a4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182.exe
Size

1.8MB
MD5

8608a755da80d3364f675aa40ba4a562
SHA1

838b79e8ef2703db1fc7ee424655c2b955cfda53
SHA256

a4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182
SHA512

5f34d69b1b0fea97d410c2352a33df8d2949047a6c55ee463ff122dd18aa0d0130213bb1c2df3a2f37b9f3a76aaf9ea2f35b017499a2a022f16b048d1f48385e
SSDEEP

49152:ex5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA+Dmg27RnWGj:evbjVkjjCAzJrD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exeGROOVE.EXEmaintenanceservice.exemsdtc.exemsiexec.exeOSE.EXEOSPPSVC.EXEperfhost.exelocator.exesnmptrap.exevds.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
476
2836	alg.exe
2636	aspnet_state.exe
2344	mscorsvw.exe
2004	mscorsvw.exe
2732	mscorsvw.exe
1688	mscorsvw.exe
2852	ehRecvr.exe
2144	ehsched.exe
828	elevation_service.exe
280	IEEtwCollector.exe
568	GROOVE.EXE
2932	maintenanceservice.exe
1664	msdtc.exe
2620	msiexec.exe
2740	OSE.EXE
340	OSPPSVC.EXE
2728	perfhost.exe
1656	locator.exe
2972	snmptrap.exe
2744	vds.exe
268	dllhost.exe
2692	mscorsvw.exe
2616	mscorsvw.exe
1880	mscorsvw.exe
2656	mscorsvw.exe
2536	mscorsvw.exe
2700	mscorsvw.exe
664	mscorsvw.exe
2240	mscorsvw.exe
2308	mscorsvw.exe
2984	mscorsvw.exe
2064	mscorsvw.exe
1148	mscorsvw.exe
2848	mscorsvw.exe
1764	mscorsvw.exe
2616	mscorsvw.exe
2788	mscorsvw.exe
2552	mscorsvw.exe
320	mscorsvw.exe
2256	mscorsvw.exe
316	mscorsvw.exe
2208	mscorsvw.exe
1004	mscorsvw.exe
3064	mscorsvw.exe
2576	mscorsvw.exe
2884	mscorsvw.exe
2908	mscorsvw.exe
664	mscorsvw.exe
1280	mscorsvw.exe
2644	mscorsvw.exe
1484	mscorsvw.exe
1872	mscorsvw.exe
2064	mscorsvw.exe
2196	mscorsvw.exe
852	mscorsvw.exe
2964	mscorsvw.exe
1692	mscorsvw.exe
1304	mscorsvw.exe
1368	mscorsvw.exe
1704	mscorsvw.exe
1696	mscorsvw.exe
2416	mscorsvw.exe
2952	mscorsvw.exe

Loads dropped DLL 53 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
476
476
476
476
476
476
476
2620	msiexec.exe
476
476
476
1484	mscorsvw.exe
1484	mscorsvw.exe
2064	mscorsvw.exe
2064	mscorsvw.exe
852	mscorsvw.exe
852	mscorsvw.exe
1692	mscorsvw.exe
1692	mscorsvw.exe
1368	mscorsvw.exe
1368	mscorsvw.exe
1696	mscorsvw.exe
1696	mscorsvw.exe
2952	mscorsvw.exe
2952	mscorsvw.exe
2656	mscorsvw.exe
2656	mscorsvw.exe
3012	mscorsvw.exe
3012	mscorsvw.exe
1416	mscorsvw.exe
1416	mscorsvw.exe
1696	mscorsvw.exe
1696	mscorsvw.exe
2640	mscorsvw.exe
2640	mscorsvw.exe
320	mscorsvw.exe
320	mscorsvw.exe
1508	mscorsvw.exe
1508	mscorsvw.exe
2332	mscorsvw.exe
2332	mscorsvw.exe
1556	mscorsvw.exe
1556	mscorsvw.exe
1444	mscorsvw.exe
1444	mscorsvw.exe
2696	mscorsvw.exe
2696	mscorsvw.exe
2852	mscorsvw.exe
2852	mscorsvw.exe
1148	mscorsvw.exe
1148	mscorsvw.exe
2540	mscorsvw.exe
2540	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 19 IoCs

Processes:

a4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182.exemscorsvw.exemsdtc.exealg.exemscorsvw.exeGROOVE.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	a4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182.exe
File opened for modification	C:\Windows\System32\msdtc.exe	a4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\locator.exe	a4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182.exe
File opened for modification	C:\Windows\System32\vds.exe	a4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	a4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182.exe
File opened for modification	C:\Windows\system32\msiexec.exe	a4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	a4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	a4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\748b5e48c1bd2e0a.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\snmptrap.exe	a4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

mscorsvw.exealg.exemscorsvw.exea4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMED0.tmp\goopdateres_ko.dll	a4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMED0.tmp\goopdateres_en.dll	a4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMED0.tmp\goopdateres_bg.dll	a4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUMED0.tmp\goopdateres_gu.dll	a4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exea4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6C1B.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7233.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA94A.tmp\ehiActivScp.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7520.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	a4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP732D.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	a4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{40296AF7-C097-4144-94C6-B36E44BADB93}.crmlog	dllhost.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6F95.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7723.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	a4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP75DB.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP785B.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB4ED.tmp\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.dll	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehRec.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "mscorsvw.exe"	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ehRec.exe

pid process

1800 ehRec.exe

pid	process
1800	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

a4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exemsiexec.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2440	a4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: 33	2296	EhTray.exe
Token: SeIncBasePriorityPrivilege	2296	EhTray.exe
Token: SeDebugPrivilege	1800	ehRec.exe
Token: SeRestorePrivilege	2620	msiexec.exe
Token: SeTakeOwnershipPrivilege	2620	msiexec.exe
Token: SeSecurityPrivilege	2620	msiexec.exe
Token: 33	2296	EhTray.exe
Token: SeIncBasePriorityPrivilege	2296	EhTray.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeDebugPrivilege	2836	alg.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeDebugPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	1688	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

2296 EhTray.exe
2296 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

2296 EhTray.exe
2296 EhTray.exe

pid	process
2296	EhTray.exe
2296	EhTray.exe

pid	process
2296	EhTray.exe
2296	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exe

description	pid	process	target process
PID 1688 wrote to memory of 2692	1688	mscorsvw.exe	mscorsvw.exe
PID 1688 wrote to memory of 2692	1688	mscorsvw.exe	mscorsvw.exe
PID 1688 wrote to memory of 2692	1688	mscorsvw.exe	mscorsvw.exe
PID 1688 wrote to memory of 2616	1688	mscorsvw.exe	mscorsvw.exe
PID 1688 wrote to memory of 2616	1688	mscorsvw.exe	mscorsvw.exe
PID 1688 wrote to memory of 2616	1688	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 1880	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 1880	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 1880	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 1880	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2656	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2656	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2656	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2656	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2536	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2536	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2536	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2536	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2700	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2700	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2700	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2700	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 664	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 664	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 664	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 664	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2240	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2240	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2240	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2240	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2308	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2308	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2308	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2308	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2984	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2984	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2984	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2984	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2064	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2064	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2064	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2064	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 1148	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 1148	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 1148	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 1148	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2848	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2848	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2848	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2848	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 1764	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 1764	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 1764	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 1764	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2616	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2616	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2616	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2616	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2788	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2788	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2788	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2788	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2552	2732	mscorsvw.exe	mscorsvw.exe
PID 2732 wrote to memory of 2552	2732	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182.exe
"C:\Users\Admin\AppData\Local\Temp\a4376706a74b6ed61b14c3dbc4b50b8f65736c3d76481b586b33f80ec809b182.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2344

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 240 -NGENProcess 1ec -Pipe 238 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 244 -NGENProcess 1dc -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 244 -NGENProcess 240 -Pipe 1ec -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1d0 -NGENProcess 1dc -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1d4 -NGENProcess 264 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1dc -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 270 -NGENProcess 258 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 248 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 250 -NGENProcess 1dc -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 258 -NGENProcess 278 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 260 -NGENProcess 27c -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 270 -NGENProcess 1dc -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 25c -NGENProcess 268 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 288 -NGENProcess 27c -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 1dc -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 268 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 27c -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 1dc -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 27c -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 29c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2884

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2692

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2616

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1e0 -NGENProcess 204 -Pipe 1b8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2908

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 254 -NGENProcess 1d8 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:664

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 244 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1280

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 204 -Pipe 224 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2644

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1d8 -Pipe 1ac -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1484

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 204 -NGENProcess 1d8 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1872

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 26c -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2064

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 260 -NGENProcess 258 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2196

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 278 -NGENProcess 248 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:852

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 270 -NGENProcess 280 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2964

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1e0 -NGENProcess 248 -Pipe 204 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1692

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 248 -NGENProcess 27c -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1304

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 288 -NGENProcess 280 -Pipe 238 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1368

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 280 -NGENProcess 1e0 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1704

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 290 -NGENProcess 27c -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1696

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 27c -NGENProcess 288 -Pipe 294 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2416

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 298 -NGENProcess 1e0 -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2952

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 1e0 -NGENProcess 290 -Pipe 258 -Comment "NGen Worker Process"
2⤵
PID:2676

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2656

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"
2⤵
PID:2896

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a8 -NGENProcess 290 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3012

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2a0 -NGENProcess 2b0 -Pipe 288 -Comment "NGen Worker Process"
2⤵
PID:972

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 1d8 -NGENProcess 290 -Pipe 1e0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1416

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a0 -NGENProcess 2b8 -Pipe 2ac -Comment "NGen Worker Process"
2⤵
PID:2812

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 248 -NGENProcess 290 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1696

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2a0 -NGENProcess 2c0 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
PID:1444

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 298 -NGENProcess 290 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2640

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 290 -NGENProcess 248 -Pipe 2bc -Comment "NGen Worker Process"
2⤵
PID:1100

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2c8 -NGENProcess 2c0 -Pipe 2b4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:320

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2b0 -NGENProcess 2c0 -Pipe 2cc -Comment "NGen Worker Process"
2⤵
PID:628

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 1d8 -NGENProcess 2d0 -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1508

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 2d0 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
PID:2128

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2332

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 1d8 -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
PID:2696

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2c4 -Pipe 2b0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1556

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c4 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1380

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e8 -NGENProcess 1d8 -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
PID:908

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2e4 -Pipe 298 -Comment "NGen Worker Process"
2⤵
PID:2560

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
PID:580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2c4 -NGENProcess 1d8 -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
PID:3064

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2b8 -NGENProcess 2f4 -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1444

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2f4 -NGENProcess 2f0 -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2696

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f0 -NGENProcess 248 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
PID:576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 304 -NGENProcess 2fc -Pipe 2ec -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2852

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 300 -Comment "NGen Worker Process"
2⤵
PID:316

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 30c -NGENProcess 248 -Pipe 2b8 -Comment "NGen Worker Process"
2⤵
PID:2800

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 308 -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
PID:1580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2f4 -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
PID:1644

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 248 -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
PID:1784

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 308 -Pipe 304 -Comment "NGen Worker Process"
2⤵
PID:1764

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2f4 -Pipe 2fc -Comment "NGen Worker Process"
2⤵
PID:940

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 318 -NGENProcess 328 -Pipe 31c -Comment "NGen Worker Process"
2⤵
PID:1672

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 30c -NGENProcess 2f4 -Pipe 310 -Comment "NGen Worker Process"
2⤵
PID:2420

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2f4 -NGENProcess 248 -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:560

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2e4 -NGENProcess 32c -Pipe 314 -Comment "NGen Worker Process"
2⤵
PID:1612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 334 -NGENProcess 318 -Pipe 308 -Comment "NGen Worker Process"
2⤵
PID:2692

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 248 -Pipe 320 -Comment "NGen Worker Process"
2⤵
PID:584

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 32c -Pipe 324 -Comment "NGen Worker Process"
2⤵
PID:2296

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 318 -Pipe 30c -Comment "NGen Worker Process"
2⤵
PID:1724

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 248 -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
PID:2316

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 32c -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
PID:2560

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 318 -Pipe 334 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1532

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 248 -Pipe 338 -Comment "NGen Worker Process"
2⤵
PID:2952

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 32c -Pipe 33c -Comment "NGen Worker Process"
2⤵
PID:2160

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 318 -Pipe 340 -Comment "NGen Worker Process"
2⤵
PID:1840

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 34c -NGENProcess 248 -Pipe 360 -Comment "NGen Worker Process"
2⤵
PID:1308

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 344 -NGENProcess 35c -Pipe 348 -Comment "NGen Worker Process"
2⤵
PID:1368

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 364 -NGENProcess 318 -Pipe 328 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1148

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 318 -NGENProcess 34c -Pipe 248 -Comment "NGen Worker Process"
2⤵
PID:320

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 36c -NGENProcess 35c -Pipe 354 -Comment "NGen Worker Process"
2⤵
PID:3048

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 368 -Pipe 358 -Comment "NGen Worker Process"
2⤵
PID:2820

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 370 -NGENProcess 34c -Pipe 374 -Comment "NGen Worker Process"
2⤵
PID:2196

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 378 -NGENProcess 35c -Pipe 350 -Comment "NGen Worker Process"
2⤵
PID:2676

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 368 -Pipe 364 -Comment "NGen Worker Process"
2⤵
PID:1916

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 34c -Pipe 318 -Comment "NGen Worker Process"
2⤵
PID:280

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 35c -Pipe 36c -Comment "NGen Worker Process"
2⤵
PID:1680

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 368 -Pipe 344 -Comment "NGen Worker Process"
2⤵
PID:2536

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 34c -Pipe 370 -Comment "NGen Worker Process"
2⤵
PID:2576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 35c -Pipe 378 -Comment "NGen Worker Process"
2⤵
PID:892

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 398 -NGENProcess 368 -Pipe 394 -Comment "NGen Worker Process"
2⤵
PID:1340

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 37c -NGENProcess 32c -Pipe 34c -Comment "NGen Worker Process"
2⤵
PID:2748

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 39c -NGENProcess 388 -Pipe 380 -Comment "NGen Worker Process"
2⤵
PID:2156

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 368 -Pipe 384 -Comment "NGen Worker Process"
2⤵
PID:1980

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 32c -Pipe 38c -Comment "NGen Worker Process"
2⤵
PID:2812

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 388 -Pipe 390 -Comment "NGen Worker Process"
2⤵
PID:2196

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 368 -Pipe 398 -Comment "NGen Worker Process"
2⤵
PID:2560

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 32c -Pipe 37c -Comment "NGen Worker Process"
2⤵
PID:2372

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 388 -Pipe 39c -Comment "NGen Worker Process"
2⤵
PID:2456

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 368 -Pipe 3a0 -Comment "NGen Worker Process"
2⤵
PID:1476

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 32c -Pipe 3a4 -Comment "NGen Worker Process"
2⤵
PID:2100

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 388 -Pipe 3a8 -Comment "NGen Worker Process"
2⤵
PID:1880

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 368 -Pipe 3ac -Comment "NGen Worker Process"
2⤵
PID:1616

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 32c -Pipe 3b0 -Comment "NGen Worker Process"
2⤵
PID:2868

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 388 -Pipe 3b4 -Comment "NGen Worker Process"
2⤵
PID:2616

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 368 -Pipe 3b8 -Comment "NGen Worker Process"
2⤵
PID:1488

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 32c -Pipe 3bc -Comment "NGen Worker Process"
2⤵
PID:1808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 388 -Pipe 3c0 -Comment "NGen Worker Process"
2⤵
PID:552

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 368 -Pipe 3c4 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2596

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 32c -Pipe 3c8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2540

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3cc -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:448

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 41c -NGENProcess 420 -Pipe 428 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:692

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2852

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2144

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2296

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:828

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:280

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:568

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2932

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1664

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2740

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:340

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2728

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1656

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2972

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2744

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:268

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
706KB

MD5
d000e0e9f43eba8df766216588384fc6

SHA1
5d60ff55d4576bdec2a003738b7db84a00ab8541

SHA256
ec545ba65ad4a06eff970cb2600fc4f64a90f22e75623bd32d2a075b5376c1ec

SHA512
9fc9b2df0b6ed9b4ad617211ffe8f8ef1765ac119227819ee7f17c62979dbaa5b69be97d68a70bfc7e9f55c2dc2e2ff411e74679515383e74ed133dd08dbf53f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
e9f8cbc319b4d50708262988f488b70d

SHA1
32cc2faf35f969ed9d37115f6a89cbd1fa08d5c4

SHA256
2488ad1a3bea21f03a51acf2e9e7352f733a9dbb0224a56c706ee8cc193f4da1

SHA512
49481186315ee6a59e99e3d5f9f4beaaf25b4edefcd6c58fac99c055f89276d5010b85e2d8091bdde96ac50940c7ff9b56ae502c013b4acf08954e858ee89886

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
b997cd96734223720f2066f8be807bb4

SHA1
0c05a0eb87e5c4edb0df3521d8edf5d858ac9ebe

SHA256
d0cfc0316328277cc7efe236eeb0fb6bf029ebb4900e0d4e583124da96937e5d

SHA512
10e7a730d70a2656b00da67d0f3bfc4f9b181b7b002b59945a8e76a079ed8014c87ac2b6e09ddc5f8c5a16eb7c616308422637de93d57d071bd3aef623e1f2fe

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
2b1c0f59949d3323ca3fbb1fa28fcf80

SHA1
1e1efcf3764659fb53bb797214a4b98cb236fba2

SHA256
3a9ffe14c66dc92c2dff4c2fcf62aa081a5a2fb2ec01f9707d712c7d96f35ea4

SHA512
217205cb4319b1860dd57f23d9951f31eef32668a978ead6afb869aa166039cf0455c53f227daf3c30e3e85ab3c0699fc71511c22c576a1c838860ee419337e2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
2e1a7cb64aeee5370cef9049f8855e69

SHA1
4d28834de175500531526b93bc7ee6895c9ccde9

SHA256
18d63231f2a1d2dc85ddefd3ba56a7c5c3fd4fd2d54cfd6f58c06006beb6bba9

SHA512
dc24fee4e6010567d1407413ed5b27ed8ff04bb4b595538bcadb09c46c608a312b7c450f70085a49564f38ece47fbc0a71e9ea589e590c0cc134934aac7cab12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
e93001b715f1148727092f981b9ee7e1

SHA1
2bf48dad00b972246494b773e56e24e71daadc72

SHA256
832a1282917afa85546267b13c16a2eb35f84ab247bee4f3a248f071ba9fbb51

SHA512
2bc9f1f28b9c7789ca9f2d78cc37de4a6eed5d8f5e2861c1c2fc9b9939ddbcc54a3d7f12681f1c20712993336688ba2223773bf3bec21a34e6817b9dc9f96a1b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
678KB

MD5
325b42b46439bebdd1c71d39939b644e

SHA1
fe182b6dd265cd08e650697b8407ecb345283d32

SHA256
d71e81627978889ad519d7c277c6f50db9a304f304ad2abf64370312d6ac344b

SHA512
de64cc7adaaa26c94a76ad8440af593408e633f5294125e6f367de1dba036c4f6e2e071818977f9a2b61d80136985e0b0174aac849c2dde4f2920b8f1c302ff8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
83df1c8cf44020b162759cb59bb1cb8b

SHA1
c97ade5d12f07f0da56131dd5dbed6222d1f5cf1

SHA256
cf17f809c05cbcb0ea7314769c7a447a0df9bd4e7d4e07e768b020e64d81a197

SHA512
d982d5c9a7091df47da3ce707d5523dcc514107c49c39a57c90e13431e71169d56137e2f8c21e53766eb84140654aa24e6440a9714accc8c23935066f5707cf0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
625KB

MD5
e09cb0cf6a10715d757f6263e353e4ba

SHA1
c741b76644f8f5a3b67b655db7f4dbf3af119287

SHA256
0ee7e428fe608841f8f06e2ca11ca348711fb946ce515158b6fa87194005e75e

SHA512
a106162786ee202949cd98fe1de9674437ebe316606ec92265a9b98bebfd376e81f10baf837eff782b4f0782024be793efe7ff074bb993df1b8096239bc068c1

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
0082c6077b4b54564f7c6a50af282ce5

SHA1
9526ffaeb92585f087ef31c009d71fc246892d0a

SHA256
de3ee19543fa07de4bf8a86ffa5813839f6f3b9b7f7324875ede5170e9fdf45e

SHA512
ad59d584913938206fc218e919256fbeae5489c8e8a1ef0cf61ac8e14f53378a3a7056972fa86dfc1f8549d471748080f3915c8992c96617171b5eee0ad28e30

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
656KB

MD5
c718bb4cf37375e41d9b9e6aedd24f19

SHA1
fafc669e55093200fba4b271fc78403a57e87221

SHA256
947a101b1fa22302be472d7414fa8e7cb8cac61c7cd088f47f16ed1e85adeef9

SHA512
a7b302fd46fcd675a19f54a7cd626dde296decd36decf47d7cab625b9a29c96bb156a83285c9d3b81322711822c6db59a3cc39f3813092b9083448b52c54a6e6

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
587KB

MD5
f141ad4d547e33f46d0597fc31d685d0

SHA1
f1464d982fb77098b8bdb237887e115256707e5d

SHA256
77b16a3f8dd0e6f035388cb85fefbf0f4b21f6623c4468581bea4b48e087c52f

SHA512
fa67e3e83dd298f5843ea7b2773030233c64643f298e973187a89b0966efcffa2fd3d69cce475ecbec6ac696bc4baade78d4427d3654c0c308ee3f0d2f9f8a41

Download Submit
C:\Windows\System32\dllhost.exe
Filesize
577KB

MD5
4798cfb899f966b866439fb1262ce09b

SHA1
86fe86dc2126ee14bb4648abbfe430d0568c109e

SHA256
0082265ebeb583558278e75345bbecff45c84446a5771829e3071ebe0c069b85

SHA512
a132bc8e41009d81bbc154b6fadc94a9a057c5ff379c309bc297d98ecba3efc0c421865246c7e35f10e81bafc2af92597f5052ab84197de9241449ce27ff1f3b

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
705KB

MD5
dc675f4e076f1e4db74732b66e7c5ee2

SHA1
d6f0a61a51d91fe0f4ebba7d90a664d8b8ccce5a

SHA256
b5342d3e9d0740334774c2585bd73044ed2f1e1c1b86fbf92079ee56722e98eb

SHA512
40d3b5c42bb758a15a71d4f7e9d4f2754b2d0900f5ad45095cb812c35a3e64e3e667fa0ed8465d16cfa52f4abf1c0326cf4d45ccf39340ef3dd9c7e0a5b63096

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.1MB

MD5
0f261d6dbb2d6d396617cb5a385fccdf

SHA1
3f72c8024c853e2529a36ba9a97d8bb1fbd4d683

SHA256
e06ce67ba28a605880c8229b1ee3f6d296c1a922a8ef49dad4a736d02955d428

SHA512
c12d4a2dc32ea45a8547397565e365ef86e2566cde67f97e9459581bc8501d51be6d7463b16673542fcd3b883e6caded24e334acd223151341fe34a470537b16

Download Submit
C:\Windows\Temp\CabEADC.tmp
Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar123B.tmp
Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll
Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\03b7af2f3ab02c958c08fa685e639110\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
305KB

MD5
cbeccc4f9bff17a564d702e1d951258a

SHA1
ccc4643846bd851cb81ef209cbcaf315943f8cb4

SHA256
be4616488ddef989da68623e45c7510bac2842a7b5c42eb7717c4878cc5910a7

SHA512
7aec6e6674aef538d8020c7490ab3f70ed3f18eaa583548008fbb9e403a7ab077a625bfa5e3b5570a51f53e6dfab378324e0c16dd3a6b885de16048657d40a09

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6f75191bbad3ceef162ab3eeb9350e30\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
271KB

MD5
1c1cbde275a8ade0efbda1c446515525

SHA1
ff5b027c6275f3e1bc61c000cb91f478520476fc

SHA256
d1c90c35043829e55fecdf1a1f7c1d9f6308da04b95809808c3770784ff5d501

SHA512
10013362a034d5c8744786a413d282c72c41595827c3ed111f74e830ff8da7832e6b98c29268eb0d62464db961045495b703be88456538e77a9497691c665161

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\7e6517e2f8ae0b587be30983286830df\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
122KB

MD5
51a5216369d72371c42962a52f53ac83

SHA1
6ef8126b4fe85dcbc78ec62d3a12673ac4d97bfc

SHA256
7f41fc43e0ec98fe2f8a2aa726114b40b074b1c918fb96dc56c5f44fd4eed09d

SHA512
ffc5881d9f2cf517a7f91985f731a92e98458b28dd91f423909a9066ff1d85827734c453acc08163f9672b4685c46090c7dde50d3d33db92245ad8631aeb1f92

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9a45676b1771806a84f2aaf57d1748da\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
221KB

MD5
0a4f10f1edf854ec953b5db217894531

SHA1
5cb5d438f8b0a0478bf81b709342ea9e8bc9cb8e

SHA256
15fe58a558faa0792eb0b869ba8e2e196604f1ac6d01935f0b3c28bb2b45c579

SHA512
ab30784e3c5f35b7dcecc11e9ba53bf397989d040bc7a3a5f252bf2bcf08dc52e36dfb155541d7fb7e2641adf5c0f8722c6b7ccfb7f55d0235ba224af1df3265

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll
Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll
Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll
Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\system32\fxssvc.exe
Filesize
1.2MB

MD5
fab453e2e43009c92a1e444ba8b10d26

SHA1
ba198b0e1b2eac40f508edfbe9616e56c575f3bc

SHA256
7e01ca8ff8ff602259772589293902e64641b1936f69907093b72241ee547979

SHA512
257e0519abacee869a109f3fa4cbb4fcd93bbf92502a736bbba243a7177ac0120497207b25711783a8d3e42a4d5f6ca8d67e876e9fbe51b643910eb99d1517ef

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
648KB

MD5
7b7057f83df6acbe9c3b6fde35a70e61

SHA1
7f9cbf809adddf285d526a54b9149bedcc0a75f3

SHA256
31a3b3cb43260a4d713b3a2516c1cf1ce0b836f2fe753f45d6cbc9182fac64cf

SHA512
eb82f3f8215b0b8214f41e6628a7351a9bf40a689417fa1b2672dd941184ae0f72155bc050a91ac74e240f0cd2696916fee21d29304e10684cfadf243ee531cd

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
603KB

MD5
810e3cf645f15f755b1b8a9066c81b6e

SHA1
a5fd6b633b5b86d6623c85503f86aa8e37fde236

SHA256
68d8d132981e41d3c29877a764fd22ab034dbd28043811b0cc4b4b78317d4d9f

SHA512
741a216ace12816a698dc320ace90e381b576eca6dd184784f43f1ed728f068b79916d80f2f3a35de86be21eed4161872727013a06114d35a93adce571f451bc

Download Submit
\Windows\System32\Locator.exe
Filesize
577KB

MD5
06ce64a1b66fd02150f475de5d316249

SHA1
f24bf913cef724b3926977990392a695096be146

SHA256
e61b6d198d3a1e5359144d4d70d78d813435dd705fe8e69addba8c9c17a49a35

SHA512
7ce1c4ae9b2c9cacc1ae5eebe6bf245366e333f3ba21780332a3a20260af5ff37ee5efb94a97e4800f56d1335f14f2c0a5cd08f1fd54968b69c79aaa67a3515a

Download Submit
\Windows\System32\alg.exe
Filesize
644KB

MD5
6e1e29de2023e61e895b60d918848599

SHA1
7d542006b62b6cddac981baf64e59cb0f605b298

SHA256
4bcfa05764a3cdeac1221bf5855c9a1e31613931558c891a7d3dc59c0c6e865e

SHA512
3677fc53190e59ba78f62481481c76a403c3c0b8e43048650c33d64860dc0b2fb9cd33a5c233d91cab096b26e183e1df98c856c5d88c1349bf9f1c78568fe178

Download Submit
\Windows\System32\ieetwcollector.exe
Filesize
674KB

MD5
9b35c3a7799546e81a38ddaae448abb4

SHA1
cae10d0c7a93bd46677ac380539a5a828c72c217

SHA256
d230b07f87ebd38b1cf84974c78ab00f1c66bdb461d1a2e9d17c6e2409b082e6

SHA512
a9d27e5eab0b8e06fa9e892527cd982aeeb9c85d74b71f09ab4fb5f5c44c9e96b5d6c24b40b14dd10da5c85d536dd59a1d5cbb9f11f42ba15aa2af2bc8ba6b9f

Download Submit
\Windows\System32\msiexec.exe
Filesize
691KB

MD5
81a881fa1669640c554e60d6acd2282d

SHA1
d54bc9052ff17f18cd7ed1eb8e95d95870b46a34

SHA256
3ff0c006f2ff983f91a6c3307be51b1bd06d0428024ebc1e3b7edb8d8646946f

SHA512
b6cb47557a5dc28d9c719f63b2d6a841509e4517d2943f5369f4c3f52c7a1ce49b3d0b917432abc264d6f2a75a43e5d2c4fb402b6b04f625e633debdac66fbce

Download Submit
\Windows\System32\snmptrap.exe
Filesize
581KB

MD5
15f2302d9d81c4a53a43ed7d78966d1b

SHA1
45afcc487898435f3d897b9ce4b6a833c36aa73b

SHA256
f8dbc314014a5ef3ceb5ff2bd6518ce20b31a91236ff09fde2fcfd89618d4fb5

SHA512
521492d3861a4227299f341c8ed6a6c2217ef25ed1e6d8d3a739c3362f4931c8b374cc55f1731d7f9b717df4c0d32c2c8ffe295ba0a0327f8ba2e45465016174

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
2b0ed394c6fa752285f63b692f56c0a8

SHA1
1dc82c30310f9034d9dc3adece32b512079dc0c8

SHA256
a6dc982ead8709a93eb12c9a3a3508d667639df623c833d7e5bdabb5e294ea19

SHA512
408c064ed6f017ba506c6b038ab26fadb845c48ea23345dc7603a6f8b221a73e0e6d86c9820aa56efbaf275945bc99cdbe9bbc8c48df667f4594c2636aadd537

Download Submit
\Windows\ehome\ehsched.exe
Filesize
691KB

MD5
d39fe3ff6eb32a987d0688963f38fa9b

SHA1
ddb27007f0c8c424e561bdf1eed77dffd2493213

SHA256
3148e17f474bb4b101775230e3e845534f43c13c2657311190020bea85c5934e

SHA512
0c3db8f7c9d0f5ebd77fa8fdde3c8293fbe5dee019610368d8cad8cf768b269bdb54d75eb8c68b4ac35c4c6aa71375525e226eefe7a9b5342ba4518959456724

Download Submit
memory/268-421-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/268-709-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/280-204-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/280-325-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/316-836-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/316-825-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/320-811-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/320-806-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/340-287-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/340-580-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/568-227-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/568-327-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/664-668-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/664-633-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/828-191-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/828-194-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/828-185-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/828-304-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1004-859-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1004-848-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1148-733-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1148-740-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1656-305-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1656-632-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1664-451-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1664-233-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1688-147-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1688-139-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/1688-145-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/1688-264-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1764-759-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1764-763-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1880-533-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1880-562-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2004-112-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2004-168-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2064-722-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2064-736-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2144-897-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2144-292-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2144-179-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/2144-181-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2144-171-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/2208-847-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2240-662-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2240-679-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2256-813-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2256-824-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2308-712-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2308-682-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2344-137-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2344-97-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2344-103-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2344-104-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2344-98-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2440-157-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2440-412-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2440-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2440-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2440-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2536-628-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2536-581-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2552-800-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2552-796-0x0000000003D50000-0x0000000003E0A000-memory.dmp

Filesize
744KB

Download
memory/2576-877-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2576-882-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2616-764-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2616-775-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2616-469-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2616-509-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2620-253-0x0000000000430000-0x00000000004E2000-memory.dmp

Filesize
712KB

Download
memory/2620-532-0x0000000000430000-0x00000000004E2000-memory.dmp

Filesize
712KB

Download
memory/2620-468-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2620-250-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2636-29-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2636-216-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2656-571-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2656-586-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2692-478-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2692-454-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2700-634-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2700-627-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2728-625-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2728-293-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2732-121-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/2732-126-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/2732-120-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2732-252-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2740-570-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2740-270-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2744-330-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2744-680-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2788-783-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2788-786-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2836-193-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2836-12-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2836-13-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2836-20-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2836-19-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2848-750-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2852-158-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2852-280-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2852-177-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2852-178-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/2852-165-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/2852-159-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/2884-894-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2932-228-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2932-246-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2972-328-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2984-724-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2984-711-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3064-860-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3064-871-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download