c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
Size

1.8MB
MD5

247e882dad10468453a6efa817732a72
SHA1

73d6db946e313a62d543a223c0249a0754c6fa0e
SHA256

c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403
SHA512

d18f20475d5486ef837f01da4712c6360693681b66eaa49fa81f2d71faf02720d3cde06a3f53ce1e6b5501c1ce1d3cf3b117227e4c2e3f34225f5d1658c380e3
SSDEEP

49152:kx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAIf9Ckt7c20+9qNxUW:kvbjVkjjCAzJzfEkKK90

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
3040	alg.exe
520	aspnet_state.exe
2660	mscorsvw.exe
2308	mscorsvw.exe
1844	mscorsvw.exe
1512	mscorsvw.exe
2296	ehRecvr.exe
396	ehsched.exe
1016	elevation_service.exe
1732	IEEtwCollector.exe
868	GROOVE.EXE
2492	maintenanceservice.exe
796	msdtc.exe
1612	dllhost.exe
1352	OSE.EXE
1752	OSPPSVC.EXE
2844	mscorsvw.exe
1276	mscorsvw.exe
1640	mscorsvw.exe
2428	mscorsvw.exe
2036	mscorsvw.exe
2580	mscorsvw.exe
1956	mscorsvw.exe
1756	mscorsvw.exe
1628	mscorsvw.exe
2436	mscorsvw.exe
1920	mscorsvw.exe
760	mscorsvw.exe
2104	mscorsvw.exe
1100	mscorsvw.exe
932	mscorsvw.exe
1956	mscorsvw.exe
2796	mscorsvw.exe
2080	mscorsvw.exe
1964	mscorsvw.exe
1688	mscorsvw.exe
2644	mscorsvw.exe
2040	mscorsvw.exe
2312	mscorsvw.exe
884	mscorsvw.exe
2232	mscorsvw.exe
2780	msiexec.exe
2108	perfhost.exe
2744	locator.exe
2576	snmptrap.exe
1960	vds.exe
2572	vssvc.exe
1652	wbengine.exe
436	WmiApSrv.exe
1732	wmpnetwk.exe
2664	SearchIndexer.exe
2292	mscorsvw.exe
2460	mscorsvw.exe
2168	mscorsvw.exe
2276	mscorsvw.exe
1000	mscorsvw.exe
2524	mscorsvw.exe
2984	mscorsvw.exe
2176	mscorsvw.exe
2700	mscorsvw.exe
596	mscorsvw.exe
2156	mscorsvw.exe
912	mscorsvw.exe

Loads dropped DLL 47 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2780	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
736	Process not Found
1000	mscorsvw.exe
1000	mscorsvw.exe
2984	mscorsvw.exe
2984	mscorsvw.exe
2700	mscorsvw.exe
2700	mscorsvw.exe
2156	mscorsvw.exe
2156	mscorsvw.exe
2052	mscorsvw.exe
2052	mscorsvw.exe
2380	mscorsvw.exe
2380	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
2148	mscorsvw.exe
2148	mscorsvw.exe
620	mscorsvw.exe
620	mscorsvw.exe
1476	mscorsvw.exe
1476	mscorsvw.exe
728	mscorsvw.exe
728	mscorsvw.exe
2696	mscorsvw.exe
2696	mscorsvw.exe
2380	mscorsvw.exe
2380	mscorsvw.exe
1040	mscorsvw.exe
1040	mscorsvw.exe
1672	mscorsvw.exe
1672	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9d202e77ae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\System32\msdtc.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM66DE.tmp\goopdate.dll	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM66DE.tmp\goopdateres_sr.dll	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM66DE.tmp\goopdateres_iw.dll	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM66DE.tmp\goopdateres_el.dll	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{D9005A2B-BC2A-4153-8911-AE3B3F543790}\chrome_installer.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM66DE.tmp\goopdateres_ta.dll	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM66DE.tmp\goopdateres_fa.dll	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File created	C:\Program Files (x86)\Google\Temp\GUM66DE.tmp\goopdateres_it.dll	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM66DE.tmp\goopdateres_bn.dll	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM66DE.tmp\goopdateres_pl.dll	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM66DE.tmp\goopdateres_no.dll	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ehome\ehsched.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3D2F.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP696.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP59E3.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A28999FC-DFEB-4020-994B-D83896EF09FB}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A28999FC-DFEB-4020-994B-D83896EF09FB}.crmlog	dllhost.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2CFA.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6651.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-308 = "Landscapes"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 010000000000000080370c58e595da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\isoburn.exe,-350 = "Disc Image File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a097f15be595da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2092	ehRec.exe
520	aspnet_state.exe
520	aspnet_state.exe
520	aspnet_state.exe
520	aspnet_state.exe
520	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1784	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: 33	2084	EhTray.exe
Token: SeIncBasePriorityPrivilege	2084	EhTray.exe
Token: SeDebugPrivilege	2092	ehRec.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: 33	2084	EhTray.exe
Token: SeIncBasePriorityPrivilege	2084	EhTray.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeDebugPrivilege	3040	alg.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	520	aspnet_state.exe
Token: SeRestorePrivilege	2780	msiexec.exe
Token: SeTakeOwnershipPrivilege	2780	msiexec.exe
Token: SeSecurityPrivilege	2780	msiexec.exe
Token: SeBackupPrivilege	2572	vssvc.exe
Token: SeRestorePrivilege	2572	vssvc.exe
Token: SeAuditPrivilege	2572	vssvc.exe
Token: SeBackupPrivilege	1652	wbengine.exe
Token: SeRestorePrivilege	1652	wbengine.exe
Token: SeSecurityPrivilege	1652	wbengine.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeDebugPrivilege	520	aspnet_state.exe
Token: 33	1732	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1732	wmpnetwk.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeManageVolumePrivilege	2664	SearchIndexer.exe
Token: 33	2664	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2664	SearchIndexer.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1844	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2084	EhTray.exe
2084	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2084	EhTray.exe
2084	EhTray.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2324	SearchProtocolHost.exe
2324	SearchProtocolHost.exe
2324	SearchProtocolHost.exe
2324	SearchProtocolHost.exe
2324	SearchProtocolHost.exe
1308	SearchProtocolHost.exe
1308	SearchProtocolHost.exe
1308	SearchProtocolHost.exe
1308	SearchProtocolHost.exe
1308	SearchProtocolHost.exe
1308	SearchProtocolHost.exe
1308	SearchProtocolHost.exe
1308	SearchProtocolHost.exe
1308	SearchProtocolHost.exe
1308	SearchProtocolHost.exe
1308	SearchProtocolHost.exe
1308	SearchProtocolHost.exe
1308	SearchProtocolHost.exe
1308	SearchProtocolHost.exe
1308	SearchProtocolHost.exe
1308	SearchProtocolHost.exe
1308	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 2844	1844	mscorsvw.exe	46
PID 1844 wrote to memory of 2844	1844	mscorsvw.exe	46
PID 1844 wrote to memory of 2844	1844	mscorsvw.exe	46
PID 1844 wrote to memory of 2844	1844	mscorsvw.exe	46
PID 1844 wrote to memory of 1276	1844	mscorsvw.exe	47
PID 1844 wrote to memory of 1276	1844	mscorsvw.exe	47
PID 1844 wrote to memory of 1276	1844	mscorsvw.exe	47
PID 1844 wrote to memory of 1276	1844	mscorsvw.exe	47
PID 1844 wrote to memory of 1640	1844	mscorsvw.exe	48
PID 1844 wrote to memory of 1640	1844	mscorsvw.exe	48
PID 1844 wrote to memory of 1640	1844	mscorsvw.exe	48
PID 1844 wrote to memory of 1640	1844	mscorsvw.exe	48
PID 1844 wrote to memory of 2428	1844	mscorsvw.exe	49
PID 1844 wrote to memory of 2428	1844	mscorsvw.exe	49
PID 1844 wrote to memory of 2428	1844	mscorsvw.exe	49
PID 1844 wrote to memory of 2428	1844	mscorsvw.exe	49
PID 1844 wrote to memory of 2036	1844	mscorsvw.exe	50
PID 1844 wrote to memory of 2036	1844	mscorsvw.exe	50
PID 1844 wrote to memory of 2036	1844	mscorsvw.exe	50
PID 1844 wrote to memory of 2036	1844	mscorsvw.exe	50
PID 1844 wrote to memory of 2580	1844	mscorsvw.exe	51
PID 1844 wrote to memory of 2580	1844	mscorsvw.exe	51
PID 1844 wrote to memory of 2580	1844	mscorsvw.exe	51
PID 1844 wrote to memory of 2580	1844	mscorsvw.exe	51
PID 1844 wrote to memory of 1956	1844	mscorsvw.exe	61
PID 1844 wrote to memory of 1956	1844	mscorsvw.exe	61
PID 1844 wrote to memory of 1956	1844	mscorsvw.exe	61
PID 1844 wrote to memory of 1956	1844	mscorsvw.exe	61
PID 1844 wrote to memory of 1756	1844	mscorsvw.exe	53
PID 1844 wrote to memory of 1756	1844	mscorsvw.exe	53
PID 1844 wrote to memory of 1756	1844	mscorsvw.exe	53
PID 1844 wrote to memory of 1756	1844	mscorsvw.exe	53
PID 1844 wrote to memory of 1628	1844	mscorsvw.exe	54
PID 1844 wrote to memory of 1628	1844	mscorsvw.exe	54
PID 1844 wrote to memory of 1628	1844	mscorsvw.exe	54
PID 1844 wrote to memory of 1628	1844	mscorsvw.exe	54
PID 1844 wrote to memory of 2436	1844	mscorsvw.exe	55
PID 1844 wrote to memory of 2436	1844	mscorsvw.exe	55
PID 1844 wrote to memory of 2436	1844	mscorsvw.exe	55
PID 1844 wrote to memory of 2436	1844	mscorsvw.exe	55
PID 1844 wrote to memory of 1920	1844	mscorsvw.exe	56
PID 1844 wrote to memory of 1920	1844	mscorsvw.exe	56
PID 1844 wrote to memory of 1920	1844	mscorsvw.exe	56
PID 1844 wrote to memory of 1920	1844	mscorsvw.exe	56
PID 1844 wrote to memory of 760	1844	mscorsvw.exe	57
PID 1844 wrote to memory of 760	1844	mscorsvw.exe	57
PID 1844 wrote to memory of 760	1844	mscorsvw.exe	57
PID 1844 wrote to memory of 760	1844	mscorsvw.exe	57
PID 1844 wrote to memory of 2104	1844	mscorsvw.exe	58
PID 1844 wrote to memory of 2104	1844	mscorsvw.exe	58
PID 1844 wrote to memory of 2104	1844	mscorsvw.exe	58
PID 1844 wrote to memory of 2104	1844	mscorsvw.exe	58
PID 1844 wrote to memory of 1100	1844	mscorsvw.exe	59
PID 1844 wrote to memory of 1100	1844	mscorsvw.exe	59
PID 1844 wrote to memory of 1100	1844	mscorsvw.exe	59
PID 1844 wrote to memory of 1100	1844	mscorsvw.exe	59
PID 1844 wrote to memory of 932	1844	mscorsvw.exe	60
PID 1844 wrote to memory of 932	1844	mscorsvw.exe	60
PID 1844 wrote to memory of 932	1844	mscorsvw.exe	60
PID 1844 wrote to memory of 932	1844	mscorsvw.exe	60
PID 1844 wrote to memory of 1956	1844	mscorsvw.exe	61
PID 1844 wrote to memory of 1956	1844	mscorsvw.exe	61
PID 1844 wrote to memory of 1956	1844	mscorsvw.exe	61
PID 1844 wrote to memory of 1956	1844	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
"C:\Users\Admin\AppData\Local\Temp\c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2660

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 24c -NGENProcess 250 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 25c -NGENProcess 264 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1f4 -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 254 -NGENProcess 264 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 244 -NGENProcess 270 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 270 -NGENProcess 250 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 278 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 24c -NGENProcess 250 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 258 -NGENProcess 280 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 27c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 280 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 28c -NGENProcess 270 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 28c -NGENProcess 264 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 294 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 254 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 270 -NGENProcess 29c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2a0 -NGENProcess 254 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2a0 -NGENProcess 270 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 2a8 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2ac -NGENProcess 270 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 27c -NGENProcess 2b0 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 22c -NGENProcess 228 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 298 -NGENProcess 1f4 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 298 -NGENProcess 268 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 294 -NGENProcess 220 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1f4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 1c8 -NGENProcess 220 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 294 -NGENProcess 270 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 2b4 -NGENProcess 29c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2a0 -NGENProcess 270 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 2b0 -NGENProcess 2a0 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 22c -NGENProcess 1ec -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 2ac -NGENProcess 22c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 29c -NGENProcess 1c8 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 1d4 -NGENProcess 1dc -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:2336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 270 -NGENProcess 2b8 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 1c8 -NGENProcess 2bc -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1dc -NGENProcess 2c0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 2b8 -NGENProcess 2c4 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2bc -NGENProcess 2c8 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 2c0 -NGENProcess 2cc -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2d0 -NGENProcess 2c0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1d4 -NGENProcess 1c8 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  PID:612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 2d4 -NGENProcess 2c0 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 1dc -NGENProcess 2dc -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 2e0 -NGENProcess 2c0 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 1c8 -NGENProcess 2ec -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2c0 -NGENProcess 2f0 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  PID:2088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f4 -NGENProcess 2c0 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2d4 -NGENProcess 2dc -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f8 -NGENProcess 2c0 -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2e8 -NGENProcess 2c0 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 304 -NGENProcess 300 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2e0 -NGENProcess 300 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:1808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c8 -NGENProcess 2b8 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 310 -NGENProcess 2f8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2d4 -NGENProcess 314 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 34c -NGENProcess 350 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:1120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 354 -NGENProcess 378 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 364 -NGENProcess 37c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:912

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 23c -NGENProcess 244 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2232

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2296

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:396

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2084

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1016

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1732

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:868

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2492

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:796

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1612

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1352

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1752

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2108

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2744

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2576

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:436

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2664
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2324
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:2620
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
ee038ea9dd4062bc2a9ff2a7b04f5e7e

SHA1
686b677f27695cfb9cec784f6e8baac94b468aa8

SHA256
814038ec8d76ac8dbb13df559456ad9ae6c063e20da114842925cbb9190029ce

SHA512
8e4c35d1368296eb9febaafc59fab79e669ab8085cc22aea0a6bde56cfebb80ead75640e8686f561514f9d5e0390cd608d8675ad24b5cb435acf78d1aa1a4558

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
5.8MB

MD5
d25d5c3dd5e11e81237887a86052f53c

SHA1
09a0d2057d041fae8e8272330ae70819a768d2d9

SHA256
86c1268ba613d941692705482b9ee599fc49e5b88c4c427caf039c5e52581369

SHA512
4fddb522f24bf7ec452133b54a34dc189f2166d4edfb00fbbb5843a6d4718f1b2bd429971fb9e09c5214d97ec6b2e0d7cbe41ab07ae1a2f8f6ecad96d28c0573

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
eef80f0369e668b9bdd9c338a51bfb1d

SHA1
991579f18fc052e295b932fea3d28d0ee7ecaa30

SHA256
1d2ae6887081767906a64cf416a359267a8ce3b40acc2ab187ca2f3468e587bb

SHA512
683ac0ea2f34f53bd84f8920d8489de3c337c53ec77333c2c3b168b7eb3f9708b4ad3dfeb746c758ec4aa6e83b49981e521b1cf1f612b67685860eeddbdf7729

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
1.2MB

MD5
96be002ccaa2091e6a31fdad2c8a5d4d

SHA1
ded081edcd08844fecbeb2781e472c9128e40100

SHA256
372640ea057ccf4d11fe3aec707c1cc818b305b3bdfa129881672229e65ea3b7

SHA512
a41b66aadf1f0dd1d3b54ba0737ca915e92c04696ae980a02e18c8c25b68cfb333acd3a27537d97f5d010599dac374a221cb99eee95bf6d89a1db28e4e82e818

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
b4607555786b0ca94a5bd354a3349c2a

SHA1
766fa8626f13d3dab948167d9b2c90bafe167d5e

SHA256
2a02633bb9a67dcdb014fb0a6c6bd0891bb42d1a5d1800b783d4e917149df208

SHA512
440298d63dca9a668238ad2b8833ff19c005dabec4c02987c83c3da6def070aed23e1082e4760d399503bbcff408d7775ca2e90ca61d39234141aceab4e79b36

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
feac71d0b15db3d2c2aa2c11be568247

SHA1
eb665b0e4f86554b84e99ba61e66caf32b8f88ef

SHA256
fcda855de8d2c6f40ae61df9d4a072ebed525ef479cd439468d1977a4f55554f

SHA512
f61af7e11735ec4346a8c88ea0f0177dca43682ab0299f2a62b764bf0e9772b6d3a7caca37df46f1dcecc90fc2c95f796eec34882eeea359f7b71022b48d8d81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
85107536d0467f233181d894e39587c9

SHA1
a27c0a5a41b970aec488ae8b51c28140501b84f6

SHA256
4963ef48b5a5f46a91fb955f8310ab84196e85e6b7d3bde9e0c52dbf4a20a64a

SHA512
a3a9d0bfa3c0b166aa18d3eb4772ba047b0c6c40b27853d85ba9c8bdf1c894aa2043314062825e3b38665409327093f6095c6b4b86fed9b3a71cbd9ca0fb780b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
960ef029b864db38872df49255170025

SHA1
894d3e7c684427400f983bf8fc6facbd4aab6e77

SHA256
dee7b779d02fd67ea652596e2289db3aa4dd2aad221ba56b6b63b4640ec25ac7

SHA512
78339f18becf4bc3b769c915b27a56b6d343c644c8e0d6138edd34cb1a118cf7d89976c7af50de6de67505f70b0b8bd7df5f7edaff7459de9f66eff1ab88086b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
ffebe279ca652ecd3ccb41478cc46e0c

SHA1
00f7dcdde5b4a456b2df1b5cee056e34468c6960

SHA256
2704821de4f031b68268cc0e103a2dd0a71db8746b338b245bb4961f0842c603

SHA512
9d54d8cce7118c829167f4e32a953e234bbb86891d59f45a3262ae353f9bdb8ca61f3a404330986c3811f6896f07aa91bc790426d59fb8b8262394e963e9bdb3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
d00f29ab4ce103a3168dabee06b7ad65

SHA1
03a815985f2c39a140f48568f8c095ed8e170527

SHA256
1768b0deef15ae4c82ab1be634b4ae0796c06fde7f448d1c8e63d29644fde22c

SHA512
2e6389eb3fab329fe4a5b8fd06217518ec2c30b6d730b41a176cd7964c753649721e4c288cc620ef7110aabc8d3872ab4f832e7a4c7cae5dfdc744c55940807b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
d16b6be89630addb27a6b541fa76e5ce

SHA1
a29b1a9f4c831fad33a4506b45b9fc8de2f3a0d9

SHA256
60bc0d1ed723bd32cd7eb934fe64e01b9bbe16604f600b842a3f5c3883cac056

SHA512
c9f19405dfca101423f97ed9b852df127bd6fe6159425f76919170243b06580bd82f8fb26a6a459a91b3a41d7f076dd6253cb15c0e8ff6a5fd3ba965d90a50e2

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
cdb352f8dc0448ee69258ac0e7868518

SHA1
20f99e6caf1ad15dc4b8733212f3a7268104b617

SHA256
193bcecb547b669aec6952f127b294df125880f8fd4c63a97f578359d08b7314

SHA512
240947b16cae36bff9788b45981e2b7c79714c3b2abe8f746e2659db5aadbe01a7911d0c535440821bc3dd2b358b40edf8f446a74e69c847d736847aac91bc1e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
5f46c27aa933491bc5bc23f868edb192

SHA1
2005face281b49525a429c46856cc31c3191217c

SHA256
617b6ec1ee588c55061a021ee785adf034ad8090a9f30689c1b4a09bd3945907

SHA512
ff0170481ba16a0b53c6be60f55559a00e41dd03a2c1ae945ebbee57329ffabfcc4da0275bcfc37e134e54f5809d50d179fb7894a7c96945cbd34198214dd76f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
0e0a89636311ce407d430aca6d1e8a23

SHA1
f8bc7882c894733dd0f9e1df42625a19017959e1

SHA256
ddcc33bb7f05701760a50214cb95f4c74d10995c90ff08e353323049d00aceca

SHA512
db813543654878b32ba0cda993673ee3606692fef842b9dc2580aca985c259834f22ef0134fa768340823dabeb35c5fba74c2a929035b8c793918cab79541b8a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
c87b84cad1d06903343259c9656045cd

SHA1
6915198f7b2b3dce63c05537ed7ced680615d9ee

SHA256
434a53650b6ecfe9a9f7fce853d61fb4277b9313c1dff0904e6c04855ea376f5

SHA512
fe0a687c33408b47c275981b0263697b43e9f84299129bc275dd9d3be1c955e442eb42a69a99ce6dddf6eb68b4aadac5defb80239fdd1a09ff8304e0039eab34

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
3233358ff98d1780f018a2cae5e3e92d

SHA1
2fae648bec9b17e69db02b7003aeac3febb46fd6

SHA256
22c0eeee64b596323173d04c2ba0451109747fb68da31da08cf1da4a2464b305

SHA512
314af121eb0bf828001bbdaf5147b5f8c217d285a714e9f6ee56e7877b2bce049623c0c4f0a80b76be4484dc82c9125a1114944c58845fc9c2170c68d4e5e0c5

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
a73571015776bcd727a71f9888436a5b

SHA1
20d3d32b1919059560e25644a4339c6d38afd53d

SHA256
b3212be0f0af72d3fdea080b49d4e2696cb3706377867c4ea587098a5c4ecd24

SHA512
37348f40a3fb6d7ff7831f3437b2921fefdd97aeedffe1e6a9063eae157986db65495e89f418c707d6716663e69e601b28d2abe3a5043a472c69f2f7ff357c73

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\1f5d757f0db1005daa2dee10d6117655\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
0357fac505a1028f1b803e4170de3a62

SHA1
0ce8e6445a23e02b8b23e964e3cced0f304f556d

SHA256
c0d079e51a8b642b9e7fea65b241204f4d890ec4f81030b6e1cfc86ac8a2c435

SHA512
ebde8c35ffeb88ffdcf14b0e7ef669acd641822e9b3a919aeb8a29b01237a8b3b44e3a446d4a6b2fb53781e944dee94ae471b94ee12e27a279169d51a87acb12

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\201f2827bccfa92afe0e4cd8197b8ade\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
dab1cddc71d51d397b8b7aa1f8cd951c

SHA1
0677ee08c58ee659e1e48ebdfb789b54670a70f9

SHA256
e5162846a19322f124b2ae72cd1b8a65b3a97146b61d4f923258d68573d3158f

SHA512
a4557431c30d1de1a4181f9ecd730c7656e3a67602e5ff83c19693e1cfe08733c57a56e2feda07e7aef97dc4275939f02f97ec6b8551205a012ca55910ea25e9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\36627937f5e1d96ada9ea8f73ecca4cf\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
aacdbd8652e402c00d7798fbe00ff133

SHA1
b326092852edb3a5048ff86c267388cee5c6bad9

SHA256
2b93b958e7884d8e9dc888c86d7ab64857fe55eb69a3167410e4ce8bd969fe9e

SHA512
8d9967893ee8a7ebf0d26654b331d12b89fc8d6a2dcd0e6711120effd630c081e7c60f1cd582ef0d77395a5cd1c0f5643e736a67afb9d3ba10fda153d8b271fa

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f61aacca32361f8fb7ab25fb8fc86139\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
ac88b3321d08560552b53642a48d5169

SHA1
be3209d5cf19fd40cd95e00329f2ac1b03911cf4

SHA256
fb778b2d792b370252cc063ab129dd2e07519a158cd3f3f2616d3554214d1e1a

SHA512
c7a7a223110010d6b67153575a2d63f2d0eea299f5286b19c85abb92b4cb1835767077c353c1d492537a8d489de8b5b5d11930a3b477f7e9cac1ebc91a6b6ca5

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP696.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFF8.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
2ea315c529ba5edf1e3c13e2fe12f877

SHA1
5b48c65d4c5ec0bd48be1e98331b1b389681b724

SHA256
5e039dc73941c352edac5df77d78d6ea393f9a427d38f0f9f65334381efaff9f

SHA512
24a0150d19c15a99099f28a2dc3c08bcce4aa734951538a2d7375301e37294cb2d1ec70d1a1f67abd31d18113f05a5d65f1d58e3afde810ec5308b48a3b4dd03

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
f5b94629814999a6a84d8af8b001e1f9

SHA1
215f45335d3615f15d207e895034e3b5284348fc

SHA256
df49a0d59d6529006d49ef9c10edd4033daa905f4bde42ad67098745a9fc1e84

SHA512
bbe898f75c1c3c86cedfe672bbe2d2897d796b31b02cbad5b203434633bbfe05fc00d1b0b786534af6bfaa4c0b0b5bd9b0afd70c4a1e9b24f5b032c69c8a7240

Download Submit
\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
7a94d4e6b40569cbe21eda6dba44199e

SHA1
e5b012929aeae98321f17232749a56f812628065

SHA256
e43e19c90bc915282840cce652ac5f8ba05d70a823c27c6767abf07717210ca5

SHA512
6c25bb15f51347a6fcaca4a1eca28cfee47ec4400b53271cd24399ebf2f2405b6bd40b1d6fa990750560a5a484021d674a8f56bd43c7793d54f5279be7c9ec04

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
fcfe7990bdf3de59b15d147bb1f8231d

SHA1
b3284a208aea23c4c6170ccc20748747ded1610e

SHA256
bad766ef677cd2846bae57e6cc96a443e56e64a4410b5ef242567b9400a6e644

SHA512
9a53a52c642e2e208c7e01d89c0f656a6fbd611f4e4893e58a6a59517b01e0369f35f7c00e087a54fc17051cbbd5d12ad1d3c01f331a3ce8c315fa6585be12d7

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
750132c1d114146758ef32d068cc1868

SHA1
1eb7b2f5518ce9986c468e2646a17fa3769284cc

SHA256
e077d1b56a286f3bba6160b05d99749505b17aeade049cd6d73c9c1e3013c695

SHA512
dad04df1b3f22592a02a79238c51007dd09898771c9482f776326417b6650866ff725a842f3a08fca85e845cb0a4ee685773b64ceb58b72fd9c3014889edc572

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
84d3c9bbdef4978ed68f5868d10b2bf2

SHA1
1dd50afcc61929571685e0759fcc77e22133687c

SHA256
d4b897344f74daca0af1b446a19fdeb16755225d7948fb0978b4b77e7758dfb9

SHA512
f03aefcde94fee71395c407746d34ea169830d98e6d7d5cd957f6f430a3490a961cd5ee977891bb2f967c5ef645b0982bce2f6effa42963b49644028e60a3159

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
a299ff7e6d536d71019dd8d2523e13c3

SHA1
f0c07e90235f87e6e998b93d1e7d5190d5fd0ae8

SHA256
63b3e090ed304e71687e2f24d3855ee2af5f8d8d2a39bb5092c7bb46a21c9b2f

SHA512
33a24a3cb60280a5fc0eb16e7db2b9083dcef451a6a36a77fbfb0bfb027adb0b46ee49a459460e7b1091fc3ae73c25a3efcce902e423fc69bbf47265d92fc365

Download Submit
memory/396-195-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/396-265-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/396-202-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/520-179-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/520-101-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/520-95-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/520-94-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/796-432-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/796-345-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/796-355-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/868-244-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/868-246-0x0000000000750000-0x00000000007B7000-memory.dmp

Filesize
412KB

Download
memory/868-388-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1016-208-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1016-217-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1016-353-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1276-486-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1276-502-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/1352-390-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/1352-391-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1512-233-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1512-161-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/1512-169-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/1512-164-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1612-374-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/1612-481-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/1612-369-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/1732-234-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1732-232-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/1752-439-0x0000000073F98000-0x0000000073FAD000-memory.dmp

Filesize
84KB

Download
memory/1752-406-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1752-410-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1752-402-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1784-6-0x0000000001E40000-0x0000000001EA7000-memory.dmp

Filesize
412KB

Download
memory/1784-142-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1784-0-0x0000000001E40000-0x0000000001EA7000-memory.dmp

Filesize
412KB

Download
memory/1784-342-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1784-1-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1844-143-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/1844-149-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/1844-144-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1844-215-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2092-419-0x0000000000C80000-0x0000000000D00000-memory.dmp

Filesize
512KB

Download
memory/2092-230-0x0000000000C80000-0x0000000000D00000-memory.dmp

Filesize
512KB

Download
memory/2092-229-0x000007FEF46E0000-0x000007FEF507D000-memory.dmp

Filesize
9.6MB

Download
memory/2092-373-0x000007FEF46E0000-0x000007FEF507D000-memory.dmp

Filesize
9.6MB

Download
memory/2092-371-0x0000000000C80000-0x0000000000D00000-memory.dmp

Filesize
512KB

Download
memory/2092-231-0x000007FEF46E0000-0x000007FEF507D000-memory.dmp

Filesize
9.6MB

Download
memory/2092-363-0x000007FEF46E0000-0x000007FEF507D000-memory.dmp

Filesize
9.6MB

Download
memory/2092-517-0x0000000000C80000-0x0000000000D00000-memory.dmp

Filesize
512KB

Download
memory/2092-340-0x0000000000C80000-0x0000000000D00000-memory.dmp

Filesize
512KB

Download
memory/2296-245-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2296-181-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2296-186-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2296-178-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2296-191-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2296-257-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2308-129-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2308-122-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2308-121-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2308-160-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2492-260-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2492-282-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2492-266-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2492-252-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2660-140-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2660-105-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2660-106-0x0000000000430000-0x0000000000497000-memory.dmp

Filesize
412KB

Download
memory/2660-111-0x0000000000430000-0x0000000000497000-memory.dmp

Filesize
412KB

Download
memory/2844-509-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2844-515-0x0000000072C60000-0x000000007334E000-memory.dmp

Filesize
6.9MB

Download
memory/2844-416-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download
memory/2844-427-0x0000000072C60000-0x000000007334E000-memory.dmp

Filesize
6.9MB

Download
memory/2844-408-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3040-162-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/3040-32-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/3040-23-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/3040-22-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download