29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383

Analysis

max time kernel
139s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
Size

1.8MB
MD5

52e5a3045aac43c9b2b57c8baac59fb8
SHA1

9b358f79bb9aa01fc9bc86f66bd2e8e3e527584d
SHA256

29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383
SHA512

c21f2c1d5e0f1a69b608040bfc46a6d7473c433e52ec0773415d44491ff52bb1fbeef538ed56ab49a1974d681a1ed8f6789c6a4bb5e7b9eb3774f47c001f1298
SSDEEP

49152:ux5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA+MdFrIe78vH/:uvbjVkjjCAzJETjYvH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exeGROOVE.EXEdllhost.exemaintenanceservice.exeOSE.EXEOSPPSVC.EXEmscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemsdtc.exemsiexec.exeperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
2572	alg.exe
3020	aspnet_state.exe
876	mscorsvw.exe
1380	mscorsvw.exe
2620	mscorsvw.exe
892	mscorsvw.exe
2076	ehRecvr.exe
408	ehsched.exe
112	elevation_service.exe
776	IEEtwCollector.exe
2888	GROOVE.EXE
2576	dllhost.exe
2416	maintenanceservice.exe
1556	OSE.EXE
2736	OSPPSVC.EXE
1476	mscorsvw.exe
884	mscorsvw.exe
640	mscorsvw.exe
2872	mscorsvw.exe
1824	mscorsvw.exe
2696	mscorsvw.exe
1304	mscorsvw.exe
2808	mscorsvw.exe
1696	mscorsvw.exe
2516	mscorsvw.exe
640	mscorsvw.exe
1040	mscorsvw.exe
2708	mscorsvw.exe
1192	mscorsvw.exe
2504	mscorsvw.exe
2804	mscorsvw.exe
2508	mscorsvw.exe
1536	mscorsvw.exe
1696	mscorsvw.exe
1768	mscorsvw.exe
2608	mscorsvw.exe
2684	mscorsvw.exe
1316	mscorsvw.exe
2464	mscorsvw.exe
2256	mscorsvw.exe
2564	msdtc.exe
1496	msiexec.exe
324	perfhost.exe
476	locator.exe
2664	snmptrap.exe
2344	vds.exe
1368	vssvc.exe
2256	wbengine.exe
2812	WmiApSrv.exe
2536	wmpnetwk.exe
1192	SearchIndexer.exe
912	mscorsvw.exe
1324	mscorsvw.exe
1960	mscorsvw.exe
2636	mscorsvw.exe
1824	mscorsvw.exe
1568	mscorsvw.exe
2936	mscorsvw.exe
1116	mscorsvw.exe
2240	mscorsvw.exe
2852	mscorsvw.exe
436	mscorsvw.exe
2140	mscorsvw.exe

Loads dropped DLL 51 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
468
468
468
468
468
468
468
1496	msiexec.exe
468
468
468
468
468
760
1824	mscorsvw.exe
1824	mscorsvw.exe
2936	mscorsvw.exe
2936	mscorsvw.exe
2240	mscorsvw.exe
2240	mscorsvw.exe
436	mscorsvw.exe
436	mscorsvw.exe
2612	mscorsvw.exe
2612	mscorsvw.exe
2036	mscorsvw.exe
2036	mscorsvw.exe
960	mscorsvw.exe
960	mscorsvw.exe
704	mscorsvw.exe
704	mscorsvw.exe
2872	mscorsvw.exe
2872	mscorsvw.exe
2200	mscorsvw.exe
2200	mscorsvw.exe
1668	mscorsvw.exe
1668	mscorsvw.exe
2948	mscorsvw.exe
2948	mscorsvw.exe
2512	mscorsvw.exe
2512	mscorsvw.exe
1668	mscorsvw.exe
1668	mscorsvw.exe
2292	mscorsvw.exe
2292	mscorsvw.exe
960	mscorsvw.exe
960	mscorsvw.exe
1304	mscorsvw.exe
1304	mscorsvw.exe
2288	mscorsvw.exe
2288	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 22 IoCs

Processes:

aspnet_state.exe29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exeSearchProtocolHost.exealg.exeGROOVE.EXEmsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b382b757ae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeaspnet_state.exe29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM898A.tmp\goopdateres_fr.dll	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File created	C:\Program Files (x86)\Google\Temp\GUM898A.tmp\goopdateres_ru.dll	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM898A.tmp\goopdateres_cs.dll	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM898A.tmp\goopdateres_am.dll	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM898A.tmp\goopdateres_iw.dll	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{D9005A2B-BC2A-4153-8911-AE3B3F543790}\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM898A.tmp\goopdateres_ca.dll	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM898A.tmp\goopdateres_ro.dll	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM898A.tmp\goopdateres_ko.dll	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM898A.tmp\GoogleUpdateSetup.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM898A.tmp\goopdateres_en-GB.dll	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File created	C:\Program Files (x86)\Google\Temp\GUM898A.tmp\goopdateres_ur.dll	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM898A.tmp\GoogleUpdate.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File created	C:\Program Files (x86)\Google\Temp\GUM898A.tmp\goopdateres_bg.dll	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM898A.tmp\goopdateres_ml.dll	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeaspnet_state.exedllhost.exe29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exemscorsvw.exemscorsvw.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6078.tmp\ehiVidCtl.dll	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP39E5.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{89E21444-2821-4773-A0DC-FE5DAC1032E5}.crmlog	dllhost.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP344A.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP41D1.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP63D2.tmp\stdole.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4911.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2730.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

ehRec.exeSearchProtocolHost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeSearchFilterHost.exewmpnetwk.exemscorsvw.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\odbcint.dll,-1310 = "Data Sources (ODBC)"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008 = "Windows Mobility Center"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10021 = "Performance Monitor"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\comres.dll,-3410 = "Component Services"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10308 = "Mahjong Titans is a form of solitaire played with tiles instead of cards. Match pairs of tiles until all have been removed from the board in this classic game."	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000406f1ea9f098da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{C652A238-B494-4584-883A-C53F3BE0D568}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\dfrgui.exe,-172 = "Defragments your disks so that your computer runs faster and more efficiently."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-101 = "Windows PowerShell ISE"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ehRec.exeaspnet_state.exe

pid process

2892 ehRec.exe
3020 aspnet_state.exe
3020 aspnet_state.exe
3020 aspnet_state.exe
3020 aspnet_state.exe
3020 aspnet_state.exe

pid	process
2892	ehRec.exe
3020	aspnet_state.exe
3020	aspnet_state.exe
3020	aspnet_state.exe
3020	aspnet_state.exe
3020	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exealg.exeaspnet_state.exemsiexec.exevssvc.exewbengine.exeSearchIndexer.exewmpnetwk.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1300	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	892	mscorsvw.exe
Token: 33	1064	EhTray.exe
Token: SeIncBasePriorityPrivilege	1064	EhTray.exe
Token: SeDebugPrivilege	2892	ehRec.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	892	mscorsvw.exe
Token: 33	1064	EhTray.exe
Token: SeIncBasePriorityPrivilege	1064	EhTray.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	892	mscorsvw.exe
Token: SeShutdownPrivilege	892	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	892	mscorsvw.exe
Token: SeDebugPrivilege	2572	alg.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	892	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	3020	aspnet_state.exe
Token: SeRestorePrivilege	1496	msiexec.exe
Token: SeTakeOwnershipPrivilege	1496	msiexec.exe
Token: SeSecurityPrivilege	1496	msiexec.exe
Token: SeBackupPrivilege	1368	vssvc.exe
Token: SeRestorePrivilege	1368	vssvc.exe
Token: SeAuditPrivilege	1368	vssvc.exe
Token: SeBackupPrivilege	2256	wbengine.exe
Token: SeRestorePrivilege	2256	wbengine.exe
Token: SeSecurityPrivilege	2256	wbengine.exe
Token: SeDebugPrivilege	3020	aspnet_state.exe
Token: SeManageVolumePrivilege	1192	SearchIndexer.exe
Token: 33	2536	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2536	wmpnetwk.exe
Token: 33	1192	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1192	SearchIndexer.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	892	mscorsvw.exe
Token: SeShutdownPrivilege	892	mscorsvw.exe
Token: SeShutdownPrivilege	892	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	892	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	892	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	892	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	892	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	892	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	892	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	892	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	892	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	892	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	892	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	892	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

1064 EhTray.exe
1064 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

1064 EhTray.exe
1064 EhTray.exe

pid	process
1064	EhTray.exe
1064	EhTray.exe

pid	process
1064	EhTray.exe
1064	EhTray.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

SearchProtocolHost.exeSearchProtocolHost.exe

pid	process
3056	SearchProtocolHost.exe
3056	SearchProtocolHost.exe
3056	SearchProtocolHost.exe
3056	SearchProtocolHost.exe
3056	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe
2816	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exe

description	pid	process	target process
PID 2620 wrote to memory of 1476	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 1476	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 1476	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 1476	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 884	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 884	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 884	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 884	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 640	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 640	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 640	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 640	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2872	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2872	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2872	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2872	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 1824	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 1824	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 1824	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 1824	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2696	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2696	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2696	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2696	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 1304	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 1304	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 1304	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 1304	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2808	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2808	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2808	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2808	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 1696	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 1696	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 1696	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 1696	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2516	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2516	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2516	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2516	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 640	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 640	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 640	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 640	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 1040	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 1040	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 1040	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 1040	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2708	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2708	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2708	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2708	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 1192	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 1192	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 1192	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 1192	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2504	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2504	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2504	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2504	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2804	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2804	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2804	2620	mscorsvw.exe	mscorsvw.exe
PID 2620 wrote to memory of 2804	2620	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
"C:\Users\Admin\AppData\Local\Temp\29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:876

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 24c -NGENProcess 244 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 250 -NGENProcess 240 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 25c -NGENProcess 1d8 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 260 -NGENProcess 244 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1ec -NGENProcess 1d8 -Pipe 238 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 268 -NGENProcess 250 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 244 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 244 -NGENProcess 260 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1ec -NGENProcess 278 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 27c -NGENProcess 260 -Pipe 1dc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1d8 -NGENProcess 284 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 248 -NGENProcess 240 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 278 -NGENProcess 284 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 288 -NGENProcess 1d8 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 240 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 284 -Pipe 1ec -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 298 -NGENProcess 1d8 -Pipe 294 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 244 -NGENProcess 268 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 29c -NGENProcess 288 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 290 -NGENProcess 1d8 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 244 -NGENProcess 2a8 -Pipe 29c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a4 -NGENProcess 20c -Pipe 1fc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 1e4 -NGENProcess 280 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 254 -NGENProcess 238 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 218 -NGENProcess 20c -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 1c8 -NGENProcess 280 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 20c -NGENProcess 280 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 2a0 -NGENProcess 1d4 -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 1d4 -NGENProcess 1c8 -Pipe 294 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 244 -NGENProcess 280 -Pipe 238 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 280 -NGENProcess 2a0 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 278 -NGENProcess 1c8 -Pipe 20c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1c8 -NGENProcess 244 -Pipe 298 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 288 -NGENProcess 2a0 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a0 -NGENProcess 278 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 268 -NGENProcess 244 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 284 -NGENProcess 288 -Pipe 290 -Comment "NGen Worker Process"
2⤵
PID:2696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 284 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 268 -NGENProcess 244 -Pipe 288 -Comment "NGen Worker Process"
2⤵
PID:2904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2bc -NGENProcess 2a0 -Pipe 1c8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a0 -NGENProcess 284 -Pipe 2b0 -Comment "NGen Worker Process"
2⤵
PID:2204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2c4 -NGENProcess 244 -Pipe 2b4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 244 -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
PID:976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2cc -NGENProcess 284 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 284 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
PID:1216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
PID:1364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
PID:2512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2cc -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
PID:812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 2bc -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
PID:2324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2dc -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
PID:1152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 2cc -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2e4 -NGENProcess 2f4 -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 304 -NGENProcess 2ec -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
PID:1364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 300 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
PID:848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2f4 -Pipe 2dc -Comment "NGen Worker Process"
2⤵
PID:2272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2ec -Pipe 2b8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2ec -NGENProcess 308 -Pipe 300 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 308 -NGENProcess 2fc -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
PID:2408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 31c -NGENProcess 314 -Pipe 304 -Comment "NGen Worker Process"
2⤵
PID:2896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 318 -Pipe 30c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2fc -Pipe 310 -Comment "NGen Worker Process"
2⤵
PID:2464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 314 -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
PID:2396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 32c -NGENProcess 318 -Pipe 328 -Comment "NGen Worker Process"
2⤵
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2fc -Pipe 308 -Comment "NGen Worker Process"
2⤵
PID:2592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 314 -Pipe 31c -Comment "NGen Worker Process"
2⤵
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 318 -Pipe 320 -Comment "NGen Worker Process"
2⤵
PID:2916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2fc -Pipe 324 -Comment "NGen Worker Process"
2⤵
PID:1492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 314 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
PID:1604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 318 -Pipe 32c -Comment "NGen Worker Process"
2⤵
PID:960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2fc -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 314 -Pipe 334 -Comment "NGen Worker Process"
2⤵
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 318 -Pipe 338 -Comment "NGen Worker Process"
2⤵
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2fc -Pipe 33c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 314 -Pipe 340 -Comment "NGen Worker Process"
2⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 318 -Pipe 344 -Comment "NGen Worker Process"
2⤵
PID:1604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 358 -Pipe 348 -Comment "NGen Worker Process"
2⤵
PID:2996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 120 -NGENProcess 354 -Pipe 314 -Comment "NGen Worker Process"
2⤵
PID:2452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 254 -NGENProcess 360 -Pipe 2fc -Comment "NGen Worker Process"
2⤵
PID:1380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 350 -NGENProcess 34c -Pipe 358 -Comment "NGen Worker Process"
2⤵
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 368 -NGENProcess 354 -Pipe 11c -Comment "NGen Worker Process"
2⤵
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 360 -Pipe 364 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 34c -Pipe 35c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 354 -Pipe 120 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 360 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 360 -NGENProcess 378 -Pipe 37c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 380 -NGENProcess 354 -Pipe 368 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 350 -Pipe 36c -Comment "NGen Worker Process"
2⤵
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 34c -Pipe 370 -Comment "NGen Worker Process"
2⤵
PID:2512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 354 -Pipe 378 -Comment "NGen Worker Process"
2⤵
PID:2292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 350 -Pipe 374 -Comment "NGen Worker Process"
2⤵
PID:2648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 34c -Pipe 360 -Comment "NGen Worker Process"
2⤵
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 354 -Pipe 380 -Comment "NGen Worker Process"
2⤵
PID:2464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 350 -Pipe 384 -Comment "NGen Worker Process"
2⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 350 -NGENProcess 394 -Pipe 34c -Comment "NGen Worker Process"
2⤵
PID:888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 3a0 -NGENProcess 1cc -Pipe 318 -Comment "NGen Worker Process"
2⤵
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 1cc -NGENProcess 39c -Pipe 388 -Comment "NGen Worker Process"
2⤵
PID:2176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 3a8 -NGENProcess 394 -Pipe 398 -Comment "NGen Worker Process"
2⤵
PID:976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 394 -NGENProcess 3a0 -Pipe 3a4 -Comment "NGen Worker Process"
2⤵
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3b0 -NGENProcess 39c -Pipe 350 -Comment "NGen Worker Process"
2⤵
PID:844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 3ac -Pipe 390 -Comment "NGen Worker Process"
2⤵
PID:2452

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2464

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 240 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2256

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:2076

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:408

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1064

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:112

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:776

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2888

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2576

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2416

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1556

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2736

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2564

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:324

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:476

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2664

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2344

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2812

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
2⤵
- Suspicious use of SetWindowsHookEx
PID:3056

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
2⤵
- Modifies data under HKEY_USERS
PID:2000

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2816

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.6MB

MD5
db4e9ae1c8d9cf9b2a9b3ca97b94b3f9

SHA1
8da71d66a443548f7cacb2122ab151f203299002

SHA256
27e12334feecdce083b9ba3b542d77461854748cfa615c0ae871eca29cfdaae5

SHA512
0a350e43c16cb4067ba2ec62088482bdeda5b3f0999a1daaf9628e797948c85f55cf641401618188414bb0f3e385161e75b8f64b093ad9397f493060ba42c2a3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
1418bbfd430ee9cb97a0fa17c50eb73d

SHA1
eb2a13a30a23d68009fa098ba59c030b1338989d

SHA256
fa2e7e79fb37288072027ae0392760e323c0f01a22850d25394bea8d99818693

SHA512
ad4994a0cb234bac04d428697e94f4cec7ceed0e37bcb0a3e06aec90baf10239fb1302896f42c62288a570295399c841843abc27d1bdc1cbfad3a19127d56e49

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
af415513248749978edc48c27f3a10a9

SHA1
dfbae789887a173fa4daa248cd48fbe15e26b7ef

SHA256
fd96723a81d2b7103a4befc32674ca87c64a08b7059b6b3a33deb42e674be438

SHA512
6dbf627aeb1ce6d730e631b356ef1985f832ba0dc3603ec5dbab72936e456618fad425d04177ae26ac69c264fbbab6baa7089a0895e23e34493b9dbb1ff57e64

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
fa21e5d09c482bc5025260215c9c93ca

SHA1
9bc28bc33f96cd0e405df7b8e62a38ca4b033c69

SHA256
29c02b864d8894c83347560d783aa93007ab43d8be76ed11b8883acdaa28c1d2

SHA512
744846db03125e0925fe8226393d7ed3faac3e10f72b45af9defe53240083ba5f8c47a21807a2788e522c2245847c0d5903ebd42fec3e1a23cd381e83395ddfa

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
bd07242ee2adb24d3cc2b0c2f4e0dfa7

SHA1
349210c38a83391ea680c60fa3987a4ecbdaefbd

SHA256
f6f09cb6f62cb00b62dff528d936c05048fc260f36386bcdeb855681a1643eee

SHA512
cc3b8056d83b3e71da1cc99587d40af8dcd5800df5c36eb56e81c71ccd445249952524714d7f6291c8db9ed3c618131c1b60d90d389b9347116325b6fd3ed444

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
d65b88e0d7910eb89b846fc105308915

SHA1
1643ff1d8d8c4c806eb42f757ac174f60851ec1b

SHA256
b5f47b661d8681cfd35a1f417483a42057d61b2ef90d5a9ccb8d901a2032b9aa

SHA512
c27083febfcc8c4e62f97af6b3958c1358c9eb892d998efe900e434ade9e753a9ff61431daec9d1b286a0a93921a0b48706500f8bad018463c44d12bfe7d9307

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
1.5MB

MD5
9b95ed77e740f0373a5bfd5eb1a8a950

SHA1
646fee9717400918a6052ba37b1d36d36a51de9f

SHA256
6f4faebff6f7d5bc877cddae641a7e8e355fb022e31890fc9e4b7477de59fdf5

SHA512
2ddd9de873eb50561335950671cd94d827ffd603d6a4f51c4efea8f0adb038ae6a20208f430f07f586f5626ec2c3dc27594f891bd6fb61e5bcbcb6ebf3cb9451

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
44d630cc84b6d365e2f99e6fe718b7c1

SHA1
217451227dc6d959f07f187aac6c9d53402ce092

SHA256
60b23f182c8dd11de55f3e2d1e53dc21b2601b7865d3af8bf101e671da2d5b3e

SHA512
2be60453f6737b0c9e37279547046b0befe294447abeb728969adf6159bcc5443499bf602bc56624b41f021d581696533a352f6df949c83c52bf1407f0f6cda6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
1.6MB

MD5
6b54f1717ac92864ad43a2bfe08e6435

SHA1
5d13ca3c5e0ab5cd3fc9a594c903fbe89eec60c6

SHA256
62b3ed54df39172aa36a85ce3e35dc7d54de0e98bbece942c9501579b2509750

SHA512
a9812426312ca3cb63e6633508778604728b9d1adf49ac5a67052f968120980b0f85b167eb44d90308509acbede99d1a12eeea73fe6fc89247e6a6045ca7a560

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
1.5MB

MD5
5476f2331e7dc137f40c63584400c6d2

SHA1
b80ed520b1e6235f9f8d94bdef5a54290d2ca8d5

SHA256
9c73e87d8e15308107e406e1e6e2bc58b20eb3f3a8b776c74a53bc51ae9c56c6

SHA512
ff811643540062d925b90851263856ccb3f47c8814c4aa2e0794046324ff4ae64ac0f4d22eeba10cf239f0a6c486388af44bc0cb5ae1237c8e77c4bc44d2fc64

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
3900fd0708f5fe3e95f102f012834b12

SHA1
9aed823575cbe969f3c78f73fe000be7b401c250

SHA256
d5c20096bc3ea47cbd0234ba365acfe61e1ad64328675aab6b778611953f57de

SHA512
ad3c77636b9df3e7495122cf53526b83788211dbb1b7d8fe0bf052b07c8c6337bc80544ce9a014745b34189839e322ed77338b90ff44c12daaca56a1f01250e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
1.5MB

MD5
2e40cc4d32242a9a894748a339069928

SHA1
eacc97532583a683281b9a777ab0530cfe9ec09b

SHA256
0fa038bb217c5d0982770c4efc8d9343a8d8f334b40f4a5abe80f9c63b8a67ed

SHA512
76b60c3b4b67935c634ca3833ac827a39d10564c963af35da3494dcf9318fd950138de5471d90bb26c3e6152af1e0abfe2863beed9ebc19dcff272509b5f1f56

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
21fd11340e895cca92f499b2344ef058

SHA1
9db8ede044919c312d88cee9c3e5839aeb48ccb9

SHA256
7e8c04cc9994178f3169b8edd5428bd858e03391a92d9236adeb3f916a67d2ff

SHA512
fca99c67ea86c770d00f23e7cba91c85899a4807ee2ea3319a1efd848bc6298aae31fcf4985e80fb9b6eee6024389028a50216c34c8eadb9e62c1a63939d4b00

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.5MB

MD5
59fcfa37592723ed4c32eee339c3a2a9

SHA1
32e337ed7a0dfd88dc617cf3ba8c40f56da4cc21

SHA256
59aa5f9788537ee3a0e7d084eb7a1f405f0bb600b6004d9df7ba8d285fff8415

SHA512
596aec2a0b8bc76fda2dca63a18ee6fcaabff1cdd87c22780079858dddf3c83536456e3ae7f926044d3f75a831f275499f1f4d902186b9982c2bbf89e3167a77

Download Submit
C:\Windows\System32\dllhost.exe
Filesize
1.5MB

MD5
411589fe506ffffb5fb4a9d71fc9bd4a

SHA1
3c08917b890f6e0bc82c1d2cb95c81e0a96d9040

SHA256
1fa9a612e5d67594d6cbee6b8becfe2ff8b4e2698115c5946b7b085ccb99b9d2

SHA512
48ca2aaaa81b30c2b734ad89ae53b5eb4f4ec4908d2d0af56168929e444b08da1483297f0992fe986e8258d29ab232d68fce000894d360142916c1ea0edaa63a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\029734125add7f49bcdadc4735683a01\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
187KB

MD5
5c72644469bcab84eefca8a394fc5ac7

SHA1
33e058c9329b0ef057f1ec8f279f0dc802778dbc

SHA256
d4fe78e8fd061a083bd9bf19ca462c4250d44fe7d18d4531b47367a82fba5327

SHA512
7faa2e21c6db6dd89920fece794005a29d37857f68fd0bbeeeb743471943e200b0ac4e5764974cd03ee3318bc803f7c8cbb32136b50a45cc8159f925c9adc945

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\2f59b9ffd21afbd75e2abb1c7ade26ca\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
83KB

MD5
3b077d40c22d04f65054ef5bff33ee2e

SHA1
e477cb57a09d462f5695311642d1676edd5be8dc

SHA256
e8a94cc5b58e053484662e8bebcf6ee06bc50ace48a28bae0f907989bd1f1bc1

SHA512
fd4bdb8dcca9500758d42e61cfe0b26fb06723ec14abfbfb68e59e2eaf58f4d1a1b79a3cc060c3b633efa03fc7576bca027554d22ed17d5da9fd5e43780e8dca

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5dc1779af24d89d84fdcb02bcbc2a56c\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
180KB

MD5
0e62f1c04722868f9ed87fbef75bc42f

SHA1
15663d93286cccec929817b5a8395b5a1a68a0c9

SHA256
737a3998b7b72939894d6978a9676d6afe06158ef2adc06352d0541194a22c7f

SHA512
42fb5baf7e210ca981f7d7c346784d1b2fb07892f94bf942461bbd140840ec4db07b90abab0034863045496eef7d034af8b7507babbb472b8d963c0a1b1ce193

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\system32\fxssvc.exe
Filesize
1.2MB

MD5
c56a78c14a22064eb1609053271a52eb

SHA1
f234ff8af92d072e223c88eb309406180063869e

SHA256
1da7333b13c19f0aff095b98780ee9104b1ea248f07649fe605663399482b54e

SHA512
743637f8a89ca657783397334062e54e922da9f620885629501962fbb2fa5b37030de5ae705afe8649609af52a3389f4dd1729a75c6010b2046d13e68eec49fd

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
1.5MB

MD5
565657001d790652c718de9fead4072d

SHA1
0624e811993409d8302c45d055311d8bea15a51f

SHA256
261525be4e851abee5d381ce657695abe1fcd65eb8eb96069067eb137f896c1e

SHA512
458416a43f3a7e14c06770dfcc45fae5406afa2d35a02b51a0bece6e274636604ba01a7beccde454accc90ab66021eb9dace3b7d775366c395bd9f90a8763b60

Download Submit
\Windows\System32\Locator.exe
Filesize
1.5MB

MD5
dd4c828e41fb8ad80bf66cd615185f73

SHA1
320bc0447f245543c38845bc7c769ca69965f342

SHA256
cf793684d0412416789457e89657db2456e1eda9fe39b23e5e33de8d67f07540

SHA512
998df304c8c47452fd4e7e2be0644dc3899e2ac8a091919632be02e3b4fbcfb73b35c84769d25c3741be5b21fe99def76b2cc1b56171b44116b162ff2c8cacab

Download Submit
\Windows\System32\alg.exe
Filesize
1.5MB

MD5
9e7c54a5985dc3cfaf78fd32549d7432

SHA1
849f8a74d4c52b2318f67d18183a832da8189514

SHA256
7d8c384fb6aea689c5e1d4ce81d7cf9c761c6d87fbccb8927aae7063c95eb015

SHA512
0c1617bb6c00482f695b60178d30cd7a1d01a06f5e4a2753dfd3151587fca79cb130fb6863b861b646240309c87e90c598af62f3941c08618addd1da0000acfa

Download Submit
\Windows\System32\ieetwcollector.exe
Filesize
1.6MB

MD5
7e65b18c136a61bb6f8a6479417f92f6

SHA1
3c1046667012bf698276aba4a8632c33c7d32ee6

SHA256
5ac90d818af255218e2c7a160c206e1a19d481aee6fb7fa47e055f3283758ba7

SHA512
148aa847ac2921343a1d033e90f0802939a22bd22e578199813227eaf0636ddf3a71500d89da6bca10808785eb64114e22e954e963bde61a4b4fb0b56728058f

Download Submit
\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
e5a0b1725e6e5ca81a6152d3e0f32861

SHA1
0e7763ceda5f66b3bd5d362b7b0cb1a7a0e24ca6

SHA256
233fa93ce87d0726aa6d6a1d93b08fd162098fecd437a067b6c818eb11f189c9

SHA512
6d9f30c825b1c0c09d8555389004335f2209946a968e9b817bbd87c0eba63cd3a073e364ecdb76ff054f6b50001497263e88af606e9c8e46dc7938951de13703

Download Submit
\Windows\System32\msiexec.exe
Filesize
1.6MB

MD5
5a74e2c75aea455d70717d365449b73b

SHA1
91f84bd59cdf7472ee3353a8898c370e7536ac62

SHA256
07fcfef1e9da2d6b084b2e073f9a874d7d524c35241485ecc82250bf262b3e2e

SHA512
0fa3b7b7e7f1a39d47871e2e1776f5edbd74d6881b64540f2fa6a1b49f328039c45c930f202628da973bc3bf6bc0cdf8633ebb822d9bee1de98d2e16213b2ded

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
338c129e7079c460979ec81b870c2e5d

SHA1
df01e414602e31a34aaa1f46f53a6a5c38b7d680

SHA256
0bf250015356670f4783772e326021089e220ae21ec2d9569e2fa2f99ffdb548

SHA512
01bac99bc6c7672215583db0d5d6f9ff2196992ea8902783f63e8176a41bb6a5bc35f2c112666c47bf9448f68d4e9b129a476e0c60e8bcc381e61e243a53cc1e

Download Submit
\Windows\ehome\ehsched.exe
Filesize
1.6MB

MD5
2af71ee88463d6a1cca8f39f2869d659

SHA1
18ee975106717fd26ebb0446c89725169bbf08ee

SHA256
8e1d4d0ed6961f3686911422f52b4d8b7587fe39ef95729a2ccbcb25404f8595

SHA512
bfcf25fe88fb68a0f5b938cb12e59334c20ea914481d3f07e0216046502eb89d32bd02bfea1fe2a780fc3208c8e8491228af3d55d549d6fd9b304db20b1edae3

Download Submit
memory/112-213-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/112-510-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/408-458-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/408-201-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/408-840-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/640-465-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/640-660-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/640-509-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/776-843-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/776-226-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/876-142-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/876-107-0x00000000004D0000-0x0000000000537000-memory.dmp

Filesize
412KB

Download
memory/876-114-0x00000000004D0000-0x0000000000537000-memory.dmp

Filesize
412KB

Download
memory/876-106-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/884-447-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/884-470-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/892-167-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/892-161-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/892-170-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/1040-649-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1040-677-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1192-705-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1192-693-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1300-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1300-306-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1300-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1300-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1300-169-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-586-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1304-571-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1316-805-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1380-154-0x0000000010000000-0x000000001018E000-memory.dmp

Filesize
1.6MB

Download
memory/1380-123-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/1380-129-0x0000000010000000-0x000000001018E000-memory.dmp

Filesize
1.6MB

Download
memory/1380-130-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/1476-419-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1476-451-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1536-753-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1536-741-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1556-606-0x000000002E000000-0x000000002E19C000-memory.dmp

Filesize
1.6MB

Download
memory/1556-345-0x000000002E000000-0x000000002E19C000-memory.dmp

Filesize
1.6MB

Download
memory/1696-767-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1696-631-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1696-607-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1768-766-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1768-778-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1824-524-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1824-551-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2076-184-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2076-187-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2076-849-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2076-444-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2076-178-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2256-829-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/2256-835-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/2416-334-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/2416-348-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/2464-809-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/2464-832-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/2504-706-0x0000000003D10000-0x0000000003DCA000-memory.dmp

Filesize
744KB

Download
memory/2504-718-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2504-704-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2508-743-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2508-730-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2516-632-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2516-647-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2564-857-0x0000000140000000-0x000000014019D000-memory.dmp

Filesize
1.6MB

Download
memory/2572-58-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2572-186-0x0000000100000000-0x000000010018B000-memory.dmp

Filesize
1.5MB

Download
memory/2572-50-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2572-56-0x0000000100000000-0x000000010018B000-memory.dmp

Filesize
1.5MB

Download
memory/2572-57-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2576-319-0x0000000100000000-0x000000010017C000-memory.dmp

Filesize
1.5MB

Download
memory/2576-570-0x0000000100000000-0x000000010017C000-memory.dmp

Filesize
1.5MB

Download
memory/2608-790-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2620-144-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2620-150-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/2620-359-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2620-1053-0x0000000001F70000-0x0000000001F7A000-memory.dmp

Filesize
40KB

Download
memory/2620-1054-0x0000000001F70000-0x0000000001F8E000-memory.dmp

Filesize
120KB

Download
memory/2620-1055-0x0000000001F70000-0x0000000001F8A000-memory.dmp

Filesize
104KB

Download
memory/2620-1056-0x0000000001F70000-0x0000000001FFC000-memory.dmp

Filesize
560KB

Download
memory/2620-1057-0x0000000001F70000-0x0000000002014000-memory.dmp

Filesize
656KB

Download
memory/2620-1058-0x0000000001F70000-0x000000000210E000-memory.dmp

Filesize
1.6MB

Download
memory/2620-1059-0x0000000001F70000-0x000000000205C000-memory.dmp

Filesize
944KB

Download
memory/2620-1060-0x0000000001F70000-0x0000000001F80000-memory.dmp

Filesize
64KB

Download
memory/2620-1061-0x0000000001F70000-0x0000000001FF8000-memory.dmp

Filesize
544KB

Download
memory/2620-1062-0x0000000001F70000-0x0000000001F94000-memory.dmp

Filesize
144KB

Download
memory/2620-1063-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2620-145-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/2684-801-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2684-787-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2696-559-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2696-577-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2708-692-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2708-673-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2736-360-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2736-630-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2804-717-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2804-723-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2808-598-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2808-592-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2872-512-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2872-529-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2888-310-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2888-558-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3020-102-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/3020-101-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/3020-95-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/3020-94-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/3020-225-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download