64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe
Size

1.8MB
MD5

1aef79ed818389a5c77332a7ee77cf65
SHA1

9cce17eb2f008ee0c26c78e1548d87525fa4757a
SHA256

64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6
SHA512

58971621c4f7645f70ac2117e9215f56cbe6d2b97b3df9b2275322d275cafbb0b561a99b9be0a3c9c4805cdfaf97fe11967c2f941d3b22bc50c99e7fe2f0c527
SSDEEP

49152:Fx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA8hkR0HpUUN5I9+n3Y:FvbjVkjjCAzJuRepUUN5I9+n3

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exeGROOVE.EXEmaintenanceservice.exemsdtc.exemsiexec.exeOSE.EXEOSPPSVC.EXEperfhost.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
476
2700	alg.exe
2584	aspnet_state.exe
2916	mscorsvw.exe
1524	mscorsvw.exe
1560	mscorsvw.exe
288	mscorsvw.exe
2484	ehRecvr.exe
768	ehsched.exe
408	elevation_service.exe
1536	IEEtwCollector.exe
900	GROOVE.EXE
1264	maintenanceservice.exe
1708	msdtc.exe
2648	msiexec.exe
2124	OSE.EXE
3044	OSPPSVC.EXE
2308	perfhost.exe
1456	dllhost.exe
1612	mscorsvw.exe
3032	mscorsvw.exe
2092	mscorsvw.exe
2372	mscorsvw.exe
912	mscorsvw.exe
2744	mscorsvw.exe
2208	mscorsvw.exe
468	mscorsvw.exe
1752	mscorsvw.exe
2252	mscorsvw.exe
2328	mscorsvw.exe
556	mscorsvw.exe
2600	mscorsvw.exe
2508	mscorsvw.exe
2368	mscorsvw.exe
2764	mscorsvw.exe
2128	mscorsvw.exe
1096	mscorsvw.exe
1660	mscorsvw.exe
2936	mscorsvw.exe
1396	mscorsvw.exe
2800	mscorsvw.exe
296	mscorsvw.exe
2028	mscorsvw.exe
2376	mscorsvw.exe
2756	mscorsvw.exe
280	mscorsvw.exe
2100	mscorsvw.exe
1812	mscorsvw.exe
492	mscorsvw.exe
768	mscorsvw.exe
3048	mscorsvw.exe
2492	mscorsvw.exe
2460	mscorsvw.exe
2156	mscorsvw.exe
1512	mscorsvw.exe
2208	mscorsvw.exe
1684	mscorsvw.exe
2000	mscorsvw.exe
740	mscorsvw.exe
2152	mscorsvw.exe
1768	mscorsvw.exe
944	mscorsvw.exe
332	mscorsvw.exe
2772	mscorsvw.exe

Loads dropped DLL 51 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
476
476
476
476
476
476
476
2648	msiexec.exe
476
492	mscorsvw.exe
492	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
2460	mscorsvw.exe
2460	mscorsvw.exe
1512	mscorsvw.exe
1512	mscorsvw.exe
1684	mscorsvw.exe
1684	mscorsvw.exe
740	mscorsvw.exe
740	mscorsvw.exe
1768	mscorsvw.exe
1768	mscorsvw.exe
332	mscorsvw.exe
332	mscorsvw.exe
1396	mscorsvw.exe
1396	mscorsvw.exe
2100	mscorsvw.exe
2100	mscorsvw.exe
1792	mscorsvw.exe
1792	mscorsvw.exe
1796	mscorsvw.exe
1796	mscorsvw.exe
2548	mscorsvw.exe
2548	mscorsvw.exe
2688	mscorsvw.exe
2688	mscorsvw.exe
896	mscorsvw.exe
896	mscorsvw.exe
3028	mscorsvw.exe
3028	mscorsvw.exe
2760	mscorsvw.exe
2760	mscorsvw.exe
3000	mscorsvw.exe
3000	mscorsvw.exe
1600	mscorsvw.exe
1600	mscorsvw.exe
2236	mscorsvw.exe
2236	mscorsvw.exe
1760	mscorsvw.exe
1760	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

Processes:

64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exealg.exeGROOVE.EXEmscorsvw.exemscorsvw.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c2bea8e8c1bd2e0a.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\locator.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\msdtc.exe	64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe
File opened for modification	C:\Windows\system32\msiexec.exe	64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe
File opened for modification	C:\Windows\system32\locator.exe	64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\locator.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

Processes:

64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exealg.exemscorsvw.exemscorsvw.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_el.dll	64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_ja.dll	64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\psuser.dll	64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_ca.dll	64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\GoogleUpdateCore.exe	64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_pl.dll	64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_nl.dll	64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_fa.dll	64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe
File created	C:\Program Files (x86)\Google\Temp\GUM454.tmp\goopdateres_no.dll	64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exemsdtc.exealg.exe

description	ioc	process
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B22.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE3DA.tmp\Microsoft.Office.Tools.Common.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6A09.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7214.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6816.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6E3D.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6624E932-02AA-4F57-8241-5D167DF809E2}.crmlog	dllhost.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7011.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

mscorsvw.exeehRec.exemscorsvw.exeehRecvr.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ehRec.exe

pid process

1780 ehRec.exe

pid	process
1780	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exemsiexec.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2364	64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: 33	1732	EhTray.exe
Token: SeIncBasePriorityPrivilege	1732	EhTray.exe
Token: SeDebugPrivilege	1780	ehRec.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeRestorePrivilege	2648	msiexec.exe
Token: SeTakeOwnershipPrivilege	2648	msiexec.exe
Token: SeSecurityPrivilege	2648	msiexec.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: 33	1732	EhTray.exe
Token: SeIncBasePriorityPrivilege	1732	EhTray.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeDebugPrivilege	2700	alg.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeDebugPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	1560	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

1732 EhTray.exe
1732 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

1732 EhTray.exe
1732 EhTray.exe

pid	process
1732	EhTray.exe
1732	EhTray.exe

pid	process
1732	EhTray.exe
1732	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exe

description	pid	process	target process
PID 288 wrote to memory of 1612	288	mscorsvw.exe	mscorsvw.exe
PID 288 wrote to memory of 1612	288	mscorsvw.exe	mscorsvw.exe
PID 288 wrote to memory of 1612	288	mscorsvw.exe	mscorsvw.exe
PID 288 wrote to memory of 3032	288	mscorsvw.exe	mscorsvw.exe
PID 288 wrote to memory of 3032	288	mscorsvw.exe	mscorsvw.exe
PID 288 wrote to memory of 3032	288	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2092	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2092	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2092	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2092	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2372	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2372	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2372	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2372	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 912	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 912	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 912	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 912	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2744	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2744	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2744	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2744	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2208	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2208	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2208	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2208	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 468	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 468	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 468	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 468	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 1752	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 1752	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 1752	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 1752	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2252	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2252	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2252	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2252	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2328	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2328	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2328	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2328	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 556	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 556	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 556	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 556	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2600	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2600	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2600	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2600	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2508	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2508	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2508	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2508	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2368	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2368	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2368	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2368	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2764	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2764	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2764	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2764	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2128	1560	mscorsvw.exe	mscorsvw.exe
PID 1560 wrote to memory of 2128	1560	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe
"C:\Users\Admin\AppData\Local\Temp\64c52be4dbad4939c75853fad1379dc162f8c90d6dbad44953e71451a33031a6.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2584

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2916

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d0 -NGENProcess 1ec -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 240 -Pipe 238 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1dc -NGENProcess 1e4 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1e4 -NGENProcess 248 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d0 -NGENProcess 268 -Pipe 1dc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1d4 -NGENProcess 26c -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 268 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 240 -NGENProcess 1ec -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 274 -NGENProcess 1d4 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1e4 -NGENProcess 1ec -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 27c -NGENProcess 25c -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 1d4 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 280 -NGENProcess 27c -Pipe 1ec -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 26c -NGENProcess 1d4 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 28c -NGENProcess 1e4 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 294 -NGENProcess 27c -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 280 -NGENProcess 25c -Pipe 298 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1d4 -NGENProcess 288 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 29c -NGENProcess 27c -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 25c -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2376

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3032

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 1e0 -NGENProcess 204 -Pipe 1b8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2756

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 258 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:280

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 248 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2100

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 204 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1812

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 240 -Pipe 1ac -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:492

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 204 -NGENProcess 240 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:768

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 270 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:3048

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 264 -Pipe 230 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2492

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 240 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2460

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 240 -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2156

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 280 -NGENProcess 264 -Pipe 204 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1512

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 264 -NGENProcess 278 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2208

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 288 -NGENProcess 270 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 270 -NGENProcess 280 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2000

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 290 -NGENProcess 278 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:740

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 278 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2152

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 298 -NGENProcess 280 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1768

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 280 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:944

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:332

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2772

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a8 -NGENProcess 290 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1396

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 290 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
PID:2408

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2b0 -NGENProcess 298 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2100

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"
2⤵
PID:1684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b8 -NGENProcess 2a0 -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1792

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a0 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
2⤵
PID:740

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2c0 -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1796

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2a8 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
2⤵
PID:2352

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2c8 -NGENProcess 2b0 -Pipe 298 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2548

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b0 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
PID:2772

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2688

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
2⤵
PID:1624

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:896

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
PID:2380

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 2b0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3028

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2620

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"
2⤵
PID:1508

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2e4 -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
PID:628

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2c8 -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
PID:3060

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2c0 -NGENProcess 2e4 -Pipe 25c -Comment "NGen Worker Process"
2⤵
PID:2208

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2f8 -NGENProcess 2e8 -Pipe 1e0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e8 -NGENProcess 2f0 -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3000

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2f8 -NGENProcess 2e4 -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
PID:1540

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2d8 -NGENProcess 300 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1600

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
PID:2456

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 30c -NGENProcess 2e4 -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
PID:1268

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 308 -Pipe 304 -Comment "NGen Worker Process"
2⤵
PID:2840

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2e8 -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
PID:2532

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2e4 -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
PID:1224

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 308 -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
PID:1952

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2e8 -Pipe 300 -Comment "NGen Worker Process"
2⤵
PID:2972

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2e4 -Pipe 30c -Comment "NGen Worker Process"
2⤵
PID:2020

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 308 -Pipe 310 -Comment "NGen Worker Process"
2⤵
PID:1088

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2e8 -Pipe 314 -Comment "NGen Worker Process"
2⤵
PID:896

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2e4 -Pipe 318 -Comment "NGen Worker Process"
2⤵
PID:768

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 308 -Pipe 31c -Comment "NGen Worker Process"
2⤵
PID:740

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2e8 -Pipe 320 -Comment "NGen Worker Process"
2⤵
PID:2932

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2e4 -Pipe 318 -Comment "NGen Worker Process"
2⤵
PID:2152

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 308 -Pipe 328 -Comment "NGen Worker Process"
2⤵
PID:2140

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2e8 -Pipe 32c -Comment "NGen Worker Process"
2⤵
PID:668

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2e4 -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:1304

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 308 -Pipe 334 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2044

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 2e8 -Pipe 338 -Comment "NGen Worker Process"
2⤵
PID:2408

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2e4 -Pipe 33c -Comment "NGen Worker Process"
2⤵
PID:2400

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 348 -NGENProcess 308 -Pipe 35c -Comment "NGen Worker Process"
2⤵
PID:864

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 340 -NGENProcess 358 -Pipe 344 -Comment "NGen Worker Process"
2⤵
PID:1328

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 360 -NGENProcess 2e4 -Pipe 2fc -Comment "NGen Worker Process"
2⤵
PID:868

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 308 -Pipe 34c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2236

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 308 -NGENProcess 340 -Pipe 358 -Comment "NGen Worker Process"
2⤵
PID:268

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 36c -NGENProcess 2e4 -Pipe 354 -Comment "NGen Worker Process"
2⤵
PID:556

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 368 -Pipe 348 -Comment "NGen Worker Process"
2⤵
PID:912

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 340 -Pipe 360 -Comment "NGen Worker Process"
2⤵
PID:3024

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 308 -NGENProcess 2e4 -Pipe 37c -Comment "NGen Worker Process"
2⤵
PID:2548

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 350 -NGENProcess 378 -Pipe 364 -Comment "NGen Worker Process"
2⤵
PID:1780

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 380 -NGENProcess 340 -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
PID:1132

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 2e4 -Pipe 36c -Comment "NGen Worker Process"
2⤵
PID:628

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 378 -Pipe 370 -Comment "NGen Worker Process"
2⤵
PID:2576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 340 -Pipe 374 -Comment "NGen Worker Process"
2⤵
PID:2000

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 2e4 -Pipe 308 -Comment "NGen Worker Process"
2⤵
PID:3064

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 378 -Pipe 350 -Comment "NGen Worker Process"
2⤵
PID:2040

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 340 -Pipe 380 -Comment "NGen Worker Process"
2⤵
PID:3048

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 2e4 -Pipe 384 -Comment "NGen Worker Process"
2⤵
PID:896

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 394 -NGENProcess 3a4 -Pipe 398 -Comment "NGen Worker Process"
2⤵
PID:2176

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 388 -NGENProcess 2e4 -Pipe 38c -Comment "NGen Worker Process"
2⤵
PID:2888

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3a8 -NGENProcess 39c -Pipe 368 -Comment "NGen Worker Process"
2⤵
PID:2156

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 3a4 -Pipe 390 -Comment "NGen Worker Process"
2⤵
PID:1596

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 2e4 -Pipe 378 -Comment "NGen Worker Process"
2⤵
PID:1292

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 39c -Pipe 3a0 -Comment "NGen Worker Process"
2⤵
PID:1948

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 3a4 -Pipe 394 -Comment "NGen Worker Process"
2⤵
PID:3060

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 2e4 -Pipe 388 -Comment "NGen Worker Process"
2⤵
PID:2016

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3b0 -NGENProcess 39c -Pipe 3c4 -Comment "NGen Worker Process"
2⤵
PID:492

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3a8 -NGENProcess 3c0 -Pipe 3ac -Comment "NGen Worker Process"
2⤵
PID:2516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3c8 -NGENProcess 2e4 -Pipe 340 -Comment "NGen Worker Process"
2⤵
PID:1768

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 39c -Pipe 3b4 -Comment "NGen Worker Process"
2⤵
PID:320

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 3c0 -Pipe 3b8 -Comment "NGen Worker Process"
2⤵
PID:2288

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 2e4 -Pipe 3bc -Comment "NGen Worker Process"
2⤵
PID:2080

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 39c -Pipe 3b0 -Comment "NGen Worker Process"
2⤵
PID:2880

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 3c0 -Pipe 3a8 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1060

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3d0 -NGENProcess 2e4 -Pipe 3e4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d8 -NGENProcess 3c8 -Pipe 3dc -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2100

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 424 -NGENProcess 428 -Pipe 430 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1028

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2484

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:768

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1732

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:408

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1536

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:900

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1264

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1708

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2124

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:3044

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2308

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1456

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
ef6b55409a1a287f3a05e0575c6f512e

SHA1
94a1200d29ae34fa5aa837eb06e3ceb52fbb2311

SHA256
d1fee0d17a78dfa7f299ab34171aec5524c560b3c9a8ecad76fdcc118f8f0f4e

SHA512
e7300eef29ceddb2fe9642f93cf0ad3c190fe06f7e61b07a6d74c4abf063bab7920e22addc43f8537f93210cd1042b72a5bfc617c3c6542cdfd38770cf638efd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
de189c6c162fe3f9a21ac361deed60eb

SHA1
210402d60b64e8b63e7c7a801c875029ca96ae58

SHA256
528135385410641a979fe5f0f5fe53a6a4f97e35d0870cd47af51630dcc0c651

SHA512
ecf3aa9cff9b7c95c13181b59c4d94a0ee850f5790a48cab0d546118bdca0ac77712ad834d878f113e661b86a491ec84abe2d49bfbd3a9bf8538bd66d07967dc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
b1af88ff1531d971729f4dac4425d5a4

SHA1
21b2b34e7df824f31d690a4e89c97124c8732863

SHA256
7ee232b12b73364429b4519d64a0ff1d8f4ad478150f33ee895994623bb40d6b

SHA512
2e345eab0064d569fc5b319627634639b2aa1b82038c2507bc0fa62e4c82faf427544d7ac4a29d2ad3be18d40d0bde1568b2ec27fa5ab5773429ef57b2ecaee4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
e0e0a99c0708fc73660fcc57f8187ebf

SHA1
e349a75b3f34c7e86c513d3d25096e6cf73c74c4

SHA256
daf42276267da255749d5efb58a44a9b842647f0cea3ba0fc7ab8492a3ad5df1

SHA512
620ce603c3b631564de6e005ba4a3b900e74c78403f57acfa73475b3a0d739bc1ef644e590e20b1a98935caf685c806c264c6fff4ffca1ca7682cf6d8a2a17e4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
b2fdaf19143e64d2c6d076fed2277a0d

SHA1
2f864522e00f13698b877e28c608e73e6f90a7c3

SHA256
1c5fa8c069b5628fa6e49c6e344f5bc47580ba936caecb40714cea693d299fec

SHA512
51a7f21c12315ef102e5834e3875b23ddddc7ea88f445a667c6c30aa2d35883b4661f1646123bb9b1a31de6774dc47b3f0217bd25fda288d8fe0477af7328c0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
1.3MB

MD5
1348b231b068b93fc1baa6377a5cf35e

SHA1
f50df6fb066b7cd5576183989cf77f4c6a11a70c

SHA256
0a4d2b9b670194b02329cbc0cdf30e176bd14318eeffd0a8203cc3618300e368

SHA512
f4e3362dd1ead2811902930e1af315a34363c215fd5fe5e5be2c63dcf06d6e0f7c00395daca9b7dad7d230d3f013e218e2dccb64e4955b562b3230ee577ae41d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
c21adf66c7358294be7806f9e8241074

SHA1
97c1a84f7620a33f232d32adaed1bee2c4e798e1

SHA256
6f30767c7375fcc95171f2b13a073eeca90d8623dcfb4fe90e7f7a8f6fef5c2c

SHA512
d699071a41c38474380d91a98eb3f2b147bca9093249359da4dcdf296d90dbc2f876183bfb5cd54cfd2d0a30aca5450ef7b67c7ce0a092cdba514e179aac8ee8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
1.3MB

MD5
3977dbd58e46c8e80526f4618f20f314

SHA1
56e61ce182d545d7b3ce90212e6d8f94d21e5c92

SHA256
ec7e23e041e855f06ce507cce944ae9376cb19a7d3ffc3f907d4c8a60872ab6b

SHA512
7b00019592c62923d75b8413d9034ac56c84c13d42d434771b79ca9c1bc37de71f862f0d95aad38c5b71125fc1a371c8cd433dcfa8077e98ab3a6402f191305c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
db4fde598cf0047815f6b5dfc745e0a7

SHA1
0d09f46336365f45121aae126034977e623cf593

SHA256
bfbd2910929d08862792392694f7d3991f99400d5f6a58336bf32c9282354ee7

SHA512
e559ea2e6c9059f83965f250119912df83424eb8a661b44012a109d1e91647d4c63f014868f4f166132e4739c470a4155b43e97d13684a613aa850e3afe2855a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
1.3MB

MD5
54bddae96d55e986d3726564ce19cee1

SHA1
6c3b0fd9fa3339d46f0265c1d2b8e1478586b231

SHA256
dc3c9b3018b22158f37ba2fd14409fa2ca36dac93af52430323800c471a04f7c

SHA512
971822ddfcc7db2e01b5a9f5bef0e49fad897fd2161cb56eeb320343d6bb3f4b0167ceb889aef609c356f6f7453b613ba3f24ea073ab0ee56224652e1814ca13

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
cdb6e05c0798ef73da9abd81f5b7487f

SHA1
8414809dfaedd7e41575ac39e8cfbced630b9c6f

SHA256
9ff02b486a976cd93ce114f6aba7cd3cbd4500e43cfc9dede77957c54141fc07

SHA512
e4714c47692584a3d43514d6fe7886a0df870ee90230ed4ae7cca823d4b25ac5129d38735b1c6195353c40919018575494b79f3411e8b80ef548f3fa724d5dd9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
1.3MB

MD5
a5943b981bd6a8add4f10afec0433e50

SHA1
07de21264541b0d204e384dd5274c1b57d14dc60

SHA256
184a08dd77a56e28200118e02cf7f21f7402e5b2a3bf1de53911501ade6684e1

SHA512
09e577c95ef0150fe7a78931279e60a4e9bf6bccc2d27e559125b4e9687b722f51d1929f04af9d74aacc3d801ea18cd8df911d0969771cb6ae9fe7ee25aa8858

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
fcb213b7cdd090a63ed0fd0537ca2dde

SHA1
419cab471b51321924ef91ea6534cedcd2bf380a

SHA256
ced6c7f81a6fc5c051b77ad5d050cbce366ce1f89521d0ff58aa53a6f83c9878

SHA512
611b12cf3da2451a76d34a93d82a357d9a42606b77b0021915f28bced8d30b530bbd6e295a663b512ff4aee8b6122bd12fcc3423c6644bd51d282718a2d8359c

Download Submit
C:\Windows\System32\dllhost.exe
Filesize
1.2MB

MD5
eab883c4a99e21c42f9e2a5316024742

SHA1
9a3ef69217d819b80f805737af5a1d4091b2ee29

SHA256
3ba7b27c7bf7b7f5c0913bb8df02f417c0540a491cb1b85ff63cabc22f1dcdb1

SHA512
e9d1f401ddb350cbbbf8b94f1588577973454fff7c00fc5a7a665886c1e69f90937470706e56f193715336b0ef608b621ce23ece5dfe1ad948b8342c013ff272

Download Submit
C:\Windows\System32\ieetwcollector.exe
Filesize
1.3MB

MD5
f187b20eb1e4063a0fac72f865d12660

SHA1
bba226dca9f10dced2deee827b8fe57ba54a4488

SHA256
5ba1de966f2bda24fcc24fbffdcac39f2e5f43858bebbcc99d100373fefdb1ea

SHA512
f488dbcbfa500a48bf16a26995c61782d725e0c90e6b0aa34ec72068104a14ee506bd3c3778f91f02b6084302050329fb637beb70cb89b7faf18e0869221b526

Download Submit
C:\Windows\Temp\CabE39B.tmp
Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarB2A.tmp
Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll
Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\301c284318f3fa22c76f591267a2371c\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
271KB

MD5
e5880e282885ec690f9857654d35fd5d

SHA1
4b3ff0908e31cc1c8c303534670ab88909970fa3

SHA256
b620757497d47a84d26aaebc17f23e9bb2fa32d415f243d722e32366978cf8fc

SHA512
9a8ab754145da751dd1c1cc2fe8cf6a8cc9fa9eda51292169f0cb1bf1eb7b1edd20f4f5b3dcfe40a856d8a70d622c3a1a2e400b8074d4f95834dfbc90f686e25

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\3b261fbe78bf80dacb88c05102bfe664\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
122KB

MD5
450ae06441b3562231ba6a6177541f1c

SHA1
5d38c606889fa5aeda8eda4af629f56550494499

SHA256
1f0888fc17ed8ca2726239f2c221f82ae3d4839870da07052adfa55e993cc30a

SHA512
df25c75d5ddac09e2d6fb28538eb4dea024a4a13a9d96bf098f6bee57910693bfc31fc02dc4aa073969371199fd9990aff3d6bcc36a218969371bc20da0f6278

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\f8f7cb1380684d175d41450c98b26674\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
305KB

MD5
d5a222a0f82ce23feeaf3c530f5b7440

SHA1
edf8f83be8e7d97011f030fad982ac9824dfe19d

SHA256
9d4e3f50a35ee645664b01cc009b1fdef0359701615d3457ab10a4e726b56a1f

SHA512
f6bbff03c56d58bee299f6f2d8efc10733debae78237940ba716d496192cdf9ae6f16e59e5a73888750a2a8070785cd6bf6003ba74303d0ce4a5a7da21d25f39

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fd0f9e587d80c2041a6e3970ad7df6d4\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
221KB

MD5
628161b3ee2d5e8e16949c1ab8ba8c17

SHA1
367839e4e28b828b59babbb628e82ef752775199

SHA256
6bfe7683a1f58477cf131614f5936cfa4be80effcb7342d37b2305e9c85bc91f

SHA512
7f91b2bf2be23a094428cf363d923b23bcdc8af5e796014ae7328d1ef3f0b15f2d1db1ee31c3d8809415e677dffb44ebf1902a09fe924453f815a3f66edcb4ee

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll
Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll
Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll
Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
5778d414b1478c18b27cbb5206210256

SHA1
a038100919c0e6a598232244f2050dd03eb23fcf

SHA256
b808aa8235759fa618c6991799370dd20f405f1fc5e536068313f8d44291e51a

SHA512
63986ce9acbac9fc0c5b61f3be3f56999a1895a101c88802cc1ea12003cf78590ff5da5daf722db8ba4c721f78b4d7dda99fe3b6cf6dd8eff9f4a7c234711932

Download Submit
C:\Windows\ehome\ehsched.exe
Filesize
1.3MB

MD5
bb6351637da2454fbc3c19bcd1cca5d2

SHA1
aaa595c52f6aca8185735ef89b36f8ac01c8cc21

SHA256
448b3c2391017f0b61b8ddf7c78e8e78f66b846e271886f9ea80526d3772edbc

SHA512
3490872bb95bf6ba5ee0bd9a0b23a63a81c9acc8cd926a75a6781175e700c60e107048199c026373a10369b9e700b641fd1df0483666b07acde549111ed1c5c8

Download Submit
C:\Windows\system32\fxssvc.exe
Filesize
1.2MB

MD5
7ec0997a6a87a6107c931e1a04d846a1

SHA1
93fbdd32f043e992bdc13e11249a6183648239b0

SHA256
95aa1b4573c06839d710fd0fb054b0f6d161b99bd8fef9b0d8e12c9c79b9af25

SHA512
b99760d01d691ee6b0270b0afafd09a9d3ca8d865bfe23acc7654418dc1bfee58bdb6475b05cea013739f446c7100d02bef46fff5e4ed9a7bfe856484e940dfb

Download Submit
C:\Windows\system32\locator.exe
Filesize
1.2MB

MD5
e39e770e93ecb3fb6d259d766f36543d

SHA1
40a98737430d41430c02e6bb6e949feed169c123

SHA256
9c3de97ebb8b1f3f81fb2eeaa65d2b9693cca619ccde5c3a88963da409789759

SHA512
d515861be5d0ac8359fcbc075ac0ede46fb58e57573cf7775be6a57023fddbb151637013eb0b482e0ead26b3d24f1cede033a9ece5b3642e97575bb8b7dfa850

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
1.3MB

MD5
53ab8c379f4c0b6839497e30af2a1986

SHA1
bf99ee22e43a54ccd07884aeaf615a44f6ca2d72

SHA256
0bddb27736325b93fd15df1f1b4eff2fec56094c3cc3f75e3223a9b1a8da4d70

SHA512
1ae3ca01bb8833f9a05393a257b0d2cd6a79f155c7c676a2c3595a076f3a67f32c4cfcbc3a1192346d7502bc4517e264a13175563881dbd211f763ac96b12e56

Download Submit
\Windows\System32\alg.exe
Filesize
1.3MB

MD5
8f0c70f05def838db76d1613cc2e4093

SHA1
4690e128340030cbc1bb5980442142fa2329cffc

SHA256
0d654e75d352bf039f2f6d42a8ad0289b9503906fd10c031d3aec2b1a0ab6ec1

SHA512
f92b9580c7a392ecdaf2d8d0abcba30398f1e9fd643a92f5c8466f17760a65ee5f013179c4b4f47fcac6c99f68a90426198c70aac9610ac709492c78d5c1c10f

Download Submit
\Windows\System32\msdtc.exe
Filesize
1.4MB

MD5
80876659142eeeff64a74bcc3fe4112f

SHA1
7fd06a941ff36e0ac8c24890b4f17a196e18d653

SHA256
718a26f0d2f71dec1740772194288d00ba4a06af5a6a6b5b04f24fb34bb75a3e

SHA512
d9bfc183893173fe6c4cc382389d4bfb58b0782b1439fa9d88a34038535397f9e7d16b8b0853075d05973e64102c29b0d3938402cce2f50f05f1c22fb6a1d7c6

Download Submit
\Windows\System32\msiexec.exe
Filesize
1.3MB

MD5
d0ba24bd378be86dbd291768eb7b6a08

SHA1
9197ff75c9a8dbbe5085b62f5ef6f2f99d2418c7

SHA256
fec1d27292145678763b837186960fcd9be8a42a597099fe1f0f2505d950b964

SHA512
12a202d7e1aeb1465a8208c0fc30f0da6ce3b159c231bcf338f25c8440c38bee0c4d1b8d7c4b8ae31d2f71080cd52d2fdb31e140e638218057e1b190f160d3b2

Download Submit
memory/280-902-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/280-905-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/288-137-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/288-144-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/288-254-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/288-138-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/296-839-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/296-835-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/408-186-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/408-294-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/408-192-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/408-193-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/468-657-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/468-629-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/556-706-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/556-697-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/768-180-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/768-181-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/768-281-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/768-867-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/768-174-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/900-218-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/900-441-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/912-569-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/912-592-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1096-787-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1264-228-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1264-247-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1396-815-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1456-380-0x0000000100000000-0x0000000100141000-memory.dmp

Filesize
1.3MB

Download
memory/1456-667-0x0000000100000000-0x0000000100141000-memory.dmp

Filesize
1.3MB

Download
memory/1524-113-0x0000000010000000-0x0000000010153000-memory.dmp

Filesize
1.3MB

Download
memory/1524-168-0x0000000010000000-0x0000000010153000-memory.dmp

Filesize
1.3MB

Download
memory/1536-870-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1536-199-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1536-381-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1560-122-0x0000000000560000-0x00000000005C6000-memory.dmp

Filesize
408KB

Download
memory/1560-251-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1560-121-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1560-127-0x0000000000560000-0x00000000005C6000-memory.dmp

Filesize
408KB

Download
memory/1612-465-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1612-445-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1660-800-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1708-536-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/1708-235-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/1752-652-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1752-662-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1812-925-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2028-845-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2028-851-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2092-523-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2092-541-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2100-920-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2124-276-0x000000002E000000-0x000000002E161000-memory.dmp

Filesize
1.4MB

Download
memory/2128-767-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2128-764-0x0000000003DD0000-0x0000000003E8A000-memory.dmp

Filesize
744KB

Download
memory/2208-607-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2208-632-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2252-669-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2252-690-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2308-302-0x0000000001000000-0x0000000001142000-memory.dmp

Filesize
1.3MB

Download
memory/2308-651-0x0000000001000000-0x0000000001142000-memory.dmp

Filesize
1.3MB

Download
memory/2328-702-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2328-687-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2364-8-0x0000000000370000-0x00000000003D6000-memory.dmp

Filesize
408KB

Download
memory/2364-1-0x0000000000370000-0x00000000003D6000-memory.dmp

Filesize
408KB

Download
memory/2364-376-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2364-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2364-171-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2368-738-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2368-744-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2372-570-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2376-862-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2376-859-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2484-173-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/2484-164-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2484-158-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2484-157-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2484-172-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2484-875-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2484-266-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2508-725-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2508-732-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2584-210-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2584-82-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2600-728-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2600-712-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2648-252-0x0000000100000000-0x000000010015E000-memory.dmp

Filesize
1.4MB

Download
memory/2648-263-0x0000000000610000-0x000000000076E000-memory.dmp

Filesize
1.4MB

Download
memory/2648-561-0x0000000100000000-0x000000010015E000-memory.dmp

Filesize
1.4MB

Download
memory/2648-583-0x0000000000610000-0x000000000076E000-memory.dmp

Filesize
1.4MB

Download
memory/2700-198-0x0000000100000000-0x0000000100150000-memory.dmp

Filesize
1.3MB

Download
memory/2700-13-0x0000000000470000-0x00000000004D0000-memory.dmp

Filesize
384KB

Download
memory/2700-21-0x0000000100000000-0x0000000100150000-memory.dmp

Filesize
1.3MB

Download
memory/2700-22-0x0000000000470000-0x00000000004D0000-memory.dmp

Filesize
384KB

Download
memory/2744-591-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2744-606-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2756-901-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2764-756-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2800-821-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2800-827-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2916-99-0x0000000000270000-0x00000000002D6000-memory.dmp

Filesize
408KB

Download
memory/2916-151-0x0000000010000000-0x000000001014B000-memory.dmp

Filesize
1.3MB

Download
memory/2916-106-0x0000000000270000-0x00000000002D6000-memory.dmp

Filesize
408KB

Download
memory/2916-98-0x0000000010000000-0x000000001014B000-memory.dmp

Filesize
1.3MB

Download
memory/2936-798-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2936-804-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3032-460-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3032-511-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3044-290-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/3044-626-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download