c3539b6137db146be972395e5b2260f72df0c0e90786703b873fd501d

SHA512
eaeade4a913798ce19c431aaec078b2385634eede0a9248628aba2329a6c33db5643099af071f5530c95d987743b72d755575e8890b3b6195d8660ff9449304c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
05aa172d618ca30e057bb2b9a68dc616

SHA1
16c8f02941bf0690653e02fbefcfde0b64b8b3e1

SHA256
9f6d0a35e017613fba49210a07a44797d5ac565b6fe262152d1a77015f02916d

SHA512
576ffd1fcbe9e05f0294763a15c21891110a953dbc3d702e9dc01530be959aba696b8b349c08adebc6eda67445198c2bc5ee9a341a034cfe311f88b41352cb69

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
a57aff9566da1ab3ffbd6041ed7061cf

SHA1
fc6eb3e15b1f142daf21bcd789b87b9ef2d3c40e

SHA256
d3cab4a0ae87fe77cdc969e56a6ca3d9186c324e68c5f23fbaa1899c991945ef

SHA512
ce4df544f8155e2c8461ee96d541cf9ff4e9a39bbe3506331a3ddb94d448a8c1f9dca0515088b20c4b9165182d15bbc7bd22607ace3106bc8713dd3667535ac6

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.7MB

MD5
cff5cb67c58176aa8249de4e9a1200cc

SHA1
eec1d5dd4d29b8eec888e783e5d50fb94e7937a7

SHA256
b73953711a7b6d6d0d27fc7f244ce3f42b4a925bec55d9068e77ac29716e2c2e

SHA512
6232c32ea917dfd3409a3d780a5c9581a3c94e53fd2220b90001461685068c5157d2aaba6f10d67c80f8c38ec7a20c4fc577a8853952d99f963337457fa71861

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
88a1ebc4ca38654722b32d6a0567aab2

SHA1
27f520bf8827ddb94a6f33358b15290323221ee0

SHA256
e01e470ba8cd3993fa2dcbdfd30e71db784158a2b5f55a68f855cf7d242ee972

SHA512
656f0068769c22bf47095ddd977662a600b5d8e07d70d9f8d818a2cbda5cebb98f11000c2741ee25d1c472138d513912245063d6064bd34d7be23485ccea6b48

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
acffa4f118ab58f5bc61597d076df35c

SHA1
2fa04c1fbd7a208f6c8b9d227ded6db4aa825d2f

SHA256
79ee561b3b35ff20cc304e39bba35aaa92c537343e4a8a11c02a790deacedbff

SHA512
2c6b6a89f9ee15317ea7c90332910cce29bd313c9208c2219cda667797b04f02d272610a06a96e479516c1d54606a7dedbc5770b969950889e70f7c8dec6f0f8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
4688401a9319a5b214a054ebc1234198

SHA1
a54d381130fe37e202a95076ed20e50d80a2a243

SHA256
727cf0aabedc665383e555e7d63e0ea721cb2cb7114a210ac9d0c0f6a4504ca7

SHA512
f993c6874d42c609cebc446e072ee88d320ae8b3dc2d3722d97e69d474535467a710a63896760359cc16ab713ddf214873fef093dda24f48113514b36cdf4613

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
ef3393705eb2a94fba58f7dfac7e9ea6

SHA1
1a42086421a65a65e88f3d075baa35bb8a069192

SHA256
5db0af4ef367759e4dbf3acf6365a517413edd96df81e873fa5218008dd50cbb

SHA512
12fb4c3434621af74b8135b46ac22ed40cfbc266439b68eb6b1a30b88e59054247f23727215c17bc40d4da4ce530c1fa225dec8c3cd9e6df62e25097d58409b2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
05107ae26bb264c6f133375246c9b1b7

SHA1
3aa321a9e7cc3de9e923f2d497e9647af0629673

SHA256
c315908d94ff4319c68e34d28649f35fae5695553baa65c9f695ac6fa470abd6

SHA512
e036378e4ebae0c05609e17b1c56413350f685f2784ed25a33b462a908f1c6ec3acca0c36a0ee692e3087db106af6862cec533b6352ebec95ddc6428bbc7f01f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
5c124be6c92bfed3ea2564fb190f32bc

SHA1
7eca887e5219bcd3befd8ba1672fcef4cf8ff7d5

SHA256
c10ce40abf139eb7d62559f1c5a0c2373d0af0466feb19f295b8aa3d8b12b22c

SHA512
af94c7f27bf8ff6bde7c8aca3d1e1b39121c4a72f2adc37d9c7667ddcf08508b7ea5ef8d92d6e6779a1ef8c6ae19d29421f5213f43d67621f4c33c281e221300

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
d74c9a4245990a6594700497fe32bdb1

SHA1
821313556c2f6d8877539bde8a31d53fc77e5a67

SHA256
21c77f3ff6fc1bb9b713f82210fdc15dae53ea281ebdb723cb35f2ba9f93d601

SHA512
9b6931007f768726391e885f62310f7575f161deb5968abbcdf17fa0f5f3e6589758a8061c05bf5f69a68ffb71f9b4a8d49aa84b7cef103a13e24bd8812f62fd

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
add43d3ef7b713adb64678fa64841173

SHA1
a3f6e8baa13b6a1a78801f360c59b6f25a62ecf4

SHA256
2a46752a889856d6a4b1f045b198b89340b82083206891c4db5fdb4bb7a33cc4

SHA512
74b205d1b75492cf819f4d14053a8f9a8b3ae271513526421ebbca6a8cd3025aa7ba48c361190e9963389f9902478b85dc27092b6dc80f38e64645791340949f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
4a8111e8fb8b038043238d6b1a7bfeff

SHA1
391e698e4cb057dca6fc2548f1ca12c9441cf4df

SHA256
14c89b2303bd61b350b0e89924aeea5adaf6b0c8f256f19d1fd7bddcef8540df

SHA512
315527da87b5e91870618519de2cf281f0d876673fdda49a2d8adc7b386b965e967a61ff221dc1ae1be9f77b7b6f1980924e18d274ca153918098984be5de24d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
8e6124b8a9412e8899f18425c4e6825c

SHA1
a78a282b0956386a4b8edcb1e4f0dc98c980913a

SHA256
8b56514008dd8907137843537455e42d8803b93432d59d5ae5fcb9bdeb4fb0dc

SHA512
931d7e7ce48b99bc32cc69f02c2985882acb41114fb4c8b4ea73efb745899a351965b4cc31949844760ae6a7e73531ced562f5c980bb07e74d6649f4ecc9a1ac

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
38056198ad459a8d80f81413a5cf5e65

SHA1
ab790e4c211c801ad5a5a4cf2991975c67ec26fc

SHA256
942c14f28ce7a1cb7ca6945f3559ddd1e426a9ab98f8ab86e0185e418648af87

SHA512
8bddcb3f1491569080640258fc71a4b1ccc4a3cdd3ff83a897a3d958285e31761d9bc16c6d6ef0fcfd4735566ff1c6acc041d561450503d3b9e4ab7bd93f7fa0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
a32ab3a7a73298302d845307f4f284cc

SHA1
118efdfbfcf7e2a515da844ab9d2727863d28aa7

SHA256
968e2e87c04549b4cf007f6b079250268312de8360ec0697116d0290bbfca911

SHA512
1cd96a820e523f00f842b9664bb1f9c691303f8ac56048dc517c416c3727305c4043bfb3bce6c9ea6358c6efc3e82b966fef5884ab06bc38f6a27e9d3bcac6d0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
e68704c5a72e9f5b18693b6fdc78f43b

SHA1
f0d85bc42e3b386fbf64da675c0c1e629999a2d3

SHA256
91a2aa948440084ddbd7bdd06561fb7fb2de53b43a56546a87c5a9f13a051f14

SHA512
f56f31a2b61ee4e8c5cade4493c5b58cd942a6d2aad9edf6424d1a70f90ee352f0776aa42b28c4f7771bcccc5adeb22d9f57051a3ca05d76318353299efee388

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
307728512ee8813ddbd392b84e9a5000

SHA1
363c763aec9385835f58a4238b3700d81ba79c73

SHA256
e3a8531fa68d302a820c1388db40c8bf13a941ec3b78487164d85363a6dabf40

SHA512
b7a4a531180a94cef63b7c778113b5bb48d498df450c320ab05a513dcf2c7f61fb7a0c34e38f73ef431d07e30cd0e164b56bdfe16288e78823d9673d2fd834b8

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
b0aaf566195552263f0831258cd566c5

SHA1
1acb9c3ba608bc5c6bc403023e7f50fc9182e009

SHA256
058ff8f91f94e1f1057effba2755f327f37faad9790fad843a328fa7bf9632c0

SHA512
8bc03b33f0f82b68e9aa9aafbb56a404d3c186abb68e6ac0a7529eb9f4c0b9371f616a84f2f43f8ee7f4359c98180db21f05ad1ff18c4dd98dbfa24fb0f7c4d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
824c799d45c3fa3b7e0c6c570a89c93c

SHA1
5aebf6e38c7ec8dc27118118d01f589c565ddbc5

SHA256
c54300f242aac37706ddef813643987e1503701c64777c7bf2caf3b59837dd6b

SHA512
1d1147606abe85502f6ea622ce85401671b7387d61950da76ab052d7124b715fd7cc07384a5a8801fe1d8741040ce1f8efbe312f0642b4a0b51ba3bf2e16ef5c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
92f1b8fed9240ce63b6d053b85fa8eab

SHA1
8791bf780234162d4bd86de7f83c29e6beb47aea

SHA256
44eb53b64e2f3ac0911024cd2dcd1cc1e548b35db80ebc3fa2c1ac8ac31a49fe

SHA512
82500d2a5c20a66e026380501d7b98a2e93e5bffe42572f6040994ee67870c305cf8119357d73b6281510a8b954aa0fb4a9332af997d9f6d5396fd5bc21a32d8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
652715ef76606ae64f1d70a63a59b7ce

SHA1
7249732ed747dc23a06b476f7c1f001cb890db6f

SHA256
08ebd3273aeb198450b09080cabe87ada1ac4b9f9653bdcc07d98fa6b9c843c3

SHA512
3c896c14a624620f0d7d5095ec3cc377c92a8d4bfdc4f948981b60849b4c8134de2f394270704b23643c0020e53db6c03d270b728d116fcaa68c6b91400566e8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
151f21ff9ccb0bcc47a18612da0f8850

SHA1
1ff25c9c63daa4050fbe34a7fcec13f74ce2eefa

SHA256
d0d5f7a886bec2d4c96dd53d56dc87acd98afd32bba95e5f64dcef6dd9558aec

SHA512
9da81089268bf4a5e7035b441ff5beafc473cd9143150ac627eac6274fe130fb33a25fc61f963bf2df6da63200f4ec53a2895fa2c1010ffedcd160021cafaca8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
8ac50ba29afb5edd6cafa771b3e2b7e8

SHA1
3c0a6b1a399346dc9b97331bf872fae01d1dca44

SHA256
6a01938e099e539b7e2dda3165e5fa5dd1fd8ee72db9be8a64c9a24e7a12e8b7

SHA512
f4f06a3dd9833b1b45a1a42c8d896927a9b26c8e963cff5633e6a6e540dc053e302349352d1873d27c4fc55231a9864aa35e1bb50af3e543487334efb83b02d3

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
77d9e156a406c26f808a12fea7f28413

SHA1
0f9b448e9bf281c0e1e2daba23f603b6f2a23c92

SHA256
0b0c9177061494ab97bf9e27bdda50c2b9039496dc210f8466761fca2aabca8f

SHA512
379cb45ffc193167be144f7ddeeb9f9df15f2d903c6e0e1c8b4c74e1291ebfb5aaeadfb8c2c898740a98e23b58f553d1b84b3fc6fe2df2a6bc1755e40d23e270

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
765d771f1e961383194cf8e5be2ddebc

SHA1
8783de6b20e78bf8f94b0f8c4b98225c2654cec7

SHA256
48ebca9bdda7884e6a28f4ab3c296f554ff3b4e0d8762d16c5ff72b4be1eab93

SHA512
e89275e55678e9a9f05985604d78e3eb0c99bb88e72b9ff229b6a1a675d80a70d19d59e0bbe7ca1341ae2923f3390dcf0558ef4600eea5607c5f2b57975e0f13

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
e1885de977271284c9d1dee4e9eb61e0

SHA1
56d54805bac9482b836189a97dbc7141782123eb

SHA256
e51fedfa2d0747b15c9dcb46e5b93894c6af7f4d65c0dac7984ddbdc49d26107

SHA512
ecf6578d5544e9341428393ba524219dc9f56aef59938069dcecf39c5704b2594a28525f89b770fe0f9527d6cff44c5828166acf8f3f2829a2bcd36ebf987bcb

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
c38046212c13163df15d1c1dd0f290e5

SHA1
845f2e55d5b82f7b445d82720354d2e083ea715d

SHA256
1b53704ec6f51c283c7f390b21e4ba8fa60f426c50ccd9e953d5311dc784bb68

SHA512
6b4f8c0a50bc855c68ffdaae4041ac2aacf69f8ee6a79e42d72ecc7a99fe797ce97c92688a5572a91336fe87ce245ae17e0ee325897bf66a84e56de1ec7e32a3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
095978bada2a3cad188344f85487ebb4

SHA1
785257668d8359878c3cc37055d8b095b49fbd0e

SHA256
aa0d670612ce9e931d47feea59576849d359f38a78a648f672f3685e5b1e10c6

SHA512
51d2f7d04149a5456010561a64a88244491e07c653526a8ea92b989b01f5970540cf2773caa1515873e0bb222367cd253638d18a543a1a64d14cd1579c1d7d4c

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
4933648a6c5fb839cb495c4c769c4181

SHA1
c115539d6536626338e1ba023aa4752a4e48c4d3

SHA256
c0da13036724811710adb11a2b9c52eeaad65618e998f9acdf1c229bfe056bf8

SHA512
4f43d6c66636ffc21059ae74726c71d42409e7c316732566e01208fe2130acd956218707520c096dafd7ddb4e979d99df63278869991b5940d4fff7d0a45cb9c

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
c9763873829231f877739d5d0e900e64

SHA1
0a05050a26fcabb5db74fbce1252429295163cf7

SHA256
4c3e1f5cb4c76aa80db5f66a55842c1add4122ac363fe8224fdebf9a3592e94d

SHA512
1437f46f6c1c6dde3390e983b1a938f7f1ecea48eefa86b223f2a5752c967124822ce6b7040002a200685eeea9e98e3be005cc212a2a242414262740a60a9e75

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
8b01aef130e7d02a1009e5a87fce2b3f

SHA1
befbc993e2fedc20abe7a1d50564bc649ac5244b

SHA256
7f24121bc5704f0c18fe17c7fea211a1f0487c5d53177c5da356bec83719ae76

SHA512
5b428e1051d72ce13091abdd49001cd5f4ca89788897a3daffd37fc468455d4bad8fab5752c0e34054124b24b0d0c1162a9828e9545698572e2c8940c965dc73

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
72af4a01fbe1d1bf3e9c7d743526b36c

SHA1
a1bac58fd008fe8e653dea7029cc6e499503720c

SHA256
309a0b44b310a2cf05299f1b890d717d6ead6f327e29038c5675b575eee7fa8b

SHA512
899b8aa6193f4a6fa300aca825cd94e88e1238604a7d2d5e47d8738d4ba3fbccc204ffbb6710802f8b7c00b8884e90a6e0314880def72b99103b5924fadd87b6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
12f5f93de5bf3e7afa9fce4ac388167d

SHA1
a31cd88c917c6fae84853e826829b6679239578e

SHA256
ec285871219552f1d8584b1e8fef4b17604cb7868b38c51fc317f89c27d25e21

SHA512
22c39fe7b3c10d2e532dc04fe8cfef51c190db730c1857f841c2cb52adc1cb609d0fc0a4957d12db16002e49770c8e5e9d24a6c028a03d7eb0df4d7c693ce648

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
f7b093e7c4bb9af4b8f55167ec838d7e

SHA1
05c6385fccf0d887b117a57857cdc5299d7d7b5c

SHA256
d0bec316960a2c88081175fc648630d0749d651cafc3886d7d049bf1c261c3ee

SHA512
4fdfa49d806a075e5e788c7d1d6b88439ecf496ef32ab8165cb587021b0a79e43de6dcf1a7f59f4a6e5b7370bf755c1c27f1cd50ef7b0d3a04b95cb8dc17a2a4

Download Submit
C:\Windows\Temp\Cab907.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarC70.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
1.1MB

MD5
7835e60e560a49049ae728698da3d301

SHA1
87b357b1b3c9a2ad2f3b89b10a42af021ab76afe

SHA256
df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa

SHA512
b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
238KB

MD5
0a4ed78b7995d94fa42379f84cd5f8e9

SHA1
90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b

SHA256
0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86

SHA512
86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.8MB

MD5
9958f23efa2a86f8195f11054f94189a

SHA1
78ec93b44569ea7ebce452765568da5c73511931

SHA256
3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6

SHA512
3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\09d7c1ff17e42a33db699b629041e48f\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
ddf3e58576ef2cf9b52595c546858abc

SHA1
e9978e93c1db2ee1e3349d08fa2caf07a67c2d6e

SHA256
1f6614cf47eaaa3926d0bfa24b887c5914e3eabb2ffa948c3fc23299bddb8d27

SHA512
a8ccef95a652c5617252f4bb6f236c65cd872d94c0b084d3f3ff933bedcd51bc98a7a1076e3fd34b6d60f6503dca479276d225748bf259f7704213d4e3945dcb

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4b363c5e4c1eae1701bf45d167f8658f\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

Filesize
91KB

MD5
adc5887e89bc56694a193d92898d3518

SHA1
267f14c45a86d50ad627c6cb00626049e9c1ee20

SHA256
edc77665afe4901d4370c6a4fe7427b235a8b4bbcd58ac41ee72440cf414bb5b

SHA512
bdea1e13b655e62b74f908f1012a746992245ffcebe21bad624e6e051429e8cccf531fc03fa1fc7319bc5c9c6367c261174394f9623a1968c6381d674b341a37

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\585e8f83eff436c8156f071e8f2bdaa0\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

Filesize
1.8MB

MD5
04a6857c04546270358d14398fde209e

SHA1
596a3e11ac6c303c679edfd6c30aa71e8eaf8a23

SHA256
8eb8d5e0c2097d6fdae4b58cfde3e1be1dd6e59968891ac6d11efe8adf227285

SHA512
4e8bfd6bf9463a004c17a897026bcc1b4edb0764c7e959f09a744d395e9885b24f8e869b78896218ce930562796a3a8e3a7f0a59ba11c8dfa32b0908c5706b22

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9f1492fdd5006498aab770e73bc3f0bb\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
682b0b028b55095cee15c6f9ded933ef

SHA1
5ec06a468b89869be343307aa70c5e15a0441f1a

SHA256
e3afb078dc53f58fed37eb156e60178d1b45db789dfff92b6a28ee3306b5ed82

SHA512
2eed3e5d455fe7844ad8cd9535c5094f4e3ae72442f4c46ace41a5b102bb1bd43efe117aecd12d57409779e7dc43687af93b8b4a3d23fbfc6e7105553939ed2e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\c5e5df27b9784920571ad696a0928b84\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
e3af7b6ab2a6ce0bff0c99e50be95a0a

SHA1
a3b0fc73ff2f8ff41acbbd86da01535c36a99d62

SHA256
996d5eb8c3ae15222ae5bfae20c722def13c600e62a53c796a1f49a56753184c

SHA512
9081e4d943c931cf30bbddafd1e53d39f6e5bb0c2d9a35dcbc06bb58a5450bc4fc3bf3a23bfd223e1f033a981a17f2e2ba79fe3f6dc88bec866344d693b3dad9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\cbca8238950de74ad745983be1bb9f45\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
e968a1038abc4b9ec714940bcdd42e1c

SHA1
4ce1be5893531638ac525230cbaf9a1c72399000

SHA256
485e0ba9149a3af9653c01898ff2c6ec120db18ced6253e54b303cd708e33068

SHA512
32f06877aeccd3362bcf444c73de01b44cde138c57b330d46021e1c3198b7a54a9fecb07070127d7ca80dda075ee2d36e991c7c243342af4b2dea7121723b4d3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
d9bc54cfae2eb3ed8d71e195933cb3ee

SHA1
8e8d3cd64f2d32def5424009344ee4b5de1b15a8

SHA256
10643d004f9f14211a7cfa07c07661c3cd19b157e19b7161bb5c279da6b14abe

SHA512
3db1716784d6e9e603f356e096cf6bb0ce0f89372de98e7bdad55452aba9fc75c99a6651a42b10b0f0f5e99c633b84edd5cdfe8b9260e077d90963ed3da4f7b9

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
9dfa96757bed0835fcf14197f14e4301

SHA1
70a6d4353511ad5495107a743470582b9e6027f2

SHA256
653ae07a02fbc6646069bf1cebc6e5257a20ba3881cde55f90f628194bcb074b

SHA512
56085614665cf7f1499a2faf4b6d91b9cb473a2af40251ba89124e6a4586194bc1f062301eab6520a1dededa94b4d5bc89e7518fc84de715071a70527ef54db7

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
a7e06b27dc7edabf97205041485de243

SHA1
e060d7f34a939fa68943117b770d5441d5e38908

SHA256
83a33c923f86ac898bef42a4ac06abd8e212448331224daba89621db63612328

SHA512
f0ad5d77328df75a7b72a5c450338018e2c3192fd6d58af06bc3ac4ae826add80d3d89591b539296501bbc44b9bd441ad515024e81946b879c2fb77925a03c1e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
f883872d84f381d8d65167b86c95531d

SHA1
fcc8800202aa8b413650ca56bf7fb258bfbba959

SHA256
e7f07f9885429dbd51b054c3fe756efcfeb7073c3c225c12b2ca30a225ba427a

SHA512
5b0ac49a06614db83c9537f5e9cfc8c59a61a1db628af4fed510d5cd26c48f0640affd51c3ac54b650104defd7b30f218f334f2d2b8c26db243fe59a7cef95cd

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
21d97803523495ee886343380c9ada43

SHA1
0520e33a5dde6c3b18c2fb4070ee2d3cd451611c

SHA256
368d5bad6bc00112afbb018b18017f7b05a5a992bcdea6e3b8ee1e69e20c8d90

SHA512
2300db0940c7b3fb2a564dcc27a9eb5d293bfacf47c4785335cbbe65fe22a3b4005ced6672ac93901c2bc42b7837cab7d38eaebbb0bd4593897b2da08104d99a

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
e928c841527b0813e432105cd1023e3a

SHA1
b0ba81d08f0ae97ff97a9b45739d45ce491aa53f

SHA256
b002eb15d57c5daac8508c86c4366bf78b6beed4d64ef9fbd3d94a97cf965e89

SHA512
dda2090c2a3d8e4f2ccfb24dc6a3241b9eeb5d846fc0a8829dbfdd0b59e2cc8360caf1c6c584931544f64183f4f01f828d331f7216715fcaa15e03056a4041b5

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
a441d73eaddb6cdee98fea36c963d07d

SHA1
a3495b9c75ee834493615a837dbaf337ea50a11b

SHA256
b8d7d1d90ff3a3380dc50d247ab28366489ec73b7eaeddc31e4431b597eafa45

SHA512
443ce0c5b696dfada382d75b1b0161d52b3ed5da29715e8925da19410c36098a80c0dace8f01413fa639250965b276ebd7f69cd6bd3b87bbf1c017941768800a

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
4f33c26c87028416e46329c111840285

SHA1
25709b82cd13ba20f1545a1cb3ab405c0041f0f7

SHA256
bae58f321a64ba478b61c6533f6e850ec11f985d279240200a83fb1da773e4e5

SHA512
8040c58a33e1e5598ebd120ff00bdb2ce32ab39e1488fbe70d9203f0657adea935712b35e70a2467d864706a5e5cec93b0b34d90bac2b69f7f12921434a9069a

Download Submit
memory/308-332-0x00000000741D8000-0x00000000741ED000-memory.dmp

Filesize
84KB

Download
memory/308-330-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/308-329-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/308-323-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/340-182-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/340-95-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/340-102-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/340-96-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/584-187-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/584-270-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/584-250-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/584-179-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/584-184-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/584-196-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/748-295-0x000007FEF4800000-0x000007FEF519D000-memory.dmp

Filesize
9.6MB

Download
memory/748-335-0x00000000010B0000-0x0000000001130000-memory.dmp

Filesize
512KB

Download
memory/748-230-0x000007FEF4800000-0x000007FEF519D000-memory.dmp

Filesize
9.6MB

Download
memory/748-231-0x00000000010B0000-0x0000000001130000-memory.dmp

Filesize
512KB

Download
memory/748-232-0x000007FEF4800000-0x000007FEF519D000-memory.dmp

Filesize
9.6MB

Download
memory/748-305-0x00000000010B0000-0x0000000001130000-memory.dmp

Filesize
512KB

Download
memory/748-307-0x000007FEF4800000-0x000007FEF519D000-memory.dmp

Filesize
9.6MB

Download
memory/844-366-0x0000000100000000-0x0000000100136000-memory.dmp

Filesize
1.2MB

Download
memory/844-373-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1356-144-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1356-219-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1356-151-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1356-145-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1364-336-0x0000000001000000-0x0000000001136000-memory.dmp

Filesize
1.2MB

Download
memory/1364-345-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/1424-319-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1424-245-0x0000000000270000-0x00000000002D7000-memory.dmp

Filesize
412KB

Download
memory/1424-243-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1532-285-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1532-211-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1532-217-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1568-309-0x000000002E000000-0x000000002E156000-memory.dmp

Filesize
1.3MB

Download
memory/1568-320-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1568-364-0x000000002E000000-0x000000002E156000-memory.dmp

Filesize
1.3MB

Download
memory/1652-233-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1652-235-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1776-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1776-143-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1776-1-0x0000000000650000-0x00000000006B7000-memory.dmp

Filesize
412KB

Download
memory/1776-6-0x0000000000650000-0x00000000006B7000-memory.dmp

Filesize
412KB

Download
memory/1776-7-0x0000000000650000-0x00000000006B7000-memory.dmp

Filesize
412KB

Download
memory/1892-125-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1892-156-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/1892-128-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/1892-133-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2068-169-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2068-164-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2068-161-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2068-237-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2364-203-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2364-195-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/2364-269-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/2384-126-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/2384-107-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/2384-106-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2384-112-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2452-348-0x0000000100000000-0x0000000100153000-memory.dmp

Filesize
1.3MB

Download
memory/2452-298-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2452-286-0x0000000100000000-0x0000000100153000-memory.dmp

Filesize
1.3MB

Download
memory/2452-358-0x0000000000570000-0x00000000006C3000-memory.dmp

Filesize
1.3MB

Download
memory/2452-297-0x0000000000570000-0x00000000006C3000-memory.dmp

Filesize
1.3MB

Download
memory/2492-359-0x0000000000470000-0x00000000004D0000-memory.dmp

Filesize
384KB

Download
memory/2492-350-0x0000000100000000-0x0000000100135000-memory.dmp

Filesize
1.2MB

Download
memory/2700-279-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2700-271-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/2700-334-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/2936-162-0x0000000100000000-0x0000000100144000-memory.dmp

Filesize
1.3MB

Download
memory/2936-38-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2936-39-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2936-14-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2936-13-0x0000000100000000-0x0000000100144000-memory.dmp

Filesize
1.3MB

Download
memory/2976-266-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/2976-265-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/2976-260-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/2976-252-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download