42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50

Analysis

max time kernel
137s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
Size

625KB
MD5

0db5c9ce28c8642ff313db5efe49f43a
SHA1

0ef56a30a569ed3c76d98cfbffbbe6fb21d8e18c
SHA256

42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50
SHA512

01198071eccbeb9faf5e719f226c11f7d1ec1caeb7d511cb620580f1eabd369955074daccb375b1c824d1a6f10b60a4a1f63f902edf94e3a52a5df94c8e626a7
SSDEEP

12288:QJ/7d0NxksRpWE9FRHSfNm1wgbIxnBw7dzE+e3gxZC6LgjigDy5fdv8fWi+:i/Cks7WE9F5pwg8zmdqQjC60jiHkU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exedllhost.exeGROOVE.EXEmaintenanceservice.exeOSE.EXEOSPPSVC.EXEmscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
472
2612	alg.exe
2764	aspnet_state.exe
2756	mscorsvw.exe
2680	mscorsvw.exe
580	mscorsvw.exe
1732	mscorsvw.exe
2856	ehRecvr.exe
1968	ehsched.exe
1696	elevation_service.exe
2108	IEEtwCollector.exe
2300	dllhost.exe
960	GROOVE.EXE
992	maintenanceservice.exe
1760	OSE.EXE
1672	OSPPSVC.EXE
2628	mscorsvw.exe
2148	mscorsvw.exe
3056	mscorsvw.exe
2756	mscorsvw.exe
568	mscorsvw.exe
2860	mscorsvw.exe
1580	mscorsvw.exe
1440	mscorsvw.exe
792	mscorsvw.exe
2784	mscorsvw.exe
2344	mscorsvw.exe
2476	mscorsvw.exe
1764	mscorsvw.exe
2384	mscorsvw.exe
1488	mscorsvw.exe
2396	mscorsvw.exe
2464	mscorsvw.exe
2296	mscorsvw.exe
3012	mscorsvw.exe
2460	mscorsvw.exe
108	mscorsvw.exe
2140	mscorsvw.exe
1112	mscorsvw.exe
2724	mscorsvw.exe
2060	mscorsvw.exe
2568	mscorsvw.exe
2736	mscorsvw.exe
1688	mscorsvw.exe
1292	mscorsvw.exe
1072	mscorsvw.exe
2308	mscorsvw.exe
2776	mscorsvw.exe
2232	mscorsvw.exe
2788	mscorsvw.exe
704	mscorsvw.exe
932	mscorsvw.exe
2444	mscorsvw.exe
2576	mscorsvw.exe
2756	mscorsvw.exe
2512	mscorsvw.exe
2036	mscorsvw.exe
2436	mscorsvw.exe
2928	mscorsvw.exe
2948	mscorsvw.exe
1952	mscorsvw.exe
1816	mscorsvw.exe
2544	mscorsvw.exe
2912	mscorsvw.exe

Loads dropped DLL 42 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
472
472
472
472
472
472
1072	mscorsvw.exe
1072	mscorsvw.exe
2776	mscorsvw.exe
2776	mscorsvw.exe
2788	mscorsvw.exe
2788	mscorsvw.exe
932	mscorsvw.exe
932	mscorsvw.exe
2576	mscorsvw.exe
2576	mscorsvw.exe
2512	mscorsvw.exe
2512	mscorsvw.exe
2436	mscorsvw.exe
2436	mscorsvw.exe
2948	mscorsvw.exe
2948	mscorsvw.exe
1816	mscorsvw.exe
1816	mscorsvw.exe
2912	mscorsvw.exe
2912	mscorsvw.exe
1812	mscorsvw.exe
1812	mscorsvw.exe
1600	mscorsvw.exe
1600	mscorsvw.exe
944	mscorsvw.exe
944	mscorsvw.exe
2744	mscorsvw.exe
2744	mscorsvw.exe
2688	mscorsvw.exe
2688	mscorsvw.exe
2176	mscorsvw.exe
2176	mscorsvw.exe
944	mscorsvw.exe
944	mscorsvw.exe
2704	mscorsvw.exe
2704	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 10 IoCs

Processes:

42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exealg.exemscorsvw.exeGROOVE.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e2c75894ae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

Processes:

mscorsvw.exealg.exe42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7zG.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exealg.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{0E287B2B-004C-49A0-84F2-DF260AAC4B4A}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4EBC.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP47E9.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP51C8.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP452B.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4D36.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5E17.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exemscorsvw.exeehRec.exeOSPPSVC.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ehRec.exe

pid process

848 ehRec.exe

pid	process
848	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1612	42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: 33	1644	EhTray.exe
Token: SeIncBasePriorityPrivilege	1644	EhTray.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeDebugPrivilege	848	ehRec.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: 33	1644	EhTray.exe
Token: SeIncBasePriorityPrivilege	1644	EhTray.exe
Token: SeDebugPrivilege	2612	alg.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeDebugPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe
Token: SeShutdownPrivilege	1732	mscorsvw.exe
Token: SeShutdownPrivilege	580	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

1644 EhTray.exe
1644 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

1644 EhTray.exe
1644 EhTray.exe

pid	process
1644	EhTray.exe
1644	EhTray.exe

pid	process
1644	EhTray.exe
1644	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exe

description	pid	process	target process
PID 580 wrote to memory of 2628	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2628	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2628	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2628	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2148	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2148	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2148	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2148	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 3056	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 3056	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 3056	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 3056	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2756	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2756	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2756	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2756	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 568	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 568	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 568	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 568	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2860	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2860	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2860	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2860	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 1580	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 1580	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 1580	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 1580	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 1440	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 1440	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 1440	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 1440	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 792	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 792	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 792	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 792	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2784	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2784	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2784	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2784	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2344	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2344	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2344	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2344	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2476	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2476	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2476	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2476	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 1764	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 1764	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 1764	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 1764	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2384	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2384	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2384	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2384	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 1488	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 1488	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 1488	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 1488	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2396	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2396	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2396	580	mscorsvw.exe	mscorsvw.exe
PID 580 wrote to memory of 2396	580	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe
"C:\Users\Admin\AppData\Local\Temp\42c0bed7aafddfa185e9ab6a5ee49efdd55b484ae019d087da62b7fc01193c50.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2764

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2756

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 240 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 25c -NGENProcess 268 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 248 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 24c -NGENProcess 270 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 24c -NGENProcess 254 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 260 -NGENProcess 270 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 280 -NGENProcess 268 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 270 -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 268 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 274 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 284 -NGENProcess 270 -Pipe 298 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 260 -NGENProcess 294 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2a0 -NGENProcess 274 -Pipe 29c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 25c -NGENProcess 268 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2a4 -NGENProcess 290 -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 274 -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 25c -NGENProcess 2b0 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 284 -NGENProcess 274 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 244 -NGENProcess 1d0 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2c4 -NGENProcess 25c -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2c8 -NGENProcess 2a0 -Pipe 2bc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2cc -NGENProcess 1d0 -Pipe 2b0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d0 -NGENProcess 25c -Pipe 21c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 1d0 -NGENProcess 25c -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 2dc -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2d4 -NGENProcess 2d0 -Pipe 1c4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2e4 -NGENProcess 25c -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 25c -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2ec -NGENProcess 2d0 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d0 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2dc -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2e4 -NGENProcess 2f4 -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 304 -NGENProcess 2ec -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2ec -NGENProcess 2fc -Pipe 300 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 30c -NGENProcess 2f4 -Pipe 2dc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2f4 -NGENProcess 304 -Pipe 308 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 314 -NGENProcess 2fc -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2fc -NGENProcess 30c -Pipe 310 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 31c -NGENProcess 304 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 304 -NGENProcess 314 -Pipe 318 -Comment "NGen Worker Process"
2⤵
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 324 -NGENProcess 30c -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 30c -NGENProcess 31c -Pipe 320 -Comment "NGen Worker Process"
2⤵
PID:1748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 32c -NGENProcess 314 -Pipe 318 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 314 -NGENProcess 324 -Pipe 328 -Comment "NGen Worker Process"
2⤵
PID:1880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 334 -NGENProcess 31c -Pipe 304 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 31c -NGENProcess 32c -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:2420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 33c -NGENProcess 324 -Pipe 30c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 324 -NGENProcess 334 -Pipe 338 -Comment "NGen Worker Process"
2⤵
PID:936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 344 -NGENProcess 32c -Pipe 314 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 32c -NGENProcess 33c -Pipe 340 -Comment "NGen Worker Process"
2⤵
PID:2340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 34c -NGENProcess 334 -Pipe 31c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 334 -NGENProcess 344 -Pipe 348 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 334 -NGENProcess 34c -Pipe 33c -Comment "NGen Worker Process"
2⤵
PID:776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 324 -NGENProcess 344 -Pipe 294 -Comment "NGen Worker Process"
2⤵
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 35c -NGENProcess 2c8 -Pipe 244 -Comment "NGen Worker Process"
2⤵
PID:3032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 34c -Pipe 358 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 34c -NGENProcess 324 -Pipe 344 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 324 -NGENProcess 32c -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 36c -NGENProcess 364 -Pipe 334 -Comment "NGen Worker Process"
2⤵
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 368 -Pipe 35c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:3036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 32c -Pipe 360 -Comment "NGen Worker Process"
2⤵
PID:2340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 364 -NGENProcess 36c -Pipe 354 -Comment "NGen Worker Process"
2⤵
PID:1596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 37c -NGENProcess 368 -Pipe 34c -Comment "NGen Worker Process"
2⤵
PID:1764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 32c -Pipe 324 -Comment "NGen Worker Process"
2⤵
PID:1112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 36c -Pipe 378 -Comment "NGen Worker Process"
2⤵
PID:1852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 368 -Pipe 370 -Comment "NGen Worker Process"
2⤵
PID:2224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 32c -Pipe 374 -Comment "NGen Worker Process"
2⤵
PID:588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 36c -Pipe 364 -Comment "NGen Worker Process"
2⤵
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 368 -Pipe 37c -Comment "NGen Worker Process"
2⤵
PID:1352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 32c -Pipe 380 -Comment "NGen Worker Process"
2⤵
PID:3000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3a4 -NGENProcess 36c -Pipe 3a0 -Comment "NGen Worker Process"
2⤵
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 388 -Pipe 39c -Comment "NGen Worker Process"
2⤵
PID:2296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 32c -Pipe 38c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 36c -Pipe 390 -Comment "NGen Worker Process"
2⤵
PID:2500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b0 -NGENProcess 3ac -Pipe 388 -Comment "NGen Worker Process"
2⤵
PID:2148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 394 -NGENProcess 36c -Pipe 398 -Comment "NGen Worker Process"
2⤵
PID:484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 394 -NGENProcess 3b0 -Pipe 3a8 -Comment "NGen Worker Process"
2⤵
PID:1624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 384 -NGENProcess 36c -Pipe 3b8 -Comment "NGen Worker Process"
2⤵
PID:2504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 36c -NGENProcess 3a4 -Pipe 3c8 -Comment "NGen Worker Process"
2⤵
PID:2360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 32c -NGENProcess 3c4 -Pipe 3c0 -Comment "NGen Worker Process"
2⤵
PID:1428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 384 -NGENProcess 3d0 -Pipe 36c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 3ac -NGENProcess 3c4 -Pipe 3b4 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3d4 -NGENProcess 32c -Pipe 3b0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3d0 -Pipe 3bc -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d0 -NGENProcess 3d8 -Pipe 3dc -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3e0 -NGENProcess 32c -Pipe 3cc -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 394 -Pipe 384 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3d8 -Pipe 3ac -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 32c -Pipe 3c4 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 394 -Pipe 3d4 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 3d8 -Pipe 3d0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 32c -Pipe 3e0 -Comment "NGen Worker Process"
2⤵
PID:1152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 394 -Pipe 3e4 -Comment "NGen Worker Process"
2⤵
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 394 -NGENProcess 3f4 -Pipe 3d8 -Comment "NGen Worker Process"
2⤵
PID:2392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 408 -NGENProcess 32c -Pipe 3ec -Comment "NGen Worker Process"
2⤵
PID:2720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 32c -NGENProcess 3fc -Pipe 404 -Comment "NGen Worker Process"
2⤵
PID:2204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 410 -NGENProcess 3f4 -Pipe 3f8 -Comment "NGen Worker Process"
2⤵
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 3f4 -NGENProcess 408 -Pipe 40c -Comment "NGen Worker Process"
2⤵
PID:2660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 418 -NGENProcess 3fc -Pipe 394 -Comment "NGen Worker Process"
2⤵
PID:2732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 41c -NGENProcess 414 -Pipe 3f0 -Comment "NGen Worker Process"
2⤵
PID:1248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 3f4 -NGENProcess 424 -Pipe 418 -Comment "NGen Worker Process"
2⤵
PID:1032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 32c -NGENProcess 414 -Pipe 3e8 -Comment "NGen Worker Process"
2⤵
PID:2352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 428 -NGENProcess 41c -Pipe 3a4 -Comment "NGen Worker Process"
2⤵
PID:2976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 42c -NGENProcess 424 -Pipe 410 -Comment "NGen Worker Process"
2⤵
PID:3064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 430 -NGENProcess 414 -Pipe 408 -Comment "NGen Worker Process"
2⤵
PID:2512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 434 -NGENProcess 41c -Pipe 420 -Comment "NGen Worker Process"
2⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 438 -NGENProcess 424 -Pipe 3f4 -Comment "NGen Worker Process"
2⤵
PID:2920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 43c -NGENProcess 414 -Pipe 32c -Comment "NGen Worker Process"
2⤵
PID:1128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 41c -Pipe 428 -Comment "NGen Worker Process"
2⤵
PID:692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 424 -Pipe 42c -Comment "NGen Worker Process"
2⤵
PID:1056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 448 -NGENProcess 414 -Pipe 430 -Comment "NGen Worker Process"
2⤵
PID:2288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 44c -NGENProcess 41c -Pipe 434 -Comment "NGen Worker Process"
2⤵
PID:1352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 41c -NGENProcess 440 -Pipe 454 -Comment "NGen Worker Process"
2⤵
PID:2324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 1d8 -NGENProcess 260 -Pipe 278 -Comment "NGen Worker Process"
2⤵
PID:1020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 1d8 -NGENProcess 41c -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
PID:3036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 44c -NGENProcess 260 -Pipe 450 -Comment "NGen Worker Process"
2⤵
PID:1248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 43c -NGENProcess 1ec -Pipe 444 -Comment "NGen Worker Process"
2⤵
PID:824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 448 -NGENProcess 41c -Pipe 438 -Comment "NGen Worker Process"
2⤵
PID:1632

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2724

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2060

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2856

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1968

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1644

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1696

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2108

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2300

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:960

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:992

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1760

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1672

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Filesize
706KB

MD5
93a2b3a5a3909e6dda5ccd50b529f727

SHA1
ff0897917df9aa985713d5a90d0ee759eecbb240

SHA256
ae453f842c43dfa9e2a31f8141deef6f1e93795622ac0d664d69e36f4b68fe3e

SHA512
9c5967d044975336e510d491a578813fc5eb9b9d380e0834a28d4419339c7161ea9af959506dda3aa9b287fcb4817a7385b0374aed37b93864d3c33b273c51b9

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Filesize
1.6MB

MD5
b29e7a7559046b29e4f68a695bdaf0a5

SHA1
613cf2ab7ec7bf3a9128c0227d29ada90eda6e7f

SHA256
6c8fb20281457df31d6137242dc71ef1bb548e295de941bc4a5ef94c6215ec6a

SHA512
355116ab48220711819cec27a5c9833bd52b58f07523be9b0293d954f1d72fa45fa9cc77c0235253b0a4c0172410fb892f8113e02c8f864bd76aa02cb7c11d13

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
Filesize
1.3MB

MD5
f4f3489703ec995fde0eb916bbd2d18e

SHA1
3a5f50d70552e1093a8bcf897c37fb457ce9175f

SHA256
0d71d7d8ed1a87f45f758d2163534e1fdb9f6c75a39f048311fafc1f629d067e

SHA512
94dc746209d4754d9402578f142070439109df49cdcf02f81a1a8534dad4d46905d0a2812fb0582dd3e3c7f24e036fc17bb9c2595d23c990752edafd92fcdf87

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
Filesize
1.0MB

MD5
75a7d97751d6657723cb92c1564c79d5

SHA1
4c3cd058b2ff3946c73811b621268173a9b47106

SHA256
7e769780d9b7d3b762b741ad1460343b59813e5b965334fe8678726d46dea2f2

SHA512
483577fbc61c80c350413a90d9c7a406a541ae31515ebf78ce1167281053ddb33abe0bfb7ce36c59478bf7fd4dddaed5438d1ec29ef4e2649eaf6f566e6e86dd

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
706KB

MD5
130b29b26cc370435b4ca7e881ff1c21

SHA1
abc785772f68e080ffb9b3d099c88d80192e3eef

SHA256
53de64639852dc5206500b4cabadad3a7cf90eb5bd756cf34aceb919e8b0c04a

SHA512
25f359dc3a3e4e51c4532b6765126613a4820458696d6629d86062c2680e3a36e5fbd2029c0e32cd1fad27ad0b349fbcf09f59698e4973f660afb86b7064caab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
0782f5bda94c176b0b7f7d958ffca28f

SHA1
f88455bbe4b3875f06f6b72e84a041e151c7aec9

SHA256
bd4cfe0c68fb184226d4891acce30029b7a8c1906155162d1e0f38f35bc539bc

SHA512
f20242bc61dcbc9acd6ccbcfd64d044e66c891e8f7c238788c828e4dd43afd9f4eee7246a885774ff03e8820dab8e84d5c2210e06d5416b07c0d3a5157f46739

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
0f3e68869ecb62abec881476c07a441f

SHA1
fd8a89ef08fd52cb2d03ebc3a5df60399e644103

SHA256
1ca3d1a1e0e269b93579a79744c8c2d738a3d53613e41ae1ca45eabaf536a660

SHA512
ba0524ac7acc95661cdcfa40bf5e7fe21d04a74f9397af9c5c7d100a729367d0661dbd4ead2eb4f22c7c1f4d06dbdce5aa9c9e3f80c3aa32e6d60a9f355690af

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
c8a5d236b690916f973f757d4cbd37a3

SHA1
a1da3ff3f5a5deb5ef4e463f61a0fcfeb21076a9

SHA256
1d16c994a7143a1d09038e0368a789f2c696e3b7481575894b4db39350494c00

SHA512
548e48655654ca0992545d8580cc78bb5073a99f4586e1418fccca9e862b90f68548a6eebb6ddeb5eb601f8619dc8aa315968c637c910708139741795782c492

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
de514aa13450e619862c90fce2b51213

SHA1
6368cc21675999e46c813869cf7ba95adbb16ba6

SHA256
cf4de4fd3bde54b60aec42d38396cf8bf75fe74428f35cce2b7d979c0482a447

SHA512
caa5aca200b79137c403b9826d0833df4454fa1fff507e745d5e1ca1b2b218d88f1d49ff4e0ee6a08dd8a3987961d05382b6625373ddbe4465554ac53ec2ea30

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
83b3dbd2c947f7a92232d2d3ca891459

SHA1
c2b696b67188f9f59c9aeb9757bc7893ef72771b

SHA256
425ec42706c6a467d6231a5ac4a142fb93aa05fbb0c5840327ca5a62d2b99704

SHA512
9e7af7ac85a5668faaeac788afe052bd6da001aa6ee3e163e97328c130442a54d1c1319648b8061a2dacf43b5556320f55e288ee138cb75c93a9f708e22e2c16

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
af3865e6ec5bc854ecd491c8276dd949

SHA1
a4076e8bf5d2891b4a045a8195704a29d7c48019

SHA256
f31c383b2ad2711ac76e95fd07c015c749492c903c2b19238742f29148bb917a

SHA512
9ff9f3d3a8ea90c581ad54d8de88bfd5c0eed08814b4329de5cac182a1c827153cd1f7a49a300d2ec4944798b0a2e3658cb19707493d5a0d2ee1fd8842d336d1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
40f81260f179cbc5b6cbba1f9b43e976

SHA1
6badb475456a61f25fc5de3355e57679d6d9e4a3

SHA256
3f43bc7b23da1662dbd88e27b308e3ab7a2ef5d3a4b8bc0d9f9f248cef7b11a7

SHA512
dc4a739531f5ebcc208cccc4ab62e7cf8c8a3530542180f3a7e74385914cd3442b4a5a32afaac1d4896372a27795c8cec8a5712364fa6eb9981d442c14c52bd1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
f4386fdb291d70b602aa20297dcf9bf8

SHA1
3ce8f8b96ad07b92663217d5b91d8f9fef36efc9

SHA256
b8177c80f035a6449e080de9cbf123dbf42fa7b2c516553f8f381eb7a5b5f217

SHA512
4160a16fe7b362d9473dc574de62100eb9580491f5e96e20acbfe700beb9583c6ffbde4ba53171ccf9bdc522d940b1b18eb34993b66f32d31207f0faa5fd7a81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
648KB

MD5
ba82111d1e2be1f76f2bfb553411359b

SHA1
c783be157a8ff8f04680b39424126b50f250d4ea

SHA256
fff7eb75c18ed3d5743a029814539d5a5b1b359802f29b1be74dfdb8ebb8f94f

SHA512
19495417df48b1cb56ff53a19d755f41ed35b23073e023d1112fa32007cf2699c4084ab103fe153fbf73dbcfd49b00b84bd4ee2501ea1d030af5f9a1229e7c5c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
3160abe3beec94592b24e5577b88bbca

SHA1
617ca3bd259911484b325d0488de0cd149d685d8

SHA256
9e834d46472daf63eb4acbd94bab7a85cbfedc6b0a69245affe5581cf956bfc9

SHA512
5acd72269697ad0f5698a35ece8c0e51172162fb7203fb47c4fe422958417c14423a6603906c42757955a249c32c3029cb076246be32d0f1a69223b5a08f4cb5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
678KB

MD5
1a67d278f8a01697f2976bbc49d44737

SHA1
49bb00d3887e7b1804f0e6d88c693773e0bf3b02

SHA256
608dfabcc3f1c5e21675d0e34cfd16252347f2e64564860c75f5c4607b0d4b2d

SHA512
8330e93615604f634006bec869acae103a97a84b170b7d4b3d53ff0b8f72ced17c1b5f3e5522fbde477ad534a7fa83bc1b0cccab4e76e21bfb98cbfa7220e7e5

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
625KB

MD5
34a6710ec005530e88cf958011665ceb

SHA1
dd055f42abd4aa2af7951d5c6bae87d9cd823661

SHA256
70638d32080988a3c13e49d70d9e9ed2e389127b52e6e4d5152b47e583429379

SHA512
72cff9235a2d49076601eae993c8717725a9ae3bb25cba462d1c30bc1e933dcc1702481015b5df8d174081281b7d92259334b6e726ea661fcc7d205b3c4effff

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
bc63df0abfa64f810244471744f545e4

SHA1
c0006e91f12107f98a3343e0292aee037abbd52c

SHA256
5964c3c5c456e0d4c8addd67e9d1a1395255ad79504f93bad32ed5838387938b

SHA512
4ef62f3c0d64a71a34f259b5cf11a14a7100de5a9858a04f07a4e164c3b6ee0d7f4e006ecfa995e47da2ff47e785d547ac1b579a041c58da84ae2b50d97a5848

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
656KB

MD5
c436565f930d41fdbdf328b46cb0c0b4

SHA1
4c05218640e13c093eb6b72e04a3c5b3cb1e735d

SHA256
ed784b6b09bd7f19577b7955b379366a5f46212e235c8fdc04ac0be1d0d8c044

SHA512
6d2020a04aee31ac4c3071ed8e045d45f0fa621da70695a28c20ad0e6d1523c90671f0d09ba9476f20331126aa59976b8965c5ea7bf8a44d9fec7bafe951eb54

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
9494e833164eb6602dd4e202460517bd

SHA1
db2002deef6159e06d06619640fc470b602b424b

SHA256
4a9878952b20660e395ba756d6e52c8344b932ead6a118560a7d254f617891e4

SHA512
f6b90eea4e1e519d55e52286b54652d53fd2a9cbf7c97dcb66dce20449dccc1d74c11142483e276f14b90af92e6cd6d40b59a08988fc8438f4b1d79c5434b0ce

Download Submit
C:\Windows\System32\dllhost.exe
Filesize
577KB

MD5
9eda44ef61006711ad6e9919d6dc9fb3

SHA1
6028e15519db7df8c96325d348070e4e5657d7ba

SHA256
94f3cb13b5bdb8df112cf12ca75c9ce244b15b883b4e3dcc367c9f60fe9d9b8c

SHA512
2bd613626e8074dcf58a45c4e3ed5eaf8b93022f1b2598797dc873c398bae372e8bdbe0af45cee188ccd9ae50bff22f825046e8b6eaf52e785b02b27c007162f

Download Submit
C:\Windows\System32\ieetwcollector.exe
Filesize
674KB

MD5
ee045cb976b7e4377061bdad871ad913

SHA1
6503fe0bb2d03687c95db0d6a83d43da37843b1e

SHA256
b750a5f11db614d67d12e31f37ef268d6819346a19a79d13726678862d859045

SHA512
5fd4c6687346962dc9086fe4f285554d555cc47b797080d31429b69ca103960b22b251858b2075557ba2a1c1d7f31979feada8f5ed040d16cdf27c0387718555

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll
Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\19e119d01ac5a79cb66fbdc5192d99a6\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
83KB

MD5
b06005df2a57ea696421f61737bf9b98

SHA1
f851be48514766da5f871b9d6cebb79d1fc807d5

SHA256
0b7ab97147e19572989453bd87d334a22473297859a82e34ffbecc2314af07e3

SHA512
d2396337f53e9b52d975628c3ac680b64ed668f9f0c6fc8361fb1ec5889c743d5598e3c90efaf5522eaf5f8b2c224bad39e237f48820c83f40905bc4bef86303

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\60d83ec672c581fd2f9df7cdde250543\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
180KB

MD5
991f858506fc2272e1599b0041443ba9

SHA1
05db4b5552568e118bdca9af282106918bf08ba4

SHA256
420e5a13719cf8ed3daeaa58ec1ae97ae6c9405aeb756d3fe15f8d6ea0f2d89b

SHA512
429428b9a62da2b8e241b3dc8137e93ad14a61f70a1201dd85f18acfb51b2063f4516281b7c9e820d47419329c11981d2c03cf16df4bd3a1074058e80cb2bc30

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\737a9f5abc6a1bac577e9b4c031e4c88\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
187KB

MD5
6e0fdea3edb4e204b17860edc3792af3

SHA1
597c078f450fb51a948e80de3e223b5fce6b68c5

SHA256
71d70c1430b1aea9df346a00e29ee9bc952cd5a20a9a828fe37ce038dac4cb9a

SHA512
72ae50c5000fc306c968967adbe813fce3192a2e7a083abc8b76b7e65f90ae313fe9369afd0f71fd7ed5796539f84bff9af321239985d3874e3940e5c1d941d1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\system32\fxssvc.exe
Filesize
1.2MB

MD5
bac36350bf0aabf682b7c52ccd3fe196

SHA1
2165507e1a63b92acb4db27ac16b72c971535a5f

SHA256
102f784a09178d5b9ef5843feb0ce8d7d766b2886c419e8466371d3b96d3cd66

SHA512
ea35e2dfd9e4cd087d76a95a973ceeb34a367045270988312fd22aef99cea83f63055464562cafb628ad47a73da66516d53eb04f9be52afebc92b1d551a24ff1

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
603KB

MD5
91d236dd8557c975aea45a9e72c55621

SHA1
fe1a6e3b0190e15618ce2d2e751c38ad9dda9458

SHA256
26b0066d4704901ceda2f7634f15590ffc343fc23b9781d3b3d4775202090396

SHA512
ddd24f1a3ea1d546cf21fda3edd36f218a2e6412ff120c91c2673f86a5c92b71165f3c5160b0b7e9ba4d8d02e074fc5be922f287282579027d217154aa8623fb

Download Submit
\Windows\System32\alg.exe
Filesize
644KB

MD5
6dfe85082cb3f0a8be15dae806aaf450

SHA1
1d1164b78f9cc2f8867cd9cd7782920325a9fa96

SHA256
15150070f61e37d7cc9893367c81b9c50582b745a8fabd8a1c179676a4cafbcf

SHA512
ab74acca4f796169b501f4177f549f5bb5ebf13e48e5d651f3b3ed6a9845f6f1631b43ebdcf25fe3b6950124ec392fc84d33b4be95f0cdc2eed714f61b29be28

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
b91a7e9c19fe2f2e4d3e3165f0e8f652

SHA1
e7337607499c4c40090e8a110346d371471f4db0

SHA256
6e4295fbfc3d085f9f7e4f938d4ba3e12a979837ffbb703621d12f8d32e5e8f9

SHA512
a90c03a12be2dcc97e0a912a21375506d27bddb286a8c7599b5087daf012c98989b58cfc972804d011d61edcbb6556f5d702be737c4edd5af030e6695a734922

Download Submit
\Windows\ehome\ehsched.exe
Filesize
691KB

MD5
7d196227ee7270de53fcd15ef2c505c9

SHA1
ce3df23e214a48c9d13369ad77d5554902390b50

SHA256
db8e4deac437756b52625d9447b4e7bd7766ae8a3581016ed15c405e9a57218d

SHA512
a890c53baa000df34fcaae37caf2b0ed0af6775293071887aecc6021b60f6a7f1e7c348977c4479d1c33930d05a82c97327d0a8017dbe3354b690ed6eddd26dd

Download Submit
memory/108-627-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/568-445-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/568-430-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/580-717-0x0000000001130000-0x0000000001138000-memory.dmp

Filesize
32KB

Download
memory/580-64-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/580-58-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/580-59-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/580-193-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/580-709-0x0000000001130000-0x000000000114A000-memory.dmp

Filesize
104KB

Download
memory/580-710-0x0000000001130000-0x00000000011BC000-memory.dmp

Filesize
560KB

Download
memory/580-708-0x0000000001130000-0x000000000114E000-memory.dmp

Filesize
120KB

Download
memory/580-707-0x0000000001130000-0x000000000113A000-memory.dmp

Filesize
40KB

Download
memory/580-711-0x0000000001130000-0x00000000011D4000-memory.dmp

Filesize
656KB

Download
memory/580-712-0x0000000001EA0000-0x000000000203E000-memory.dmp

Filesize
1.6MB

Download
memory/580-713-0x0000000001130000-0x000000000121C000-memory.dmp

Filesize
944KB

Download
memory/580-714-0x0000000001130000-0x0000000001140000-memory.dmp

Filesize
64KB

Download
memory/580-715-0x0000000001130000-0x00000000011B8000-memory.dmp

Filesize
544KB

Download
memory/580-716-0x0000000001130000-0x0000000001154000-memory.dmp

Filesize
144KB

Download
memory/580-719-0x0000000001130000-0x0000000001196000-memory.dmp

Filesize
408KB

Download
memory/580-718-0x0000000001130000-0x000000000115A000-memory.dmp

Filesize
168KB

Download
memory/792-488-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/792-477-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/960-418-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/960-165-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/992-167-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/992-179-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1112-652-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1112-644-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1440-472-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1440-476-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1488-559-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1488-555-0x0000000003D80000-0x0000000003E3A000-memory.dmp

Filesize
744KB

Download
memory/1580-462-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1580-457-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1612-89-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1612-6-0x0000000000460000-0x00000000004C7000-memory.dmp

Filesize
412KB

Download
memory/1612-1-0x0000000000460000-0x00000000004C7000-memory.dmp

Filesize
412KB

Download
memory/1612-140-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1612-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1672-471-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1672-205-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1696-376-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1696-117-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1696-123-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1696-125-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1732-79-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1732-73-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1732-72-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1732-202-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1760-436-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1760-192-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1764-542-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1764-524-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1968-104-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1968-105-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1968-111-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1968-681-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1968-367-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2060-678-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2060-664-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2108-684-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2108-138-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2140-635-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2140-647-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2148-403-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2148-390-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2296-600-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2300-152-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2300-392-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2344-500-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2344-519-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2384-554-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2384-534-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2396-578-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2460-605-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2460-623-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2464-569-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2464-588-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2476-523-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2568-720-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2568-737-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2612-12-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2612-20-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2612-116-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2612-13-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2612-19-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2628-389-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2628-215-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2680-66-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2680-45-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2724-675-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2724-654-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2756-419-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2756-29-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2756-30-0x00000000009A0000-0x0000000000A07000-memory.dmp

Filesize
412KB

Download
memory/2756-35-0x00000000009A0000-0x0000000000A07000-memory.dmp

Filesize
412KB

Download
memory/2756-431-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2756-52-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2764-26-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2764-153-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2784-501-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2784-489-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2856-100-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/2856-90-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2856-97-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2856-91-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2856-214-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2856-101-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2856-690-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2860-442-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2860-456-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3012-604-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3056-416-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3056-400-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download