6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4

Analysis

max time kernel
138s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/04/2024, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
Size

625KB
MD5

3b4ba2b962496521ae262e192ce74f0f
SHA1

1ab84958d4664883b70e1e577f296b7afb052d6a
SHA256

6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4
SHA512

00e50a29d2bdbbba5cf26cf9f87a676751096015efe09d32ca0a7ac3231c89827df40819ac5c7eb8992e96a37a6d0dee3eb1bc8928452928bd1398dd2f174a5c
SSDEEP

12288:HJB7d0NxksRpWE9FRHSfNm1wgbIxnBw7dzE+e3gxZC6LgjigDy5fdv8fWi+:pBCks7WE9F5pwg8zmdqQjC60jiHkU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2812	alg.exe
2644	aspnet_state.exe
2556	mscorsvw.exe
1888	mscorsvw.exe
1740	mscorsvw.exe
1512	mscorsvw.exe
2208	ehRecvr.exe
2336	ehsched.exe
1836	elevation_service.exe
1048	IEEtwCollector.exe
672	dllhost.exe
1492	maintenanceservice.exe
2248	OSE.EXE
2196	OSPPSVC.EXE
2760	mscorsvw.exe
1064	mscorsvw.exe
1780	mscorsvw.exe
2940	mscorsvw.exe
2340	mscorsvw.exe
2236	mscorsvw.exe
1212	mscorsvw.exe
2096	mscorsvw.exe
2824	mscorsvw.exe
2948	mscorsvw.exe
1316	mscorsvw.exe
896	mscorsvw.exe
2816	mscorsvw.exe
2580	mscorsvw.exe
2536	mscorsvw.exe
1648	mscorsvw.exe
1212	mscorsvw.exe
2268	mscorsvw.exe
632	mscorsvw.exe
1940	mscorsvw.exe
2372	mscorsvw.exe
1376	mscorsvw.exe
1620	mscorsvw.exe
1168	mscorsvw.exe
2080	mscorsvw.exe
524	mscorsvw.exe
2968	mscorsvw.exe
1580	mscorsvw.exe
2676	mscorsvw.exe
832	mscorsvw.exe
2740	mscorsvw.exe
2608	mscorsvw.exe
2132	mscorsvw.exe
1496	mscorsvw.exe
2348	mscorsvw.exe
1452	mscorsvw.exe
1428	mscorsvw.exe
2656	mscorsvw.exe
2488	mscorsvw.exe
2880	mscorsvw.exe
2744	mscorsvw.exe
2452	mscorsvw.exe
2336	mscorsvw.exe
2136	mscorsvw.exe
2508	mscorsvw.exe
2344	mscorsvw.exe
2096	mscorsvw.exe
1784	mscorsvw.exe
1904	mscorsvw.exe

Loads dropped DLL 48 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
832	mscorsvw.exe
832	mscorsvw.exe
2608	mscorsvw.exe
2608	mscorsvw.exe
1496	mscorsvw.exe
1496	mscorsvw.exe
1452	mscorsvw.exe
1452	mscorsvw.exe
2656	mscorsvw.exe
2656	mscorsvw.exe
2880	mscorsvw.exe
2880	mscorsvw.exe
2452	mscorsvw.exe
2452	mscorsvw.exe
2136	mscorsvw.exe
2136	mscorsvw.exe
2344	mscorsvw.exe
2344	mscorsvw.exe
1784	mscorsvw.exe
1784	mscorsvw.exe
588	mscorsvw.exe
588	mscorsvw.exe
2488	mscorsvw.exe
2488	mscorsvw.exe
3060	mscorsvw.exe
3060	mscorsvw.exe
2896	mscorsvw.exe
2896	mscorsvw.exe
1184	mscorsvw.exe
1184	mscorsvw.exe
916	mscorsvw.exe
916	mscorsvw.exe
2008	mscorsvw.exe
2008	mscorsvw.exe
2236	mscorsvw.exe
2236	mscorsvw.exe
1944	mscorsvw.exe
1944	mscorsvw.exe
1716	mscorsvw.exe
1716	mscorsvw.exe
2960	mscorsvw.exe
2960	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f122f984ae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{23239F3B-3BCD-4D58-9E5D-D5C632F3680B}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6393.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7436.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5F5F.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP59C4.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4827.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP44BE.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4CC9.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP52D1.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1884	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2784	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: 33	1936	EhTray.exe
Token: SeIncBasePriorityPrivilege	1936	EhTray.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeDebugPrivilege	1884	ehRec.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: 33	1936	EhTray.exe
Token: SeIncBasePriorityPrivilege	1936	EhTray.exe
Token: SeDebugPrivilege	2812	alg.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeDebugPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1740	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1936	EhTray.exe
1936	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1936	EhTray.exe
1936	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2760	1740	mscorsvw.exe	44
PID 1740 wrote to memory of 2760	1740	mscorsvw.exe	44
PID 1740 wrote to memory of 2760	1740	mscorsvw.exe	44
PID 1740 wrote to memory of 2760	1740	mscorsvw.exe	44
PID 1740 wrote to memory of 1064	1740	mscorsvw.exe	45
PID 1740 wrote to memory of 1064	1740	mscorsvw.exe	45
PID 1740 wrote to memory of 1064	1740	mscorsvw.exe	45
PID 1740 wrote to memory of 1064	1740	mscorsvw.exe	45
PID 1740 wrote to memory of 1780	1740	mscorsvw.exe	46
PID 1740 wrote to memory of 1780	1740	mscorsvw.exe	46
PID 1740 wrote to memory of 1780	1740	mscorsvw.exe	46
PID 1740 wrote to memory of 1780	1740	mscorsvw.exe	46
PID 1740 wrote to memory of 2940	1740	mscorsvw.exe	49
PID 1740 wrote to memory of 2940	1740	mscorsvw.exe	49
PID 1740 wrote to memory of 2940	1740	mscorsvw.exe	49
PID 1740 wrote to memory of 2940	1740	mscorsvw.exe	49
PID 1740 wrote to memory of 2340	1740	mscorsvw.exe	50
PID 1740 wrote to memory of 2340	1740	mscorsvw.exe	50
PID 1740 wrote to memory of 2340	1740	mscorsvw.exe	50
PID 1740 wrote to memory of 2340	1740	mscorsvw.exe	50
PID 1740 wrote to memory of 2236	1740	mscorsvw.exe	51
PID 1740 wrote to memory of 2236	1740	mscorsvw.exe	51
PID 1740 wrote to memory of 2236	1740	mscorsvw.exe	51
PID 1740 wrote to memory of 2236	1740	mscorsvw.exe	51
PID 1740 wrote to memory of 1212	1740	mscorsvw.exe	62
PID 1740 wrote to memory of 1212	1740	mscorsvw.exe	62
PID 1740 wrote to memory of 1212	1740	mscorsvw.exe	62
PID 1740 wrote to memory of 1212	1740	mscorsvw.exe	62
PID 1740 wrote to memory of 2096	1740	mscorsvw.exe	53
PID 1740 wrote to memory of 2096	1740	mscorsvw.exe	53
PID 1740 wrote to memory of 2096	1740	mscorsvw.exe	53
PID 1740 wrote to memory of 2096	1740	mscorsvw.exe	53
PID 1740 wrote to memory of 2824	1740	mscorsvw.exe	54
PID 1740 wrote to memory of 2824	1740	mscorsvw.exe	54
PID 1740 wrote to memory of 2824	1740	mscorsvw.exe	54
PID 1740 wrote to memory of 2824	1740	mscorsvw.exe	54
PID 1740 wrote to memory of 2948	1740	mscorsvw.exe	55
PID 1740 wrote to memory of 2948	1740	mscorsvw.exe	55
PID 1740 wrote to memory of 2948	1740	mscorsvw.exe	55
PID 1740 wrote to memory of 2948	1740	mscorsvw.exe	55
PID 1740 wrote to memory of 1316	1740	mscorsvw.exe	56
PID 1740 wrote to memory of 1316	1740	mscorsvw.exe	56
PID 1740 wrote to memory of 1316	1740	mscorsvw.exe	56
PID 1740 wrote to memory of 1316	1740	mscorsvw.exe	56
PID 1740 wrote to memory of 896	1740	mscorsvw.exe	57
PID 1740 wrote to memory of 896	1740	mscorsvw.exe	57
PID 1740 wrote to memory of 896	1740	mscorsvw.exe	57
PID 1740 wrote to memory of 896	1740	mscorsvw.exe	57
PID 1740 wrote to memory of 2816	1740	mscorsvw.exe	58
PID 1740 wrote to memory of 2816	1740	mscorsvw.exe	58
PID 1740 wrote to memory of 2816	1740	mscorsvw.exe	58
PID 1740 wrote to memory of 2816	1740	mscorsvw.exe	58
PID 1740 wrote to memory of 2580	1740	mscorsvw.exe	59
PID 1740 wrote to memory of 2580	1740	mscorsvw.exe	59
PID 1740 wrote to memory of 2580	1740	mscorsvw.exe	59
PID 1740 wrote to memory of 2580	1740	mscorsvw.exe	59
PID 1740 wrote to memory of 2536	1740	mscorsvw.exe	60
PID 1740 wrote to memory of 2536	1740	mscorsvw.exe	60
PID 1740 wrote to memory of 2536	1740	mscorsvw.exe	60
PID 1740 wrote to memory of 2536	1740	mscorsvw.exe	60
PID 1740 wrote to memory of 1648	1740	mscorsvw.exe	61
PID 1740 wrote to memory of 1648	1740	mscorsvw.exe	61
PID 1740 wrote to memory of 1648	1740	mscorsvw.exe	61
PID 1740 wrote to memory of 1648	1740	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
"C:\Users\Admin\AppData\Local\Temp\6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2644

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2556

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 1e8 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 23c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 24c -NGENProcess 268 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 24c -NGENProcess 264 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 258 -NGENProcess 270 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 248 -NGENProcess 264 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 274 -NGENProcess 24c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 270 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 274 -NGENProcess 284 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1d8 -NGENProcess 264 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 280 -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 240 -NGENProcess 264 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 290 -NGENProcess 1d8 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 28c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 240 -NGENProcess 29c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 27c -NGENProcess 28c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2a0 -NGENProcess 294 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 29c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 27c -NGENProcess 2ac -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 264 -NGENProcess 29c -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2a8 -NGENProcess 2b4 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1f0 -NGENProcess 25c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 2c8 -NGENProcess 2b0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 1c4 -NGENProcess 2b8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 1f0 -NGENProcess 2d4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 294 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2d4 -NGENProcess 2b8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2e0 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 294 -NGENProcess 2e8 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2c0 -NGENProcess 2d8 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2e8 -NGENProcess 2d8 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2fc -NGENProcess 25c -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2e8 -NGENProcess 2b8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2f4 -NGENProcess 300 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2fc -NGENProcess 30c -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2f0 -NGENProcess 300 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 300 -NGENProcess 308 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2d8 -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 2f0 -NGENProcess 31c -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2b8 -NGENProcess 310 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 30c -NGENProcess 320 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 320 -NGENProcess 2b8 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 32c -NGENProcess 2d8 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 30c -NGENProcess 334 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 324 -NGENProcess 2d8 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 2d8 -NGENProcess 330 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 33c -NGENProcess 334 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 324 -NGENProcess 344 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 334 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 334 -NGENProcess 340 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 34c -NGENProcess 344 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 328 -NGENProcess 354 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 338 -NGENProcess 344 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 344 -NGENProcess 350 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 35c -NGENProcess 354 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 344 -NGENProcess 358 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 360 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 35c -NGENProcess 36c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 370 -NGENProcess 360 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 370 -NGENProcess 35c -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 35c -NGENProcess 354 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 350 -NGENProcess 37c -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 36c -NGENProcess 354 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 380 -NGENProcess 35c -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 37c -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 354 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 380 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 378 -NGENProcess 354 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 394 -NGENProcess 384 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 394 -NGENProcess 378 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 390 -NGENProcess 384 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3a4 -NGENProcess 38c -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:1072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 37c -NGENProcess 354 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 390 -NGENProcess 3ac -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 39c -NGENProcess 354 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3b0 -NGENProcess 37c -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 3ac -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 354 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:1796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 37c -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3b4 -NGENProcess 3c4 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3ac -NGENProcess 3c8 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 39c -NGENProcess 3c4 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:1080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3cc -NGENProcess 3b4 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:1768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 3c8 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3c4 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3b4 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 3c8 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3d4 -NGENProcess 3e4 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 3d4 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3dc -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3f0 -NGENProcess 3cc -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3e4 -NGENProcess 3f4 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3f4 -NGENProcess 3cc -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3c4 -NGENProcess 3d4 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 3c4 -NGENProcess 3f4 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3b4 -NGENProcess 408 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3e0 -NGENProcess 3f4 -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 3c8 -NGENProcess 410 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 3f4 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 40c -NGENProcess 418 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 3e4 -NGENProcess 3f4 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 414 -NGENProcess 420 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 408 -NGENProcess 3f4 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 424 -NGENProcess 3e4 -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 408 -NGENProcess 414 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 42c -NGENProcess 430 -Pipe 424 -Comment "NGen Worker Process"
  2⤵
  PID:432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 414 -NGENProcess 3cc -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:1376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 434 -NGENProcess 408 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 24c -NGENProcess 1c8 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 438 -NGENProcess 414 -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:2368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 430 -NGENProcess 270 -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 24c -NGENProcess 3cc -Pipe 438 -Comment "NGen Worker Process"
  2⤵
  PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 270 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  PID:904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 248 -NGENProcess 24c -Pipe 430 -Comment "NGen Worker Process"
  2⤵
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 420 -NGENProcess 270 -Pipe 1b4 -Comment "NGen Worker Process"
  2⤵
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 428 -NGENProcess 408 -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 43c -NGENProcess 248 -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 3e4 -NGENProcess 408 -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  PID:2852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 444 -NGENProcess 420 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 448 -NGENProcess 43c -Pipe 444 -Comment "NGen Worker Process"
  2⤵
  PID:1216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 440 -NGENProcess 420 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:1080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 3e0 -NGENProcess 454 -Pipe 448 -Comment "NGen Worker Process"
  2⤵
  PID:1552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 270 -NGENProcess 420 -Pipe 44c -Comment "NGen Worker Process"
  2⤵
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 458 -NGENProcess 440 -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 440 -NGENProcess 3e0 -Pipe 454 -Comment "NGen Worker Process"
  2⤵
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 460 -NGENProcess 420 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 420 -NGENProcess 458 -Pipe 45c -Comment "NGen Worker Process"
  2⤵
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 468 -NGENProcess 3e0 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 46c -NGENProcess 464 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:1540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 470 -NGENProcess 458 -Pipe 440 -Comment "NGen Worker Process"
  2⤵
  PID:268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 470 -InterruptEvent 474 -NGENProcess 3e0 -Pipe 450 -Comment "NGen Worker Process"
  2⤵
  PID:2184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 478 -NGENProcess 46c -Pipe 468 -Comment "NGen Worker Process"
  2⤵
  PID:1888

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2080

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2208

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1936

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1836

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1048

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:672

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1492

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2248

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
f15670f1acfa4644e4ad3b9f39ebe6d8

SHA1
f07d17127becd4a09d2c359f01e4e50db9373759

SHA256
74b4ccd1f93ff44c3ca0f0aad4b7b41b39522b6908e405a8b81241401a460b07

SHA512
af8bcbe0d170921451f730e1a048cd108cd8cdf39d629a41dedf70ec3d0e1db42015cd57719935798932fd8f0ab4acbbed523d17fb67114d0b716a5e8deba937

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
5e4df7cb451153bbdb9cd3d796a85fad

SHA1
f4a7af522d1bc039dad368942439c1bd27171e36

SHA256
60e5b27792e6c81308da8c00bef053f9b9d99a779181c0109df3ed612fa9f66a

SHA512
d8fbe56a9993b2f6186418dad33ed34cc0fbf9f0fdd031fd78099d28eeec8246fd19b9fc5bb4ad105cffa6017b572b153483482b18eb8728a70997db43a7b172

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
0f395625d12611891b2e538bbb9dacb8

SHA1
487e3f02252e26ce5179932f7cd69156aa5913c8

SHA256
a91e11b6493067d18f2e24f67948590637ae97ab80eb00b3173d2be701e981b9

SHA512
0b0f32f0c00d090d13f4acaa0afe7af0a8d426a86985ed4d68d120aa9837952f4c7166fa15e634d21d6cc46d17c2f5dd9653c1c611fb42cbf1601721b6a11945

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
0ecc5fa85265132facf5fa9904a09798

SHA1
383ad26a3667d960323c517751c1722245dea556

SHA256
76d3ef8c5e755db29c069c1bb1b6fd844f64623370d4603126a18813630439ad

SHA512
7c645577c2b8598d7645962b8658fb08b687048e29c0379d707e328a5101efb4a91cba6075ccf43406bda9fd152c0e9e8cb525cb211d0b3996b01561e437bfc8

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
2b8120325c5d0f22861bd39d06ca88ee

SHA1
ddf309c6ab931b85602bdc295bac084b77a78a92

SHA256
9badf1510fe31f767df1b8c47dd0b2e0ba1c3b24b3982952cf0a6f57c79fc98b

SHA512
743ca6fe6b21ebcdae3ec746fc36c05b0a8d09080d9a653975066503cdd2d244d0853434e5ce15c988874218965b3e93b50baef93c3196297afddde1be8a8e5c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
89a68f7113932f1055c35873691f61f1

SHA1
79a3415778be5363765c88a36e3fe07065bc9a57

SHA256
fc817737b4b75091bb603c4514b5646004cf31f592ac26f2d9e0a1bf0c1646da

SHA512
822f9038aad7ae73b30ae21b66722e6108a0e30787c37af8cf5506cabb8fea8fe40889dbc434d0916300851de22141d81bedea461bc9fd396ff07d86bc3ef733

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
be6a26557e10a53880d34b765f8a6f13

SHA1
26a1e24a73e9f5782d2455bdc8c3ff452706c3bc

SHA256
bf80a1dfe00f7e59b85e152ad63ade2ad1af5ed84ceb3f50c2b12f88d58ec006

SHA512
f2df0e2e08d1d3cc82bcc69523293ead8b2307396cbf6bb256e1ce5088ec3b9063336e7f9051ba7a404f88e6aa88cacbb0934fcddb336d669a42814f89cf5054

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
05bbedad7855cd0e35b77f77c1ee86c7

SHA1
0d4a9f9cd8d9e7626caf70074e4189f62d21d55b

SHA256
dfa38c753e2ff1427e93d92343a47d10b82561f6cf6435d871a52c5577fc8af7

SHA512
9705bb8fee415141018546f03c74b4dd9bf41db3cd6e84734afe219a39d0073b73b3a9824e911de14dcf4d97493aedace13799475e99922575cf4c98e016c74e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2a3016120cc6d6596d1461e521486046

SHA1
195ac394f0f17b518a8757e6f6de82bf0710495d

SHA256
0d937742ea13607fe749f40a793876813b6006b16cdb8b8ad8e799d9ad0cdfa6

SHA512
20c155a258005faec2fc9f2cfe54ab40961212e3468fca5d0a020b344967f44b6e4a27a1176a14fd2ad986d099234e6874b53f1d28c12256723f8af87d6d0eb5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d735e2f5c4fb62376918ad93f050e27e

SHA1
70ca3ed7e747507030993d47f692240f9082c2d6

SHA256
b3941d7b459e214978158d8227f29be5772a5cc04f765ea99fedf4815a2c5a09

SHA512
eadf3e50f942a7c95e0a312d8630b84929a59718544c8ad384910e2cdc793b9e6f8903a78363a0defff88a6e1310f3e25d600005467dad4a8505aada49d53283

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
8f94c1b0cdafe1e97cb57e90d79e35d4

SHA1
c2457746618e8e5ee60a50fd7c91b36dfacad3b0

SHA256
fdd4294aa0087f2dd433a0bf5b382b62b840dc089e1fb443dcd77759ed6e036f

SHA512
1b73041d8cc55128d712d87fe0eecb126e4704a2ea10e4068b42c39203b496f0087116fe1aea174703e92a7af6108de431bcf50e322d6e66cdc82a56a32e5f14

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
1b200de0848cc03af916d58fa2639a54

SHA1
c7bf8b82827fbd498e6f58bc8826b457591f23a0

SHA256
480dbe229b5da0792dddf5b5608416092eebbd0cb5f87615f336fabd4116365f

SHA512
1fecd180203ed3a098bd585ff8e48b259a9b5142f569e2b4686cbcf11957d6c974baf64412489e4a404aafa1331dd825706faf09815c1af6d1509ed1c78cd94f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
14d05573a31d52e06c942896f414bc08

SHA1
11e424368073cc73a4fd073e91c1c48d2cf1b5a3

SHA256
281a9938627eab3e70c10833b2efee6e84fd47a2ad51889deb537178494dccd3

SHA512
b4cec848ac57d151f7814e51e23450d28d2e6bd64f6fbfcbc7f267e94b37ebac2d7ace5aaa58c8ce64b8f87a8b56de06ff9fe45cf1c503aa6528ef9b325e663f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
732b2bd52212eb8dbfdc65cc5da9cd3d

SHA1
a358695f8d602bb1f75273a333d374361685b281

SHA256
ea53a465b93a0353344abd7ea92475d05c70398271080b6b883702d3a83ae939

SHA512
44fc8c852ed224aaeb45d9d7888cbaf24625b2315580c5ebea1cdded8b305dcf2b698eedd0fb263c95e2674446615b36edf6c6e093ecc7c7da618035ed02f2fa

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
3655cc2db88ee9c046e3f74e6f0a31ea

SHA1
db6b6f65c4e7d9583ab766bd5b877e90d369c0bd

SHA256
2f014be7e2926611e2bdcc3a1acffc389ecff52bf8ecbfc7f22a8b284402c0e5

SHA512
8cfe238a409963478a43af8ca5fab61861df995d00762b2db7a4fd728e73503b00a3813d4f2826c6df69a3d1c4a09a9e554a3ff8b2a715f841cbc2fdc000a5e5

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
16f01db6734ca58a59314505f70bfc7f

SHA1
e8385e7d583295da921dd45ba16f6dceee920110

SHA256
1402545d15a2e5854c71f840d2ffced5880e578e3e349fb508958e15c308f81c

SHA512
7d495a03a02b48b05e67151d6cdf07ee30b52c7fae5beea277deedee33e272551b0ebdf1dc1c9f1950afdd619802ca881e051f36b814c0b46d79a4d0d65c049b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
95c5f6f3fb658f1b7a8699170373d767

SHA1
98eed889327e2aab57e38ba6ec7343cb1458a569

SHA256
b87aad061111d5e4e893448065e6f991edb4134887c487f53a724716f950610b

SHA512
81b49a27a7d26f57a6e50d503d3dca966bf2e4672530debbca0038a652f74b458e16e3c3c19456b8e80240e7dfb09d48c89a6524e446fc6b8f02aee896dbb4ea

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
61e043620a07d96da384862d0a626464

SHA1
7be88d428b907e6b49c76b34afb2a64789ae86f7

SHA256
0f0218b55064455b2fb25a32cabd347241277fa856f0f0ee000c2c4ebc34683d

SHA512
9ffcf72ee63f5686926fc14188ba35e9a69bb952bd73fbcbd71cbfb5242be7680643ab425ce71f0005c25b4a9719df254f0f29baa8f3e5c09c2b49efde600782

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
209afcdffe50f9e78c1a91de0f05abc6

SHA1
371ee9f7f6228ea0869380911a242a693c3e2e32

SHA256
92e4e9bcbdff2393a785c957e96df74ea6b1c125257f1f7e65030e54db4b68fc

SHA512
7578a165ffa51c7c8c6d79e3619905488c39dc8940b00069b3bd50f2c0f80f53cda50f51cbd3827dae649cb6e830bfb251c0a508e5e81957e1fa114883861334

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\193cd49718c8d93acd4f029b3204474a\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
7695f846b2d3e860df5cec9af8007a3e

SHA1
d52ec58ba54b2004d9eeeef698980a2808a38a94

SHA256
09a661e2758f2063cb39b4b907935a0c462206bc05cdc7e280990bcd9b9d4c23

SHA512
bf6173302ce8828e2ca75b79904f2f27b61c0ee59b3907402d8a2902d0e7f2e39d24a10deedf876428f9682c1944b6ba303dc5849317eef365277ad835b54939

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

Filesize
1.2MB

MD5
0637ad2bf6fc5ac1d29e547155bc818c

SHA1
a502879466b6dd37eae5881bbb18353f97623852

SHA256
868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f

SHA512
1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\884924c25961b62702f1d81da343dd33\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
15b07a48eb114eabaa1dd182163677cb

SHA1
e63dfe2ec2bc64b59ddfabcb63449a4bdd43b398

SHA256
b901b194909c163e0772af916851f6636bfa3378114a30fdfeded297765f61aa

SHA512
38618c56a87eafa3b3e89b214d623c981569f0d8647608bb8a32dcb2ac5c89308d6024336c7f41091265d5c52a51d02e7f31a77a38db6b8b1ac4e8c5be9532af

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9d1732227935b60837d388598bd6e8e5\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
bab76344511ea7d91eaf65f53fbde599

SHA1
fe662d13b55fee0e4bca24d7d59060c639b3501b

SHA256
b25bbeec5a31a00839a43f6181558d532bdb19bd6c2152b6e8a5c2101eaed7ad

SHA512
febf8aecb4988fc121f85c8aa43259d70193ee4ef4009a5677b952be1b2b816da36e5c894d8c86866336fcc6132aebdb65902e25915470b67f9d393212385a4e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a05ee2388c8a28fb3ac98ec65148e455\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

Filesize
65KB

MD5
da9f9a01a99bd98104b19a95eeef256c

SHA1
272071d5bbc0c234bc2f63dfcd5a90f83079bbab

SHA256
b06632dff444204f6e76b16198c31ab706ea52270d5e3ae81626dc1fc1fb1a4d

SHA512
dcb3273e33b7df02461e81a4f65ae99c0a9ae98188a612ce6d605a058bd2dcb6ddb5b7c78abe1f0a955b7f0c07c323dbfd77a2b6a629a9c87e4ecc1c57e4d81d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fb477855a982e1be1dfad44c07d76cf3\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
ac57c95ab2385cd2bedef328a295bc95

SHA1
1e4da0c3185df5ac04aed6910d0a1d936956cf24

SHA256
d3b82a88139aeddbff9cc8a922138522f71f6dbb06585ea26fb7e850d8673753

SHA512
7d09905635b5ff37976c2e1581d3424a28d9f185584845562c15f86da0f25585d88cc94d960c4f2b2bca05e2d5b3466e8191f4cafcf539546cbd0f4bb7e20e2e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
c69cf52428505419f10247f2ffc74825

SHA1
dce9ab4dcfcdd9efcf3f0f113e3747d6b0a288eb

SHA256
55960b1611eaf64486c2a1bc2cfaae6f1629abe8f58f85f3214b2b6e96b9b8f6

SHA512
158a906a4bba31ec6faff6507987e0e0cda21760131c0c8c2855b6a350ff43db4feaf293b64be63cdbafd78955d812879a54bc4353fa97b43334f41758c7880d

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
4a9bfda64d667120ba8aaed1e48f1fc4

SHA1
7bf0540a461cd885476f33916581b39e9c752530

SHA256
89ca55d79651d06f3791a15b6cf292751674c3c825dbd6cded93fed8b9fcf055

SHA512
715aaefa9bd0363e405a0685b04d4d709affd5bd90e0c2029c4baa76d5d252f65fcbc370837d6998076a61a2e6ccd42322f9db0b78e5b257c94386f805cfe0d3

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
964999c791235cb90e302c165a804cb4

SHA1
d304ccfbceb5033c7e25c878868037ce631c384d

SHA256
3393a5736b1b2f883b9315e0337908c3a49fecd192e6361cefcc5ea3caffa65e

SHA512
34fff3dd02c3a1455c5654d7b24bbb897f23c48bb1baa1a77775dc3a6918500c076e132931aaed3a12ee3322e6f106bc198f67bf18c93e7cc0f48789996beabd

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
dd0bc648e982b9f6374805bc12d31d4c

SHA1
b657c453ef0d9c9f7ec59a310c8f8fda51a62ec3

SHA256
f4b0c9dddacf300113ce362a5ef3f4b2da3fac84bf9485d01846d3019f07c4b1

SHA512
b8f0a0fb5e608904990eaf5009ad9068f618409ea455b37e0ae38b1a832bce0989f5cdda8c55075aed165423bf590f0704136d793d6e0015fa4a16284386b58c

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
041f1ee552635e3b860a12d8970b3ba7

SHA1
0b92daa34e796c07d5ac42eb664146baee201c57

SHA256
7f35dec974c77ed772d061c14544c5920b379a80ef2e92cdc5b624ab0065ee6e

SHA512
30bd802e605f4d4e38634f3bdbfff096d79cc3a9addd3726bd2356d8b8a31cb526303dca8fa47fc79d1f61089147ecaa26233f928b5a44391316089efa6a7ba9

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
ac2f297dc21c1084f9e2048cd1d3fcff

SHA1
ab4f0b50afec539055e6e71ec6dcf572cb8160b0

SHA256
cb29dc7714ea17164f387d80933107ee52470edcadea0b9bf0a57cfe98dd482d

SHA512
4a8a66558d5ebd85ba5364c80c87c61344db3a07b1b6f26308deeb88e9c2972fdea01f6f6a99499e55fc20107adf2c25782bc6307dfedab4715f2dfab3b471d7

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
bb7db6a32a4c6621c79ccdc7baacf7a8

SHA1
3661711e2d1fca08cb6839aff4ea731f400d587d

SHA256
3af3b85684f289c0e44a8102746f37f3c1cf61545ddb3272aed367400c8980a1

SHA512
d44b262700edc17298c0a6c5ffee8c2311f59f0882a471995b80983e9b91f45f74483726d18a9a69152359c1abc522d1141f28df96bfef45edfb0fe2b461519b

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
74ecd11ca9d675f09f7cfb6f10558649

SHA1
a9060f6c0e943a0495f05c58fce1518f035f5e8d

SHA256
513102feda27fba45b4f7894fad4093d2433c936fc41955e904239c4ef8876c5

SHA512
283f27c8f8d2b522f6753d4a9771a6997dbd96d7abb83e617a5cbc203e91f4c403285737ea7a73cf946dc871f7da7bc5e9fc7b160d35dc967c7b9779f560b4ef

Download Submit
memory/632-591-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/632-610-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/672-435-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/672-146-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/896-511-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/896-525-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1048-130-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1048-683-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1048-419-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1064-397-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1064-376-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1168-665-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1168-653-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1212-454-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1212-441-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1212-574-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1212-585-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1316-512-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1316-493-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1376-631-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1376-638-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1492-165-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1492-172-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1512-361-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1512-77-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1512-71-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1512-70-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1620-644-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1620-651-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1648-566-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1648-561-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1740-710-0x00000000013E0000-0x0000000001484000-memory.dmp

Filesize
656KB

Download
memory/1740-711-0x0000000001DA0000-0x0000000001F3E000-memory.dmp

Filesize
1.6MB

Download
memory/1740-708-0x00000000007C0000-0x00000000007DA000-memory.dmp

Filesize
104KB

Download
memory/1740-714-0x00000000013E0000-0x0000000001468000-memory.dmp

Filesize
544KB

Download
memory/1740-224-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1740-707-0x00000000007C0000-0x00000000007DE000-memory.dmp

Filesize
120KB

Download
memory/1740-61-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1740-706-0x00000000007C0000-0x00000000007CA000-memory.dmp

Filesize
40KB

Download
memory/1740-56-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1740-55-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1740-709-0x00000000013E0000-0x000000000146C000-memory.dmp

Filesize
560KB

Download
memory/1740-712-0x00000000013E0000-0x00000000014CC000-memory.dmp

Filesize
944KB

Download
memory/1740-713-0x00000000007C0000-0x00000000007D0000-memory.dmp

Filesize
64KB

Download
memory/1780-394-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1780-410-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1836-125-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1836-406-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1836-118-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1836-124-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1888-44-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1888-65-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1940-609-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1940-614-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2080-677-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2080-666-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2096-467-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2096-463-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2196-196-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2196-475-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2208-92-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2208-112-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2208-689-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2208-98-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2208-375-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2208-113-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2208-91-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2236-438-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2236-443-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2248-462-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2248-175-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2268-586-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2268-590-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2336-103-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2336-104-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2336-680-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2336-388-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2336-110-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2340-422-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2340-437-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2372-634-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2372-615-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2536-550-0x0000000003C50000-0x0000000003D0A000-memory.dmp

Filesize
744KB

Download
memory/2536-542-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2536-562-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2556-30-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2556-31-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/2556-36-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/2556-84-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2580-537-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2580-541-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2644-155-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2644-27-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2760-227-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2760-374-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2784-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2784-8-0x0000000000560000-0x00000000005C7000-memory.dmp

Filesize
412KB

Download
memory/2784-90-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2784-6-0x0000000000560000-0x00000000005C7000-memory.dmp

Filesize
412KB

Download
memory/2784-1-0x0000000000560000-0x00000000005C7000-memory.dmp

Filesize
412KB

Download
memory/2784-142-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2812-20-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2812-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2812-14-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2812-117-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2812-21-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2816-536-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2816-522-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2824-476-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2824-488-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2940-423-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2940-407-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2948-487-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2948-492-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download