e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25/04/2024, 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
Size

1.8MB
MD5

d25ca1c056e52c3de957cab66faaf9f8
SHA1

933dc579e995f35880f06bd44557a04931611648
SHA256

e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382
SHA512

3e9cab55ed9260c6026e1fe78405c310283e80765e18c3697d1b779ff8f703697141c11240d1e6fc3bfe7fa314fae0c739c49636e95819a838180bf0e6935f9c
SSDEEP

49152:XKJ0WR7AFPyyiSruXKpk3WFDL9zxnSf7/i3da1YS6ozB:XKlBAFPydSS6W6X9lnG7/iyB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
480	Process not Found
2608	alg.exe
2536	aspnet_state.exe
1468	mscorsvw.exe
2312	mscorsvw.exe
1632	mscorsvw.exe
1260	mscorsvw.exe
2072	ehRecvr.exe
476	ehsched.exe
2744	elevation_service.exe
2904	IEEtwCollector.exe
2668	GROOVE.EXE
1976	maintenanceservice.exe
2028	msdtc.exe
3040	msiexec.exe
2448	OSE.EXE
2484	OSPPSVC.EXE
1500	perfhost.exe
856	locator.exe
1948	snmptrap.exe
2124	vds.exe
2600	vssvc.exe
2132	wbengine.exe
2112	WmiApSrv.exe
1048	wmpnetwk.exe
2932	SearchIndexer.exe
2588	dllhost.exe
3028	mscorsvw.exe
2556	mscorsvw.exe
1392	mscorsvw.exe
3056	mscorsvw.exe
2156	mscorsvw.exe
2220	mscorsvw.exe
2176	mscorsvw.exe
2580	mscorsvw.exe
2296	mscorsvw.exe
972	mscorsvw.exe
1056	mscorsvw.exe
2156	mscorsvw.exe
2388	mscorsvw.exe
1308	mscorsvw.exe
1552	mscorsvw.exe
2260	mscorsvw.exe
1872	mscorsvw.exe
2864	mscorsvw.exe
1912	mscorsvw.exe
3012	mscorsvw.exe
656	mscorsvw.exe
2552	mscorsvw.exe
1572	mscorsvw.exe
2156	mscorsvw.exe
1752	mscorsvw.exe
376	mscorsvw.exe
2272	mscorsvw.exe
2388	mscorsvw.exe
2248	mscorsvw.exe
788	mscorsvw.exe
2024	mscorsvw.exe
1760	mscorsvw.exe
2752	mscorsvw.exe
2928	mscorsvw.exe
1652	mscorsvw.exe
2872	mscorsvw.exe
1472	mscorsvw.exe

Loads dropped DLL 51 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
3040	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
756	Process not Found
480	Process not Found
788	mscorsvw.exe
788	mscorsvw.exe
1760	mscorsvw.exe
1760	mscorsvw.exe
2928	mscorsvw.exe
2928	mscorsvw.exe
2872	mscorsvw.exe
2872	mscorsvw.exe
2904	mscorsvw.exe
2904	mscorsvw.exe
2856	mscorsvw.exe
2856	mscorsvw.exe
1004	mscorsvw.exe
1004	mscorsvw.exe
2436	mscorsvw.exe
2436	mscorsvw.exe
1452	mscorsvw.exe
1452	mscorsvw.exe
1304	mscorsvw.exe
1304	mscorsvw.exe
2104	mscorsvw.exe
2104	mscorsvw.exe
340	mscorsvw.exe
340	mscorsvw.exe
1768	mscorsvw.exe
1768	mscorsvw.exe
768	mscorsvw.exe
768	mscorsvw.exe
2140	mscorsvw.exe
2140	mscorsvw.exe
3044	mscorsvw.exe
3044	mscorsvw.exe
2948	mscorsvw.exe
2948	mscorsvw.exe
1552	mscorsvw.exe
1552	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\af6fc5d9bfe435d8.bin	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Windows\system32\wbengine.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Windows\system32\locator.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Windows\System32\vds.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Windows\system32\vssvc.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM12B6.tmp\GoogleUpdate.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM12B6.tmp\goopdateres_lt.dll	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File created	C:\Program Files (x86)\Google\Temp\GUM12B6.tmp\goopdateres_ms.dll	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F6AFA7E0-7C65-4C06-9D81-8A9FA89DB845}\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM12B6.tmp\goopdateres_fi.dll	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM12B6.tmp\goopdateres_zh-TW.dll	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM12B6.tmp\goopdateres_hr.dll	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8E7A.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC053.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA0F1.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD46F.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP935A.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\msra.exe,-635 = "Invite a friend or technical support person to connect to your computer and help you, or offer to help someone else."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32822 = "Everywhere"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\sud.dll,-10 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 010000000000000030f7fe42ce96da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100 = "Sound Recorder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\comres.dll,-3410 = "Component Services"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008 = "Windows Mobility Center"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4 = "Windows Media Player"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090c6bf43ce96da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\ehome\ehres.dll,-116 = "Opens your home entertainment option for digital and on-demand media, including TV, movies, music and pictures."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\syswow64\unregmp2.exe,-155 = "Play digital media including music, videos, CDs, and DVDs."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102 = "XPS Viewer"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d03a1a44ce96da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20 = "Windows Firewall with Advanced Security"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10082 = "Games Explorer"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10306 = "Overturn blank squares and avoid those that conceal hidden mines in this simple game of memory and reasoning. Once you click on a mine, the game is over."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-308 = "Landscapes"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10309 = "Solitaire is the classic, single-player card game. The aim is to collect all the cards in runs of alternating red and black suit colors, from ace through king."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1300	ehRec.exe
2744	elevation_service.exe
2744	elevation_service.exe
2744	elevation_service.exe
2744	elevation_service.exe
2744	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2868	e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1260	mscorsvw.exe
Token: 33	1144	EhTray.exe
Token: SeIncBasePriorityPrivilege	1144	EhTray.exe
Token: SeDebugPrivilege	1300	ehRec.exe
Token: 33	1144	EhTray.exe
Token: SeIncBasePriorityPrivilege	1144	EhTray.exe
Token: SeRestorePrivilege	3040	msiexec.exe
Token: SeTakeOwnershipPrivilege	3040	msiexec.exe
Token: SeSecurityPrivilege	3040	msiexec.exe
Token: SeBackupPrivilege	2600	vssvc.exe
Token: SeRestorePrivilege	2600	vssvc.exe
Token: SeAuditPrivilege	2600	vssvc.exe
Token: SeBackupPrivilege	2132	wbengine.exe
Token: SeRestorePrivilege	2132	wbengine.exe
Token: SeSecurityPrivilege	2132	wbengine.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1260	mscorsvw.exe
Token: 33	1048	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1048	wmpnetwk.exe
Token: SeManageVolumePrivilege	2932	SearchIndexer.exe
Token: 33	2932	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2932	SearchIndexer.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1260	mscorsvw.exe
Token: SeShutdownPrivilege	1260	mscorsvw.exe
Token: SeDebugPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1260	mscorsvw.exe
Token: SeDebugPrivilege	1260	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1260	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1260	mscorsvw.exe
Token: SeShutdownPrivilege	1260	mscorsvw.exe
Token: SeShutdownPrivilege	1260	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1260	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1260	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1260	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1260	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1260	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1260	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1260	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1260	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1260	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1260	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1260	mscorsvw.exe
Token: SeShutdownPrivilege	1632	mscorsvw.exe
Token: SeShutdownPrivilege	1260	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1144	EhTray.exe
1144	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1144	EhTray.exe
1144	EhTray.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 3020	2932	SearchIndexer.exe	56
PID 2932 wrote to memory of 3020	2932	SearchIndexer.exe	56
PID 2932 wrote to memory of 3020	2932	SearchIndexer.exe	56
PID 2932 wrote to memory of 2400	2932	SearchIndexer.exe	57
PID 2932 wrote to memory of 2400	2932	SearchIndexer.exe	57
PID 2932 wrote to memory of 2400	2932	SearchIndexer.exe	57
PID 1632 wrote to memory of 3028	1632	mscorsvw.exe	59
PID 1632 wrote to memory of 3028	1632	mscorsvw.exe	59
PID 1632 wrote to memory of 3028	1632	mscorsvw.exe	59
PID 1632 wrote to memory of 3028	1632	mscorsvw.exe	59
PID 1632 wrote to memory of 2556	1632	mscorsvw.exe	60
PID 1632 wrote to memory of 2556	1632	mscorsvw.exe	60
PID 1632 wrote to memory of 2556	1632	mscorsvw.exe	60
PID 1632 wrote to memory of 2556	1632	mscorsvw.exe	60
PID 1632 wrote to memory of 1392	1632	mscorsvw.exe	61
PID 1632 wrote to memory of 1392	1632	mscorsvw.exe	61
PID 1632 wrote to memory of 1392	1632	mscorsvw.exe	61
PID 1632 wrote to memory of 1392	1632	mscorsvw.exe	61
PID 1632 wrote to memory of 3056	1632	mscorsvw.exe	62
PID 1632 wrote to memory of 3056	1632	mscorsvw.exe	62
PID 1632 wrote to memory of 3056	1632	mscorsvw.exe	62
PID 1632 wrote to memory of 3056	1632	mscorsvw.exe	62
PID 1632 wrote to memory of 2156	1632	mscorsvw.exe	70
PID 1632 wrote to memory of 2156	1632	mscorsvw.exe	70
PID 1632 wrote to memory of 2156	1632	mscorsvw.exe	70
PID 1632 wrote to memory of 2156	1632	mscorsvw.exe	70
PID 1632 wrote to memory of 2220	1632	mscorsvw.exe	64
PID 1632 wrote to memory of 2220	1632	mscorsvw.exe	64
PID 1632 wrote to memory of 2220	1632	mscorsvw.exe	64
PID 1632 wrote to memory of 2220	1632	mscorsvw.exe	64
PID 1632 wrote to memory of 2176	1632	mscorsvw.exe	65
PID 1632 wrote to memory of 2176	1632	mscorsvw.exe	65
PID 1632 wrote to memory of 2176	1632	mscorsvw.exe	65
PID 1632 wrote to memory of 2176	1632	mscorsvw.exe	65
PID 1632 wrote to memory of 2580	1632	mscorsvw.exe	66
PID 1632 wrote to memory of 2580	1632	mscorsvw.exe	66
PID 1632 wrote to memory of 2580	1632	mscorsvw.exe	66
PID 1632 wrote to memory of 2580	1632	mscorsvw.exe	66
PID 1632 wrote to memory of 2296	1632	mscorsvw.exe	67
PID 1632 wrote to memory of 2296	1632	mscorsvw.exe	67
PID 1632 wrote to memory of 2296	1632	mscorsvw.exe	67
PID 1632 wrote to memory of 2296	1632	mscorsvw.exe	67
PID 1632 wrote to memory of 972	1632	mscorsvw.exe	68
PID 1632 wrote to memory of 972	1632	mscorsvw.exe	68
PID 1632 wrote to memory of 972	1632	mscorsvw.exe	68
PID 1632 wrote to memory of 972	1632	mscorsvw.exe	68
PID 1632 wrote to memory of 1056	1632	mscorsvw.exe	69
PID 1632 wrote to memory of 1056	1632	mscorsvw.exe	69
PID 1632 wrote to memory of 1056	1632	mscorsvw.exe	69
PID 1632 wrote to memory of 1056	1632	mscorsvw.exe	69
PID 1632 wrote to memory of 2156	1632	mscorsvw.exe	70
PID 1632 wrote to memory of 2156	1632	mscorsvw.exe	70
PID 1632 wrote to memory of 2156	1632	mscorsvw.exe	70
PID 1632 wrote to memory of 2156	1632	mscorsvw.exe	70
PID 1632 wrote to memory of 2388	1632	mscorsvw.exe	71
PID 1632 wrote to memory of 2388	1632	mscorsvw.exe	71
PID 1632 wrote to memory of 2388	1632	mscorsvw.exe	71
PID 1632 wrote to memory of 2388	1632	mscorsvw.exe	71
PID 1632 wrote to memory of 1308	1632	mscorsvw.exe	72
PID 1632 wrote to memory of 1308	1632	mscorsvw.exe	72
PID 1632 wrote to memory of 1308	1632	mscorsvw.exe	72
PID 1632 wrote to memory of 1308	1632	mscorsvw.exe	72
PID 1632 wrote to memory of 1552	1632	mscorsvw.exe	73
PID 1632 wrote to memory of 1552	1632	mscorsvw.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe
"C:\Users\Admin\AppData\Local\Temp\e2b6a62cf34a6c1cfac113db06300cf283621a405eb4ef67e5de7a0f41145382.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2608

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2536

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1468

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 250 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 248 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2dc -NGENProcess 310 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 318 -NGENProcess 2d8 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 30c -NGENProcess 334 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 340 -NGENProcess 2d8 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 328 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2d0 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 350 -NGENProcess 2d8 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 32c -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 35c -NGENProcess 328 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 350 -NGENProcess 364 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 30c -NGENProcess 328 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 36c -NGENProcess 35c -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 374 -NGENProcess 36c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 30c -NGENProcess 340 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 378 -NGENProcess 36c -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 370 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 374 -NGENProcess 340 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 378 -NGENProcess 384 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 348 -NGENProcess 340 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 38c -NGENProcess 374 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 320 -NGENProcess 1fc -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 32c -NGENProcess 214 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 350 -NGENProcess 368 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 344 -NGENProcess 214 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 344 -NGENProcess 350 -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 37c -NGENProcess 2ec -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 368 -NGENProcess 34c -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 34c -NGENProcess 364 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 330 -NGENProcess 33c -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 31c -NGENProcess 330 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 37c -NGENProcess 31c -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 31c -NGENProcess 2c8 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 37c -NGENProcess 2c0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 330 -NGENProcess 31c -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 218 -NGENProcess 37c -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 33c -NGENProcess 324 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 2e0 -NGENProcess 218 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 38c -NGENProcess 330 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 394 -NGENProcess 390 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 390 -NGENProcess 2e4 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:1392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 380 -NGENProcess 30c -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 30c -NGENProcess 374 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 30c -NGENProcess 380 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 380 -NGENProcess 294 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 30c -NGENProcess 384 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 360 -NGENProcess 348 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 398 -NGENProcess 380 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 37c -NGENProcess 3c0 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:1996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 36c -NGENProcess 3b0 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 3b0 -NGENProcess 37c -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 384 -NGENProcess 398 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 390 -NGENProcess 3b8 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3d4 -NGENProcess 3c0 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 398 -NGENProcess 3d8 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3dc -NGENProcess 3c0 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3cc -NGENProcess 3e4 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 380 -NGENProcess 3ec -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 3c4 -NGENProcess 3e4 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:1016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3e8 -NGENProcess 3f4 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3b8 -NGENProcess 3e4 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3fc -NGENProcess 3b8 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 3b8 -NGENProcess 3e8 -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  PID:276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 404 -NGENProcess 3f8 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 40c -NGENProcess 404 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 3e4 -NGENProcess 3fc -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:2432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 414 -NGENProcess 334 -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 414 -NGENProcess 3e4 -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 404 -NGENProcess 334 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3e8 -NGENProcess 408 -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  PID:1956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 3e8 -NGENProcess 390 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 434 -NGENProcess 3e8 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 424 -NGENProcess 404 -Pipe 420 -Comment "NGen Worker Process"
  2⤵
  PID:2548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 418 -NGENProcess 43c -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:1528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 334 -NGENProcess 43c -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:1392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 418 -NGENProcess 3e8 -Pipe 44c -Comment "NGen Worker Process"
  2⤵
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 390 -NGENProcess 418 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:1516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 390 -NGENProcess 444 -Pipe 424 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 2d8 -NGENProcess 428 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 428 -NGENProcess 3ec -Pipe 444 -Comment "NGen Worker Process"
  2⤵
  PID:1768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 430 -NGENProcess 450 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 460 -NGENProcess 458 -Pipe 430 -Comment "NGen Worker Process"
  2⤵
  PID:3028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 470 -NGENProcess 2d8 -Pipe 46c -Comment "NGen Worker Process"
  2⤵
  PID:1456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 428 -NGENProcess 478 -Pipe 460 -Comment "NGen Worker Process"
  2⤵
  PID:1872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 428 -NGENProcess 478 -Pipe 470 -Comment "NGen Worker Process"
  2⤵
  PID:1932

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1260
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 230 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1752

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2072

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:476

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1144

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2744

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2904

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2668

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1976

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2028

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2448

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2484

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1500

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:856

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1948

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2124

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2112

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:3020
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  - Modifies data under HKEY_USERS
  PID:2400

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
db842f2fcd757dc99c9e88ff5445f785

SHA1
c27e4a209047d9b09634d05668af849ccd2377ab

SHA256
42dbd70165875245258417e10df3c0a242dc1779a260b0b1bd128be26e14f274

SHA512
fe6aa0ca121e22c955e21e3f53e6faf1a8a6547af21a0d59087be8dd5fc0d5fbdfdc64081d27b14fe44bf0f45aaa5ec7b1f5ce28cd8dc76f8b2c6842b4426453

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
fadc9a1fd7e08a778ef5bdb93183009b

SHA1
963cf36ec16d5e6fba18404e7f62e0722dcce93d

SHA256
bf79c46995d39b42ad08fb1a96f44832297e7247b3b62dc1b8f6a2c5f1f980aa

SHA512
5cfe77a205b82113ad62ec19423fb434a4a811fbf6e01b650052a15653a21293ea7e50e09a00a7b8c7c22beee460712e7243d3d2bc19ebb75303685d3e8c2d69

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
270680cfa28cd1e89eeaac8fb7452c22

SHA1
8e4dd00dfc0123ca878754187f26453e14af6301

SHA256
532617790b4eac44e664d899c2e591d744638d2ec7acf8bedbf3f5310dc22edc

SHA512
c96a83265c48804c7bac3258f098a40500bc5a424f77b30b3e2c9fdf9f1a52d94fb92c6fc32f074bffa8defb7d592499a2fff8a265f61d3113e7cc6905b1d9c8

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
665c826e2f13505ad5616a92f315fbe4

SHA1
bbc278ecf305936143633fbdda022fc37c2e20b1

SHA256
024735d7727f5364fb503fa69171ce7f4cad123814a24682b32cdb171b726e9b

SHA512
247caa6721b6e365feb0f35e8409fd2bd404340024b55d54ae0a5632527bddef1eacb5fc0c8f9ca1a36bbebf14225bd098ab4e32b227b2d78efe9477ec5fb7b5

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
eb818e37b61795936de8c2bcc2078b8a

SHA1
075d6f6f612bca15f0c21b99eed5dab86b4ff199

SHA256
3a41d5107fe848617f4e00b45cfbab3a05cb355380589e15e00e013e671978c0

SHA512
84dcf368b1f3eda4c810b5e30790b22b5d6e61c60e54a1e43cbbdd3ee633b235d5bb5e32b203f3e879f8701a81ed38d31d2ff5b9a5b000d6323b0b7f380039c2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
4300a0b6932b3a1cc1892b29b6774752

SHA1
432ac10bd2c27f9b17575b24cce42e1a268d9025

SHA256
87ca7f5edde566257b71bf900d10ded569a44d4494da7b7dc6f58d990e87e688

SHA512
14a47caea6d8f7910890d6aad53fc39c33781d9c4f1ac11134d7bdb0f4ecfc3ae571bbc96bdda83dac8ccac373e845b4de5e8e70f2f013d870e0941d5c5df3ff

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
061a21784a5aa813d28276a9c8075ec8

SHA1
37c2ba315045355f3880664ffe1537789543cfe7

SHA256
e4928eed41cb0dc551f5d797b46cf4dbe2f108410923dd81f0ef098ab492b809

SHA512
597b202597fd11c79d46a85bc84aca9f5891f4ceaa3ce5203a155f3d0cbb5d84f6cd7b8118e702bd15a47051866614753cbb34ba7a0bec80e104c189980dc5e2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
8893897c1b63cf75b637dd997151fd67

SHA1
89af605e6b1e084c77a20bb11be23b3388943709

SHA256
a57f45fa75977f40c2ccf3e43be69fe108419ea93f007274b2c3db8a8a29add5

SHA512
3fce08856196c199c1b3224bf56f33a5d011ab1d18c26f9a4d87253c3dbfdff29d7b52aa5bd87f70cbd2e666eb9488a08d624b6aaa055f259d5a52bd6e1273a7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4c5ad0776e6c167ee6781a851bc82a75

SHA1
06e292568629adc5d9ce122c006f27c28215cc11

SHA256
358a9c278ee953069377a47c7d2aab37eba2bb05e07e444b0012bac1c26869db

SHA512
aa32cc541be773d3aff66d89d83842d61bb92a01279a9442931496cc1bb980e21648f7311e8f5a321ed21fc4995d9c27bf576b25f611e606f6957a3982ef9b25

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
759bccc1898b8ed2b25e1fb9e35dbd9c

SHA1
b5ae09411ea140840086a135f6e653ae7c576dc8

SHA256
0ed99efbe3b84ef5b734988ce6316d4a5703b77c59835c2a100c6b1f62ac31f3

SHA512
8afbd2e11cd49da7581721f4eec7c04a6cf22e08e3328fdaaed8090e57c45796f6bfebd445a139762018b9af44ab6b5905979a06ff341cc55871d0afcd8c19e0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
41a006e6b0ac9486ad310451870b3648

SHA1
9d7ca780cd91f172474d3a17ea6bb6c1852abba0

SHA256
ea6600912c242a3ca6ca25ab9d6543e3adced02ce0906cc6a22a7062497c5f64

SHA512
fd3fae9f84360bd6785b025121ba3f7be5912237bac6531fc5096ad09c5e3039993a0bf9da6fc6a734e932395cdae919c4629f739e5e8ba4ba776002c4dcde61

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
6e7982104d2e2eef106694cf593c7462

SHA1
3e6d50fe4ea0145c94ce4873221fe3274ad1b794

SHA256
3d80911831a742342baa39b7487cf72dabf87dd1855ff047f1c4202c841b55d5

SHA512
64eb3a218d8ced89e01542eb590baabf0c4a2a94aeb151dba24df33e6f6a89abc1591fcf333883df6c2a8632b552ceda1231fafbab004e62219068b0a3a9688e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
9173c765feab60d9b3c6e8466e9636f6

SHA1
74b0bb77bbc5cd4868da491a97d959b753729b81

SHA256
d642d2e65b4f19ec2983275142bf5bbf7af60cb1eefa863f87cdc8affa3eea0c

SHA512
4b6b704ad89526c7430b0f623e515657e2f8211d3660f1ca7d410e7cb8ec3d11f923478d9ed7cafaaa8203508acd9fd9442dd496bef690b00e4db0d8e6713301

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
13b698903367587c96b69f50a54458a4

SHA1
b9eddb59adf6c4dbf94eb373a5689e1504d9db25

SHA256
1d2f837f77cf5b8abff7cac95545162f96e0f08bb9ee2acd0b8c8d1d87fa1e9a

SHA512
5e3dd65e48963fd0f15f648d58b96d92d67e06d0f238d2c2df9500142706b5d0ae74634eedd3cb5bcb62987cab771c8e973f27ecb3cc7781a9b168443e922286

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
420da304d4a2dbf63fe58c964ba5d151

SHA1
51cee101d8ad11c9b56749b86928bb4fc4242b08

SHA256
dec3a4a2bebe3f4acd0f3faef0bf97d40f16940929d06b5c2f2cf050e1b86a34

SHA512
4530ec279f0daed12db51d1d57cd0023946a0ed1365282afc084028673f9acb6d6116f60f474f752c19df027cc0e70b36db04e68e50adb400729cec0b869668c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
41ffb428712049324ad9a946faa0ffa2

SHA1
07971d6c96408b9ae3f3d5866ceadd37aefa9de4

SHA256
b5f4a5d23f74b8a1467d5beec929c84f31031b809d78b2b6b5703bdd7a0fad9b

SHA512
b82e917ff72c867cdcf533f50fdab35a78f8a1c494453f2b3ad091c85a49b2c886bebe44ee96253a78e6904925a64ce737ae210a95af4ef29795319072ddb9d6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
deef61e5e110502c00523eff90b15d93

SHA1
1383bc63cc68c4fc36cb2d63e9bdc8d406640f23

SHA256
b9a1057f55e02998b5f575edfcc81a1d7f3601c2e04a30126dc9c88465457d3f

SHA512
0f9ad5b2193782ed9574ef1cb7213957b3e8639791784c0c6f5ac9a544487a8da33a7a230ce05c98ee821e0e9a9e80db81a9cfede7f0ca27886355a437b560e5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
99fda02972e48b638af21ca308105e16

SHA1
9924787f2012ed9e65c4f4987c56eda1ae3956cf

SHA256
0dc0bba833b1e1800dbc9d8fc5f9c3f4a538a38cdb543c712e1b737fca3d5655

SHA512
db7749a35084d891ba4eba6b1744a9b66d07d41ad90a8350734ebe5b78afd510a6e16b7a3636347a68a6a29a43356d4cc5f01760461f0a56b09e9cfa9c8ad847

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
577KB

MD5
cd0668a3123415ddbab1b2f73b7536bc

SHA1
1462ba8be62a94de3d9be4f8a7242a0dd36dca42

SHA256
c1021ae910cb0714b0bdfb1d35a7288351128220fb9d0d6381540537230fcd92

SHA512
992ebae3730dbc81e072f2af5fed05c240d3659bd26a6f9c6bcc0d2431a870b59152d8013d5ffbbdaa3ccecd4a251fcde39cf800167ee2d8000e5c0b7b6c91fb

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
95dab2f4dfc29849ae28b92cceacc550

SHA1
169421dc7d632fd5c4c1057868fdb800b32ac728

SHA256
11c970cda357092630550fa31bb26550d254f14f5ed94cefcccf0a288d5f957c

SHA512
b571f29ffa9cd04157c5b36946ec0e74c3ce46105502ee91ac20516a58584620d088f01aab591a0c690292014cd3778efac234f67e096275db1575f85b7b3716

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
86f9ea1f543ed9ad5c957988a75bfca9

SHA1
cf70699e5d2d14385b9e194ed8e4d97ae9fae718

SHA256
fc48be2f19f2a58f4628ceed62e509aa14a84cfef15a9f3170e85202c9f96001

SHA512
24066285e1fa84bf59b0a4a6757660c102451a525edf057c28415f43f7abec2fde2b30346a661e19fdc4f83468c85ee43db80a196b2ed452b58e259f53984b94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
84a824870556b89feb0443cf5a38e3fa

SHA1
074e0ca90891be77e0f2005f0c945d048b6614e2

SHA256
8bc8e68ae97e77f0e5a22700014a48b2a8c74970369008569431fa34c0d659ec

SHA512
b2079f2f639af52de78ad9bc328c8848bbd6e55f312f7a0182ee395d50ec764c7bd0ef781a772ba743cc5cb3e718e067cc1dfa1c6ec2756f98e30be85f75c780

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
7b5fa4e3c1eabf69eb630147a4ed48b5

SHA1
c4211e8d89ed85d511f3bbaa3e6b774ea5779bd8

SHA256
ca1dc94675e436b84d5caa94f906feba8baac4f56580fca7412f495b951d0273

SHA512
6fa0011660d292fde267a9badf728c99848066c7003b2560b9c27ee258e5af54c01ff83a02584e136140b967dfeab62dce551a76e459de652211d322e8405c32

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
9cf9c70f4e89faade70dcc29bbeda969

SHA1
2479bef018076e5f9d5ec83ff62f4607395590ee

SHA256
07fa6ebcbda2467e8ca883e75b8df7c79f6959f327e26da96c089baa3e2dc5f7

SHA512
540effd8d66b7fdfdcaa9cf0fbaaea92215392baeb2faa4b81b1b29adec25fc2d7489b0d0ef3298648bbc5c781acd1962d22496d24592ad7f49670bb078a8702

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
fa8b04aed5e7b9b605263a7f737ba512

SHA1
134c33fb8179ac5d9832d560131c3d186afcd6c3

SHA256
56f76ffcd1963a7f9fb9a7e487c1d9e3e2b143bffdfa98774dcde449ae4d6d17

SHA512
bb4d2f7f607743d60e961c15ade249187acd3218b0155c138ceae890a05437c8b4b67ab8e00ee42c6b1704821a20052fedccc037a7884e235323fa9566b541e5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
67765db237bd126f9a3719b1ebc7af47

SHA1
4741f36a25ba02b917d0c18eaad6d1d6212434d3

SHA256
eb6aa188d60496436cafc5d35c5d9e62a6cfd8608e5228c498a6c66cdba8458f

SHA512
a840d0d5444f781db02c2d9baf60290e45ac8c7c16fdfd23e43240e4a4a7d736dcb692e4efd224864d19409e32a1f24317fc5d94fd2c0de3a1a1e28c85fc1d0d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
7c83211efed67c909ee54c2ba0ba249f

SHA1
39019c35715ea534d09e680abf10c82a70f3d389

SHA256
6319c192afac3cd501b7212ab0062dadce0b12ad26f1e0b685d9111a21447d7f

SHA512
788e6809abcb8caf14b7e6ba3cd99498cc543632a992deb686311a8369ea7bbd287ac2e650fe638e8409f1c2ad3d5a033fe413d4f19fda23a93b92b21e075e5c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\af6fc5d9bfe435d8.bin

Filesize
12KB

MD5
ae9b4357ef6b4d24135f0d0f55148281

SHA1
ba421d02fdb5328dd5329f693b049d77e789a5e1

SHA256
2dc1a13c8ec9f7e886af59cf7a9403e4f7eed0637e4fc2a0ee1ae9d087e8cdde

SHA512
92f395df3c497504f59d3d4530fd39b225702645c9cf1c8ebda5a424224ea2dc0c0ffb819d3e2031253f8f465ec069ff6232cf1dd33fc2091fa63e854f2d5c8f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
859a1676efb6a0acd02edde76859ca00

SHA1
ac0d8874414b34dc51dce5779748cf23e08c3619

SHA256
2c08cd5329aa49cf229844e31bb1e686729f6229ff1974d3d0d4f01fa1d236b6

SHA512
09a6f86b0031073efeffaf15f1a23a2cc9268fc40a3f0b56014a144281a6247a7a26b77dbcbcce7391866c4f4bc86e03c784a620b2e3d84103d2364ed3af8944

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
b98c0c6cb07f81eceb556be55cea0cd9

SHA1
ea80f9c29ac50f28e3c992d59a0e154dc576ac0e

SHA256
3f22aafafaa0ca29f07b9b98debeacc4db62436ac835bd5b33da7fa0fd2478b7

SHA512
6c0aaf1af40cc2d6810be9c02633f5639ea008d656862c2c92a8ce57c5dbe011081bf1c04bad11eda6333d093abe60e0b59ed3b7b6639b1f71142112d22672a0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
67a6d6721c74b6e477d5d22cb3244791

SHA1
adf008b13794b7ccd67260600dc204d3c35bdf07

SHA256
19d1889adecbc12cd9285d6e7a8cebe7ff8d0a5115b57c330fe3623bbf7561f3

SHA512
ee8fedf68a7e4ffdbf10ccb1d613a28ccb3ac782309a75fd8cab10e4b5044cbb2be35350c6db74750d04107e34bd7d5a07d5282904819a14a3cea2349bdc1155

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
276f9bf169b462c99d16dd90d808f9f1

SHA1
1070deda98821b22dff0604edb6004b389801bc1

SHA256
49f880bd021f03044d4c96bcae4b1bf414d18e20cb8c081869ccd4526c7b52a0

SHA512
78d93b89b8ef29a39955469580392362ead4914ae1caffb3629c85e3356eaefb37a7f5f140530fb578fe2e31791b0b32e98d01d6457d85b7d246a97d6f598ce5

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
9cfaa1004696d737b22cb623174dd323

SHA1
f7d56e01397d19d71c58e0e070e2fad5ce6784d1

SHA256
10838157ad1cb52b2fccb50856e616e09029b75541f2b45787690c2639886065

SHA512
99a2f0dec63382bc5a9d12dff976116574aeeda2939c0aac043abe12d8f8312f540a81d83a64b86800ddb08d65fe0f4e1898de0cedd6af8994baba2e7b882ffb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
bfe73c184992af3678a54f5f650eb4c8

SHA1
fb5f91187626ee9b583c4683075eb1012218b9a1

SHA256
f9b7944cb4a6e6f5d1f39181a7d5f73665ebb7064c88383dfd1a48971008645d

SHA512
ed6994a9c6ea22dc524ef957fbcca550a4c274d0edc9260fb9330104e37963b520132c941f359b4a4e3414fd71cb30934f940910c51aca14b54d3f9d04ffe93c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
623fcbba93b0ecba7af0b5b496a146f9

SHA1
d3b6b3c08b5b0d9a1cfbc87025943c8c57922269

SHA256
38d70731f8cf75e984cfe2831c837ac65408be3e41d8bd46158f72e7ff676bbe

SHA512
53067121c4167307295f706c5b0fc159c67c26ea9bb36145d547bee30cbe69bb184c02b57693c01b1ba6755da47cf782df06af2aaa8d1aa6e5640cfd09a76a8d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
6d50e63fcb6765f7bb7e94cd7d52549d

SHA1
db809c6b579e3d67e5dc70213b2849f61b09e050

SHA256
1849a873296f4bacb5ce094bef4f10c42753e7938fd833301f128885907ecb2d

SHA512
0daead7d1bb93c22a5a3ecd026a5bfe2345cbb7f3a2bad632034fa9ce035c2ef9b6efec6753b0cc16468338f54ead39a21ccefecd3c956c7b54db09eb18706ae

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
fedbbad9635832a40b9872360066a25d

SHA1
6d2b176152e7be0c428d6ad35dd36a695461a0cd

SHA256
bffa80641727655f0a77c2e8583c074982570ccdc440cc79a49a7683b1b780fe

SHA512
ccef7554ce768a049ed9e249e78833704625d71b53a6b93b8ab7f0915944af2ae35ed0c8e83961b35bbff80a14b3f5cbb26de3722f9b6b5759d616126c1314e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\159c3a17f7d9ec22374879bc5c223001\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
3f261acb500a02ced0b41d89d778957c

SHA1
cf81174a09cdbc0ffad9d1d558afcd53a77ee933

SHA256
5edf9ebddcc256fc949d12285206268054b49bad5033d8882b0a2239da74fe5c

SHA512
b858756b8964fa719647510bc6cd389e83021cd42ef26e8542c89672a2f50bf70a6dc9e54ebc7d1dc820a556eeeaf42787db5c4c348c9351179850fcaa1f596f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\76b10ad64649305fcf63366e1738795b\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
5445fe0ffeaba6da8c21b464ac97eab9

SHA1
6162dfd0244e59cb4dc9a3bee3eadcf097430652

SHA256
851fcb9f26e8bc04c4d9344e769c25e266c8e986db625a2f4c0108cc2b0b8d7f

SHA512
50113fa47ffd373af3ca79f742b65224d691dd96f78ef91e557eee5664dabf16fdbf3b7e7315b86132a836c9170cc3f0badd6c251d82054974d2e5df2375d108

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\7916c9eba0a531ee0403e07263e24db3\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
29d8436fa1852310ad9c14276989187f

SHA1
b3d941974fa30875afb5f46fc7529c792edc45a0

SHA256
725233b795312abe180eb3f43716fff31e245499481a1399abdf44d1d0450c3c

SHA512
2ab530011320e155c1bd3349790b5c27022909e9e2c17d488ecdbf8b005fbf2eec280ee5fba554522dc6743663b5a4781ff587434400c3a30927f3d86ebd184f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC62C.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll

Filesize
143KB

MD5
6f9f108fa2279e1c28463809d1ade2ae

SHA1
f4a84ed2ee86aca38d3eb4cb8447cae3c7120e1d

SHA256
bdcf89d2d6f43ae146e1008fceff57d91e78c517a37df09a4d7bb18a935a96c8

SHA512
9a21732e365f20811a617d579f63a6879ffa0d727d786ea824c651992d079690a476453a365fa52fcffa722e575ce52087ee3757ad90db3ba308fda6567ace3f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
3f48dd1818318a03204b0cdacc5a3a0c

SHA1
4a5255793bd658a4298504359db724db8f8fb62f

SHA256
6122ed1b55af361b3b73efbe63e4b554f91c44ac45835ec43cc508c0f1a29da2

SHA512
c12b701ca85f38095e101cdea665bdcc41a448ed0423d379cf12124740c00a45492324c7f1f60ef87c1751d3dec76a67dde4879a5eeabec4e88bea65660c2fbf

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
691KB

MD5
2ddcd1768cc0dd1cc7c0467227d336f3

SHA1
2b2c3076a3069475a40fe2c83037eec6828edcaf

SHA256
4f264af112e63b8176c3b2f1056da0df950d8310589b28e69f51b3f0fc25a8c7

SHA512
7a4eb35f29dc6cd5f2e48810f5ae8f8eb6629ce7dd06f9f0bf18c12bfd9a00cff4344801292799a07ff318303d9d3f40510730812cc48bbdc8543f043168cfba

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
4b3257332d082815b9bb6719ce8975cd

SHA1
ac442d566ed7ac641dd2530867047db33f405527

SHA256
6f103ba5c0938fd168301ca5f6d12463bdeb036b50a470a224dd8eff5b8dd9db

SHA512
00802a9dcc09009c3c75201393820a8369159c5cec4e0b1fcce0e8cab029aa738674007d834a9c06a5720df70e048c7ddd805ce2325b2938f66f8722be4d7f36

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
4b3c7da18b447f30b586ac5b42658357

SHA1
20d7f5fe0e7bf9f78687fbc1327791e253b38dc6

SHA256
49a031eceba1d292fbcbdd08380d2acfdac642749f86a0d9809db8241e5b2448

SHA512
4fe3bd082bb18e32bfe47e09a968ace42197852f7bfa1d8e7f1840e28faebf117c904852c5213edac17cd11afaf06fe96e487fbefea681db727e89423b0b4ba1

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
c69c23ffb07ae9a317a1353900e77b0a

SHA1
71324caa409fe1afc9744b953aa27720a8971c49

SHA256
1cb6f53e4234edf51f1e7bbb8a64a147faac622806c61e8f71a7e1abfb22266c

SHA512
3d29c20cb3cccb9bbcd6ef9f16587409780c636091f73e7569d3bd20f86ca54e47e049a665aae251b4b220858e3141b261b0ecb1a881580aba2984a67ad24f5a

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
d7ad97b375b28ff957fbefcc99e88388

SHA1
ed264f3600743c85c636f10d8e780925eb447911

SHA256
f36d07b03c7db67d569b8c1c018aa72ea5cbbfaa2f3b4dc1b8b996b017244b38

SHA512
59187011fbffdc02e571fcab1ee598be837eca0daa2797d99b0e80d63e9ddd8b855569835a06fc5478998dc379d8d1512e07cc16f794ef8b66e5fe11fd001a41

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
58e229f5a8008cf1dc1e4e6f276af95d

SHA1
2728fa2da744bd682cdd732b022de759f1536e27

SHA256
daab663c316f5fc5a2ca6110da10124bf44b9cbbcf68d12cf9fa7bc70fd24589

SHA512
8e333f866c28e2aeb56e14be210744b68123eee109fa788ab9923a972ad7dfb2ed7b3d3b2d1e987ae623d6bbfee47a073d7a9e717b1956c5ac11d4138a7f65c7

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
edfad3de713d5519745daa3b71ee2a96

SHA1
1a1840a6825af8d7207d6f633a03a1a1dab153c2

SHA256
8fa7a3f17b0c5a13a4f560b18df9c552d67a8a51ce2296d20c1904a9d06527d7

SHA512
d2f1d84f4d2a3f61aa68ff0b17a7374af63dc3795e714370c1c7d26b64c94d0cc8fedbcf404c5c5c46b657aa1793571a2d2fb8d6453ddf131cd4ddfde6dbaf23

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
3bd918c335cf8fb645ecacc8348a100b

SHA1
d4e598a2a5a283aeeb3fde728ffbe8de4b91840e

SHA256
f34be71734c7f536b5e05e613ee42878f89c63598b34ae74968895d3a3ed7744

SHA512
33663cd3e591ed9509a3355de48a3fd5cf61420d4ffb980e7222df719cbd6b7be9c811fab1b935da6262e34f10972d6175a4572adeb067236246b32f00f70416

Download Submit
memory/476-165-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/476-164-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/476-212-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/476-171-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/856-292-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1048-317-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1048-324-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/1260-194-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1260-138-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1260-131-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1260-132-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1300-255-0x000007FEF4A60000-0x000007FEF53FD000-memory.dmp

Filesize
9.6MB

Download
memory/1300-210-0x0000000000C30000-0x0000000000CB0000-memory.dmp

Filesize
512KB

Download
memory/1300-196-0x000007FEF4A60000-0x000007FEF53FD000-memory.dmp

Filesize
9.6MB

Download
memory/1300-272-0x0000000000C30000-0x0000000000CB0000-memory.dmp

Filesize
512KB

Download
memory/1300-328-0x0000000000C30000-0x0000000000CB0000-memory.dmp

Filesize
512KB

Download
memory/1300-192-0x000007FEF4A60000-0x000007FEF53FD000-memory.dmp

Filesize
9.6MB

Download
memory/1300-193-0x0000000000C30000-0x0000000000CB0000-memory.dmp

Filesize
512KB

Download
memory/1300-245-0x0000000000C30000-0x0000000000CB0000-memory.dmp

Filesize
512KB

Download
memory/1300-242-0x000007FEF4A60000-0x000007FEF53FD000-memory.dmp

Filesize
9.6MB

Download
memory/1468-130-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1468-93-0x0000000000990000-0x00000000009F7000-memory.dmp

Filesize
412KB

Download
memory/1468-88-0x0000000000990000-0x00000000009F7000-memory.dmp

Filesize
412KB

Download
memory/1468-87-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1500-284-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/1500-279-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1500-327-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1632-111-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1632-112-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/1632-117-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/1632-187-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1948-295-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1976-231-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1976-222-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/1976-214-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1976-232-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/2028-227-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2028-290-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2072-174-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2072-176-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/2072-208-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2072-149-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/2072-150-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2072-177-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2072-156-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/2112-313-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/2124-299-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2132-308-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2312-143-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2312-103-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2448-302-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2448-258-0x0000000000540000-0x00000000005A7000-memory.dmp

Filesize
412KB

Download
memory/2448-248-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2484-274-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2484-265-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2484-276-0x00000000741C8000-0x00000000741DD000-memory.dmp

Filesize
84KB

Download
memory/2484-271-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2484-325-0x00000000741C8000-0x00000000741DD000-memory.dmp

Filesize
84KB

Download
memory/2484-311-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2536-26-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2536-163-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2600-304-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2608-157-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2608-12-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2668-263-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2668-200-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/2668-206-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/2668-203-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2744-179-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2744-186-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2744-238-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2744-180-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2868-1-0x0000000001E40000-0x0000000001EA7000-memory.dmp

Filesize
412KB

Download
memory/2868-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2868-6-0x0000000001E40000-0x0000000001EA7000-memory.dmp

Filesize
412KB

Download
memory/2868-139-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2904-197-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2932-340-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/3040-239-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/3040-243-0x00000000005C0000-0x0000000000672000-memory.dmp

Filesize
712KB

Download
memory/3040-289-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/3040-298-0x00000000005C0000-0x0000000000672000-memory.dmp

Filesize
712KB

Download