a82e6fc31e8db91fbffad10329d95db58ecc70129c7475b785d1add870129207

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/04/2024, 19:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a82e6fc31e8db91fbffad10329d95db58ecc70129c7475b785d1add870129207.exe
Size

1.8MB
MD5

3280834d853a1cfd3454b66a6ea344a2
SHA1

f1f38357f8a87a459ff46f3dcbc2ab19aa96528e
SHA256

a82e6fc31e8db91fbffad10329d95db58ecc70129c7475b785d1add870129207
SHA512

787753bbc41e28226b0f9f7ac753efbc244b9d1b2b6bf50a4cbe91cf9c019d9b70cb5a066d5e72cbbcf8960d208e6ac2dd1a9d713bea2ce3eeaea3d2d965f670
SSDEEP

49152:Zx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAykQ/qoLEw:ZvbjVkjjCAzJNqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
484	Process not Found
2940	alg.exe
2152	aspnet_state.exe
2684	mscorsvw.exe
1960	mscorsvw.exe
1932	mscorsvw.exe
1764	mscorsvw.exe
628	ehRecvr.exe
3024	ehsched.exe
1608	elevation_service.exe
2596	GROOVE.EXE
2484	mscorsvw.exe
640	mscorsvw.exe
2412	mscorsvw.exe
2776	mscorsvw.exe
324	mscorsvw.exe
1144	mscorsvw.exe
2192	mscorsvw.exe
2416	mscorsvw.exe
2476	maintenanceservice.exe
2732	mscorsvw.exe
2524	OSE.EXE
2984	OSPPSVC.EXE
1604	mscorsvw.exe
1400	mscorsvw.exe
2600	mscorsvw.exe
2444	mscorsvw.exe
1536	mscorsvw.exe
2116	mscorsvw.exe
592	mscorsvw.exe
1308	mscorsvw.exe
2828	mscorsvw.exe
3032	mscorsvw.exe
2836	mscorsvw.exe
1576	mscorsvw.exe
2508	mscorsvw.exe
2928	mscorsvw.exe
2684	mscorsvw.exe
2292	mscorsvw.exe
1048	mscorsvw.exe
2052	mscorsvw.exe
704	mscorsvw.exe
1736	mscorsvw.exe
1780	mscorsvw.exe
1616	mscorsvw.exe
2836	mscorsvw.exe
2620	mscorsvw.exe
2852	mscorsvw.exe
1084	mscorsvw.exe
2404	mscorsvw.exe
856	mscorsvw.exe
1164	mscorsvw.exe
2804	mscorsvw.exe
2500	mscorsvw.exe
556	mscorsvw.exe
1576	mscorsvw.exe
2540	mscorsvw.exe
2532	mscorsvw.exe
448	mscorsvw.exe
2052	mscorsvw.exe
2036	mscorsvw.exe
1544	mscorsvw.exe
1164	mscorsvw.exe
1616	mscorsvw.exe

Loads dropped DLL 47 IoCs

pid	Process
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
1616	mscorsvw.exe
1616	mscorsvw.exe
2620	mscorsvw.exe
2620	mscorsvw.exe
1084	mscorsvw.exe
1084	mscorsvw.exe
856	mscorsvw.exe
856	mscorsvw.exe
2804	mscorsvw.exe
2804	mscorsvw.exe
556	mscorsvw.exe
556	mscorsvw.exe
2540	mscorsvw.exe
2540	mscorsvw.exe
448	mscorsvw.exe
448	mscorsvw.exe
2036	mscorsvw.exe
2036	mscorsvw.exe
1164	mscorsvw.exe
1164	mscorsvw.exe
2136	mscorsvw.exe
2136	mscorsvw.exe
1048	mscorsvw.exe
1048	mscorsvw.exe
1864	mscorsvw.exe
1864	mscorsvw.exe
1336	mscorsvw.exe
1336	mscorsvw.exe
404	mscorsvw.exe
404	mscorsvw.exe
292	mscorsvw.exe
292	mscorsvw.exe
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
2996	msiexec.exe
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
760	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a75cf7ce2a37835d.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	a82e6fc31e8db91fbffad10329d95db58ecc70129c7475b785d1add870129207.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a82e6fc31e8db91fbffad10329d95db58ecc70129c7475b785d1add870129207.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM143C.tmp\goopdateres_te.dll	a82e6fc31e8db91fbffad10329d95db58ecc70129c7475b785d1add870129207.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM143C.tmp\goopdateres_ar.dll	a82e6fc31e8db91fbffad10329d95db58ecc70129c7475b785d1add870129207.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM143C.tmp\goopdateres_es.dll	a82e6fc31e8db91fbffad10329d95db58ecc70129c7475b785d1add870129207.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM143C.tmp\goopdateres_lv.dll	a82e6fc31e8db91fbffad10329d95db58ecc70129c7475b785d1add870129207.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM143C.tmp\goopdateres_ur.dll	a82e6fc31e8db91fbffad10329d95db58ecc70129c7475b785d1add870129207.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM143C.tmp\goopdateres_en.dll	a82e6fc31e8db91fbffad10329d95db58ecc70129c7475b785d1add870129207.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM143C.tmp\goopdateres_el.dll	a82e6fc31e8db91fbffad10329d95db58ecc70129c7475b785d1add870129207.exe
File created	C:\Program Files (x86)\Google\Temp\GUM143C.tmp\goopdateres_ca.dll	a82e6fc31e8db91fbffad10329d95db58ecc70129c7475b785d1add870129207.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM143C.tmp\GoogleUpdateBroker.exe	a82e6fc31e8db91fbffad10329d95db58ecc70129c7475b785d1add870129207.exe
File created	C:\Program Files (x86)\Google\Temp\GUM143C.tmp\psmachine.dll	a82e6fc31e8db91fbffad10329d95db58ecc70129c7475b785d1add870129207.exe
File created	C:\Program Files (x86)\Google\Temp\GUM143C.tmp\goopdateres_hr.dll	a82e6fc31e8db91fbffad10329d95db58ecc70129c7475b785d1add870129207.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM143C.tmp\goopdate.dll	a82e6fc31e8db91fbffad10329d95db58ecc70129c7475b785d1add870129207.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB6E1.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPAE49.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	a82e6fc31e8db91fbffad10329d95db58ecc70129c7475b785d1add870129207.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC1D9.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	a82e6fc31e8db91fbffad10329d95db58ecc70129c7475b785d1add870129207.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9167.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	a82e6fc31e8db91fbffad10329d95db58ecc70129c7475b785d1add870129207.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB2DB.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	a82e6fc31e8db91fbffad10329d95db58ecc70129c7475b785d1add870129207.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9463.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA016.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA563.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP97AD.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{5E055B39-DA33-431D-B128-9432DD6895AC}	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2636	ehRec.exe
2152	aspnet_state.exe
2152	aspnet_state.exe
2152	aspnet_state.exe
2152	aspnet_state.exe
2152	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2928	a82e6fc31e8db91fbffad10329d95db58ecc70129c7475b785d1add870129207.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: 33	2144	EhTray.exe
Token: SeIncBasePriorityPrivilege	2144	EhTray.exe
Token: SeDebugPrivilege	2636	ehRec.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: 33	2144	EhTray.exe
Token: SeIncBasePriorityPrivilege	2144	EhTray.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeDebugPrivilege	2940	alg.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2152	aspnet_state.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeRestorePrivilege	2996	msiexec.exe
Token: SeTakeOwnershipPrivilege	2996	msiexec.exe
Token: SeSecurityPrivilege	2996	msiexec.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeBackupPrivilege	2812	vssvc.exe
Token: SeRestorePrivilege	2812	vssvc.exe
Token: SeAuditPrivilege	2812	vssvc.exe
Token: SeBackupPrivilege	1820	wbengine.exe
Token: SeRestorePrivilege	1820	wbengine.exe
Token: SeSecurityPrivilege	1820	wbengine.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeDebugPrivilege	2152	aspnet_state.exe
Token: 33	1916	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1916	wmpnetwk.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe
Token: SeShutdownPrivilege	1764	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2144	EhTray.exe
2144	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2144	EhTray.exe
2144	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2484	1764	mscorsvw.exe	40
PID 1764 wrote to memory of 2484	1764	mscorsvw.exe	40
PID 1764 wrote to memory of 2484	1764	mscorsvw.exe	40
PID 1764 wrote to memory of 640	1764	mscorsvw.exe	41
PID 1764 wrote to memory of 640	1764	mscorsvw.exe	41
PID 1764 wrote to memory of 640	1764	mscorsvw.exe	41
PID 1932 wrote to memory of 2412	1932	mscorsvw.exe	42
PID 1932 wrote to memory of 2412	1932	mscorsvw.exe	42
PID 1932 wrote to memory of 2412	1932	mscorsvw.exe	42
PID 1932 wrote to memory of 2412	1932	mscorsvw.exe	42
PID 1932 wrote to memory of 2776	1932	mscorsvw.exe	43
PID 1932 wrote to memory of 2776	1932	mscorsvw.exe	43
PID 1932 wrote to memory of 2776	1932	mscorsvw.exe	43
PID 1932 wrote to memory of 2776	1932	mscorsvw.exe	43
PID 1932 wrote to memory of 324	1932	mscorsvw.exe	44
PID 1932 wrote to memory of 324	1932	mscorsvw.exe	44
PID 1932 wrote to memory of 324	1932	mscorsvw.exe	44
PID 1932 wrote to memory of 324	1932	mscorsvw.exe	44
PID 1932 wrote to memory of 1144	1932	mscorsvw.exe	45
PID 1932 wrote to memory of 1144	1932	mscorsvw.exe	45
PID 1932 wrote to memory of 1144	1932	mscorsvw.exe	45
PID 1932 wrote to memory of 1144	1932	mscorsvw.exe	45
PID 1932 wrote to memory of 2192	1932	mscorsvw.exe	46
PID 1932 wrote to memory of 2192	1932	mscorsvw.exe	46
PID 1932 wrote to memory of 2192	1932	mscorsvw.exe	46
PID 1932 wrote to memory of 2192	1932	mscorsvw.exe	46
PID 1932 wrote to memory of 2416	1932	mscorsvw.exe	47
PID 1932 wrote to memory of 2416	1932	mscorsvw.exe	47
PID 1932 wrote to memory of 2416	1932	mscorsvw.exe	47
PID 1932 wrote to memory of 2416	1932	mscorsvw.exe	47
PID 1932 wrote to memory of 2732	1932	mscorsvw.exe	49
PID 1932 wrote to memory of 2732	1932	mscorsvw.exe	49
PID 1932 wrote to memory of 2732	1932	mscorsvw.exe	49
PID 1932 wrote to memory of 2732	1932	mscorsvw.exe	49
PID 1932 wrote to memory of 1604	1932	mscorsvw.exe	52
PID 1932 wrote to memory of 1604	1932	mscorsvw.exe	52
PID 1932 wrote to memory of 1604	1932	mscorsvw.exe	52
PID 1932 wrote to memory of 1604	1932	mscorsvw.exe	52
PID 1932 wrote to memory of 1400	1932	mscorsvw.exe	53
PID 1932 wrote to memory of 1400	1932	mscorsvw.exe	53
PID 1932 wrote to memory of 1400	1932	mscorsvw.exe	53
PID 1932 wrote to memory of 1400	1932	mscorsvw.exe	53
PID 1932 wrote to memory of 2600	1932	mscorsvw.exe	54
PID 1932 wrote to memory of 2600	1932	mscorsvw.exe	54
PID 1932 wrote to memory of 2600	1932	mscorsvw.exe	54
PID 1932 wrote to memory of 2600	1932	mscorsvw.exe	54
PID 1932 wrote to memory of 2444	1932	mscorsvw.exe	57
PID 1932 wrote to memory of 2444	1932	mscorsvw.exe	57
PID 1932 wrote to memory of 2444	1932	mscorsvw.exe	57
PID 1932 wrote to memory of 2444	1932	mscorsvw.exe	57
PID 1932 wrote to memory of 1536	1932	mscorsvw.exe	58
PID 1932 wrote to memory of 1536	1932	mscorsvw.exe	58
PID 1932 wrote to memory of 1536	1932	mscorsvw.exe	58
PID 1932 wrote to memory of 1536	1932	mscorsvw.exe	58
PID 1932 wrote to memory of 2116	1932	mscorsvw.exe	59
PID 1932 wrote to memory of 2116	1932	mscorsvw.exe	59
PID 1932 wrote to memory of 2116	1932	mscorsvw.exe	59
PID 1932 wrote to memory of 2116	1932	mscorsvw.exe	59
PID 1932 wrote to memory of 592	1932	mscorsvw.exe	60
PID 1932 wrote to memory of 592	1932	mscorsvw.exe	60
PID 1932 wrote to memory of 592	1932	mscorsvw.exe	60
PID 1932 wrote to memory of 592	1932	mscorsvw.exe	60
PID 1932 wrote to memory of 1308	1932	mscorsvw.exe	61
PID 1932 wrote to memory of 1308	1932	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a82e6fc31e8db91fbffad10329d95db58ecc70129c7475b785d1add870129207.exe
"C:\Users\Admin\AppData\Local\Temp\a82e6fc31e8db91fbffad10329d95db58ecc70129c7475b785d1add870129207.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2684

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 258 -NGENProcess 1d0 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 260 -NGENProcess 248 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 240 -NGENProcess 264 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 268 -NGENProcess 248 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 270 -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 240 -NGENProcess 1d4 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 240 -NGENProcess 260 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 250 -NGENProcess 278 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1d4 -NGENProcess 27c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 26c -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 280 -NGENProcess 250 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 280 -NGENProcess 250 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 278 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 1d0 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 250 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 280 -NGENProcess 294 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 26c -NGENProcess 250 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 298 -NGENProcess 28c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a0 -NGENProcess 294 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 26c -NGENProcess 2a4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 250 -NGENProcess 294 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1048

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 214 -NGENProcess 200 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 248 -NGENProcess 230 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 250 -NGENProcess 1d0 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 214 -NGENProcess 254 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 200 -NGENProcess 1d0 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 224 -NGENProcess 1d0 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 254 -NGENProcess 264 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 264 -NGENProcess 200 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 270 -NGENProcess 250 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 254 -NGENProcess 278 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 27c -NGENProcess 254 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 230 -NGENProcess 254 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 270 -NGENProcess 268 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1ac -NGENProcess 284 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 288 -NGENProcess 268 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 268 -NGENProcess 280 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 250 -NGENProcess 290 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1ac -NGENProcess 290 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 284 -NGENProcess 298 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 298 -NGENProcess 294 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 25c -NGENProcess 2a0 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2a0 -NGENProcess 250 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a8 -NGENProcess 298 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1164
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 298 -NGENProcess 25c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 29c -NGENProcess 2b0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2136
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2b0 -NGENProcess 250 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:2936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2b0 -NGENProcess 29c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 29c -NGENProcess 1ac -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:1260
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 268 -NGENProcess 2c0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2c0 -NGENProcess 2b4 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  PID:1360
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2c8 -NGENProcess 29c -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 268 -NGENProcess 2cc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:3032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 298 -NGENProcess 29c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:404
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 268 -NGENProcess 2d4 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:1820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2d8 -NGENProcess 29c -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:292
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 298 -NGENProcess 29c -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2e0 -NGENProcess 2dc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2cc -NGENProcess 2e8 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2ec -NGENProcess 2dc -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 29c -NGENProcess 2cc -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2320

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:628

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:3024

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1608

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2144

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
PID:2596

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2476

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2524

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2984

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:2852

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
PID:276

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:2604

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:320

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:2548

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:1648

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2912

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:796

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
ff21e198b3edd6b0786ca3438f3ec649

SHA1
2673375dce6ca0ec3b069d2982178e7699416003

SHA256
911d8e00218a4db19cef41cca6d44e44500b742e0ecf2a8cd06f13f0f14c454b

SHA512
735b50023867a95b765847a046e39cb6c3032ac64654a5d3eb600e09806e65ceaade3fe23413f0e83d9b12b5a18e3a8ac15cbb8dc6eb0df3272b51157906c0aa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
094de61eb990bbe7577f021281640c48

SHA1
e5f6877c04da973340ad9223a170a984bb438bb4

SHA256
9a7f7513027029cb66afb5c88ec73d7c229833a0f82d110e2b44bf76b99c6c59

SHA512
76464f02070da79f8e45961f465d209e29e5c2ed872320afda55cb4007d0804cb4c9ff4375dec1013ca2b922291cc7c9b07befd76eb37854ea90a6640326cec9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
5afdafb4be968da5cc4d89813babdf37

SHA1
1cec64aed26312576398ef3fb73aec47d4c937bc

SHA256
ed0c1f66194d546f3901936ce624fea367e8fb3c06e22dc2c8a5a17845a0fdea

SHA512
38ff2afcb685e7c5a2d4a0e2ad451a21201482c552a6f2af763e0aafaae2de79773864324f6b499f99196d1e3b30755d4185baf3aef3b1f57053fedb365e7957

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
ed4f0e1ba22c625c4c024f2a3a0c56ad

SHA1
10da9d3a25c6f4bd2f3b963dccf8624047ab214b

SHA256
356eec85bbff8590ad8091c00322535a4a2dced3645db85d25afd3bda2d1adab

SHA512
f5e6e84f108c8abe33e0b2611ce1480283ee5ce30786c6652f86e80fe39fcac17cd43d6421ec9246e4a3c46f86dc5d25991345c91ba0dfaa1bfe5f89b3f5e5a2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
1f9a257119a6bb66eff8c7b09aa8c7fb

SHA1
555d2f0ba4a158fbb836d5bc45d6ad81b395f32d

SHA256
ad9cb676a2c38cc8eca421ed08bf3899f4ececdb91f419fd3a6cab12f4c805fd

SHA512
861f18165c6123469b174abe7bc978390b3f979d7a53058faad9095ba367d66b30e7a943b73bf5f242c622b76d4c408389904cac39e65d21298c30b6ff0d14de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
ad3f98ac7d2c212a93dfbe43248b5f28

SHA1
9038333dc7a59a8862313bef20e86a549696338b

SHA256
4d317f9208f606c8c477a3097357c8c79ef3c83882c8886c5179757798c6ce04

SHA512
f173d2168dd3636644962cffea2813d354f298873fa59cfc42788ed1b66aa9c7cda7785e10d45ce1414c689509e3b80f3ad75d388491e086eb6e9f1db4b1f272

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
530fb27186cfccbbe4bfc386d3bf278c

SHA1
f2623f6e77b5c063c541577fe7a68d6aab248e3b

SHA256
5656c32c052cebb38951cd79c3a1068c4e2cb35f347b66e2244de0fa20c4c322

SHA512
f9038f1db714b5fdf9b6176df23cf9f98b954d6b5ca4abddf800e9f31639a6b7d1d279b0fd6008baa044df07af577c9e54b9b000ccf251f4a4e1f9a8bf2c466d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
9bb81e109145787a7e305e58884d857e

SHA1
7b35691c12f0af15ec8e2b2c53909b4858e8459c

SHA256
46433ac67c1a40248c6ead880d683140523b54cf21ad513a9ab70a324c65ca7e

SHA512
6d2488beab4bed60d9a3f874ff4435844a33ed47a5a8b7fa5d384f7dfabf413b1b06e69d9d002c3fca3f26b0cf3f0444a55efd3bf7eebacb8c84c4ad6dcac935

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
10KB

MD5
b56287385604c8b36385b823dd2f881e

SHA1
c7142ca11486ea6895aae013682993c78bed71bb

SHA256
d1f582f59eef54f5ea6e976d75d284aeb35cf4d620eb8c60de30c84d7eee6a4e

SHA512
9a8b7c9f3d017716b080759a1ffd38b00fa850d657b33a5c69f5f799ab4869ea6ed0f745c76a0aa09616d8a85cf294f57e8c28acab092d20b57d2b9750bf00c3

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
2b034cccd1706cfd0836ee6709cc4249

SHA1
dc1985d0578faafadf1be5fab2243aaf68a07665

SHA256
ccb3021872b41e46540b48f5661a155a525635a38f5b97103a5d0a7f487e8f5e

SHA512
fcb0166c2b21f168a10ab21a74437a2426c39de1a93114d544d8cc0d6c742e0993a55832390ffb23ba40ae9b7b4ad4287eae1e5202fb7ec6c1100ac4afb6565d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
a298dadd23b113d692c2124dc9f97516

SHA1
1b6d9ba4730d72fbab0993b01ccc68cb313453af

SHA256
3ab7e12f73d98a3151e0b192a49afa51b35132f48f2eb7933e3258e20d2116fd

SHA512
e25dc37f18a321dbb711c9b4c7aedc16a8db4cfa408c44747ae23874a1bca3849b38bd9d790c0be8baa3ae36a2c88fd0cfb57ae22ab14b34e414d7dc3b3a52ad

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
083b13a943e2a579acd954035828c4df

SHA1
01c708496a3a0c28c06303f1665a81cce6b53290

SHA256
d733944034010997c937b9dd2d987062959df839bc93a0bd73d19248c4b4530b

SHA512
69d043efa357973160fd1b3e3730370bc0e2aff5f20274ff1fba089f4edefa492cea42bc41f73a18f452c36124e17801b8d64f20407ed2fb93f9d7eca51bc25e

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
2dbe33411375c5f4ab4c72edda694db4

SHA1
e1083325e30ce00ef5b70bed3a94e21821bf8688

SHA256
7db54c3a6982eba22626024af389b553f187f56226512d47dfa98361f1009fe6

SHA512
1f27396e6cb44c2f5b8726b2a98d9d5a07051290c3fc671a4c5a19ea651ab449d960037e1759e243f5bbf22e2e64d7712a135c378e62120e7cf984ae5b19a97b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\56d57dc144299251a211cb7af4300904\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
eb39d90e748a6c38f8dc45ef2fb14256

SHA1
f6e8f24c0c308ef2a64aa3d1eb09d76a5c94011c

SHA256
3657958bff7b6cb79076fa7dd61ab437173d1d01662de6214b04cc36bc9f0f72

SHA512
ebd200399946677168b20263bb30c103404168b590449dd96d2f367346856d71f605d125fa1046bc13addca883cb6379e8b0c1b75a852f0545f7367abfcc9787

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\622c0233f4100d4b4041ead3a1f09e6f\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
0a00e9388ebd582fc204cd01103f7e8b

SHA1
172a7f76d76bfd0a82f2059fbdddd1f45f4b9700

SHA256
4fdf7ac7776254413c80e6ec4dec259bfe2b1f14b9e409a67436a669b19e34b7

SHA512
c9aa22e705745fe0557b49dc21984a0b5dfe2963a9c997ad142023848b1bcafa6abe47afa9f61d6f9a7d53dca67f9aefe5e4931a7e6fa50dcc6de6473b7c6f04

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a4f56394f651165ad1374937bdfbf663\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
6835a281516f023aa1e0b8a40bfe9061

SHA1
ac8f518867d05a759da2ebf03184357c3726597b

SHA256
a97df7db3210faa86e63ecd872c4674e534f50e71c58f78326746eaacb33312e

SHA512
2f240fcd2de23d9065237a01d7de67dd4ae208c22e4ddb327db643be2c2c2953e93612d750d6e98052d3e8f55dc4dae90794792b9bbe5114a44ebf66bc8689be

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\d83ee0d990fecce159e9e7c427a98c89\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
6c6e4206f1039c5f91b59963301f2425

SHA1
cf539c09c003ccd8ec59f4f98c673edc807cbcd8

SHA256
3a871f634b33f0a37f2e8200c9c54d5253f0edbe0ef843cc3753e55267d23a43

SHA512
5a7979a7b40a90a631121697f96a64d6abf6d0747320d7b9d14bc9db39a509d825df895939229c4eba938a2724780c821d678e912e386015a9d9fb2f112e1d06

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
0b1ea668c6d9cfe8a995b99ff81b783c

SHA1
c1e58cdb5f58358e4b741151324acf34c8476298

SHA256
b7cd4d2af5fab7ee4ad69409dbed999ff15eaff7f8c37cc59e08dfbc4960c0fb

SHA512
be2e760eae26b01a67d343d69e52c6adabcd3cb0cad5b01fad2c114765329f091ec4f9d65bee1eff2bfa35b30dcfc3f24216b70c0184719d84b5d0eef2c6917e

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
2ab88e8f1be2ab59ff1050a33be20ea9

SHA1
52d40eb365a1fa30a7d0d7780debe1d9e2caf5d2

SHA256
06e350d83cc8ddd41bbce0f5592e42b8c1ee53a0b3186dee6b3cd825117cf7d7

SHA512
3b5ccad4156caf1e61f10a59fc831355167abe4399d4a72fd2b8f8fad57abff56fc27e63c8dbb4663eeeeb0abf62b227b6fb32471a48fb9dd149ea172a1bd1f4

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
921e60cb2628cb686226b3e48f60c687

SHA1
606a53229089dc9f1361e8ccfcd7a0007b4983ce

SHA256
5c12543ec48e093093550af32b335bdae5cfb47f426227c31c0c367675b066af

SHA512
f23023a4e7034c4adc524e382b676d55f215f947f3f7975e0ce24d4d1deaf7f6119a54ff1803311f413b6994f4fed2d6cb547290056f230b4dbb322a23201add

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9167.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9463.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP97AD.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
memory/324-407-0x0000000073A70000-0x000000007415E000-memory.dmp

Filesize
6.9MB

Download
memory/324-408-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/324-395-0x0000000073A70000-0x000000007415E000-memory.dmp

Filesize
6.9MB

Download
memory/324-389-0x00000000002B0000-0x0000000000316000-memory.dmp

Filesize
408KB

Download
memory/628-176-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/628-177-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/628-183-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/628-312-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/628-276-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/640-329-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/640-331-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/640-335-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/640-342-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/640-345-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/640-347-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1144-422-0x0000000073A70000-0x000000007415E000-memory.dmp

Filesize
6.9MB

Download
memory/1144-403-0x0000000000A00000-0x0000000000A66000-memory.dmp

Filesize
408KB

Download
memory/1144-409-0x0000000073A70000-0x000000007415E000-memory.dmp

Filesize
6.9MB

Download
memory/1608-287-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1608-286-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1608-352-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1764-162-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1764-304-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1764-160-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1764-154-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1932-137-0x0000000000350000-0x00000000003B6000-memory.dmp

Filesize
408KB

Download
memory/1932-142-0x0000000000350000-0x00000000003B6000-memory.dmp

Filesize
408KB

Download
memory/1932-295-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1932-136-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1960-119-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1960-169-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1960-126-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/1960-120-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/2152-101-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/2152-185-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2152-95-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/2152-94-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2192-419-0x00000000004B0000-0x0000000000516000-memory.dmp

Filesize
408KB

Download
memory/2412-343-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2412-353-0x0000000000520000-0x0000000000586000-memory.dmp

Filesize
408KB

Download
memory/2412-355-0x0000000073A70000-0x000000007415E000-memory.dmp

Filesize
6.9MB

Download
memory/2412-380-0x0000000073A70000-0x000000007415E000-memory.dmp

Filesize
6.9MB

Download
memory/2412-379-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2484-314-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2484-306-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2484-328-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-333-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2484-334-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-332-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2596-354-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2596-293-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2636-297-0x0000000000C30000-0x0000000000CB0000-memory.dmp

Filesize
512KB

Download
memory/2636-298-0x000007FEF4260000-0x000007FEF4BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2636-296-0x000007FEF4260000-0x000007FEF4BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2636-356-0x000007FEF4260000-0x000007FEF4BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2636-370-0x0000000000C30000-0x0000000000CB0000-memory.dmp

Filesize
512KB

Download
memory/2636-358-0x0000000000C30000-0x0000000000CB0000-memory.dmp

Filesize
512KB

Download
memory/2636-412-0x0000000000C30000-0x0000000000CB0000-memory.dmp

Filesize
512KB

Download
memory/2636-357-0x0000000000C30000-0x0000000000CB0000-memory.dmp

Filesize
512KB

Download
memory/2684-106-0x0000000000470000-0x00000000004D6000-memory.dmp

Filesize
408KB

Download
memory/2684-171-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2684-111-0x0000000000470000-0x00000000004D6000-memory.dmp

Filesize
408KB

Download
memory/2684-105-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2776-394-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2776-381-0x0000000073A70000-0x000000007415E000-memory.dmp

Filesize
6.9MB

Download
memory/2776-393-0x0000000073A70000-0x000000007415E000-memory.dmp

Filesize
6.9MB

Download
memory/2776-375-0x0000000000390000-0x00000000003F6000-memory.dmp

Filesize
408KB

Download
memory/2928-1-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2928-135-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2928-269-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2928-6-0x00000000005E0000-0x0000000000646000-memory.dmp

Filesize
408KB

Download
memory/2928-7-0x00000000005E0000-0x0000000000646000-memory.dmp

Filesize
408KB

Download
memory/2928-0-0x00000000005E0000-0x0000000000646000-memory.dmp

Filesize
408KB

Download
memory/2940-161-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2940-32-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2940-14-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2940-13-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/3024-190-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/3024-275-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3024-330-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download