72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-05-2024 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
Size

1.8MB
MD5

31cc403a438f76e438297efdfb795169
SHA1

51e997030c4af45a97f60c9b2a0d7fb280b0fc79
SHA256

72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6
SHA512

e74956f518ac94d590a74247ad83edc28eb936ea937f5f8ecc15182033b3a32d8e905ed358e235807ef41274793fe4403382c5d4e0b0a06e71dae94170da3ca4
SSDEEP

49152:7x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAxgFIDRRAubt5M:7vbjVkjjCAzJnUf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2652	alg.exe
1076	aspnet_state.exe
1112	mscorsvw.exe
2656	mscorsvw.exe
1888	mscorsvw.exe
832	mscorsvw.exe
632	ehRecvr.exe
2236	ehsched.exe
1892	elevation_service.exe
708	IEEtwCollector.exe
288	GROOVE.EXE
2496	maintenanceservice.exe
2408	dllhost.exe
548	OSE.EXE
2980	OSPPSVC.EXE
1068	mscorsvw.exe
1584	mscorsvw.exe
1600	mscorsvw.exe
2700	mscorsvw.exe
2360	mscorsvw.exe
1492	mscorsvw.exe
2300	mscorsvw.exe
332	mscorsvw.exe
796	mscorsvw.exe
2740	mscorsvw.exe
1600	mscorsvw.exe
2820	mscorsvw.exe
876	mscorsvw.exe
1160	mscorsvw.exe
2724	mscorsvw.exe
2816	mscorsvw.exe
760	mscorsvw.exe
2964	mscorsvw.exe
2764	mscorsvw.exe
2572	mscorsvw.exe
1592	mscorsvw.exe
2160	mscorsvw.exe
1008	mscorsvw.exe
2116	mscorsvw.exe
2292	mscorsvw.exe
1540	mscorsvw.exe
2820	mscorsvw.exe
676	mscorsvw.exe
876	mscorsvw.exe
2056	mscorsvw.exe
436	mscorsvw.exe
1684	mscorsvw.exe
2220	mscorsvw.exe
2244	mscorsvw.exe
2516	mscorsvw.exe
2872	mscorsvw.exe
2884	mscorsvw.exe
2572	mscorsvw.exe
2636	mscorsvw.exe
948	mscorsvw.exe
1208	mscorsvw.exe
1092	mscorsvw.exe
2088	mscorsvw.exe
1168	mscorsvw.exe
3016	mscorsvw.exe
268	mscorsvw.exe
1992	mscorsvw.exe
2180	mscorsvw.exe

Loads dropped DLL 54 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2056	mscorsvw.exe
2056	mscorsvw.exe
1684	mscorsvw.exe
1684	mscorsvw.exe
2244	mscorsvw.exe
2244	mscorsvw.exe
2872	mscorsvw.exe
2872	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
948	mscorsvw.exe
948	mscorsvw.exe
1092	mscorsvw.exe
1092	mscorsvw.exe
1168	mscorsvw.exe
1168	mscorsvw.exe
268	mscorsvw.exe
268	mscorsvw.exe
2180	mscorsvw.exe
2180	mscorsvw.exe
2960	mscorsvw.exe
2960	mscorsvw.exe
1148	mscorsvw.exe
1148	mscorsvw.exe
1928	mscorsvw.exe
1928	mscorsvw.exe
580	mscorsvw.exe
580	mscorsvw.exe
2828	mscorsvw.exe
2828	mscorsvw.exe
2376	mscorsvw.exe
2376	mscorsvw.exe
2712	mscorsvw.exe
2712	mscorsvw.exe
1372	mscorsvw.exe
1372	mscorsvw.exe
2480	mscorsvw.exe
2480	mscorsvw.exe
1092	mscorsvw.exe
1092	mscorsvw.exe
2088	mscorsvw.exe
2088	mscorsvw.exe
2500	mscorsvw.exe
2500	mscorsvw.exe
464	Process not Found
464	Process not Found
1692	msiexec.exe
464	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8ddd96aaae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM9B75.tmp\goopdateres_pt-BR.dll	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B75.tmp\goopdateres_fa.dll	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B75.tmp\goopdateres_el.dll	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B75.tmp\psuser.dll	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B75.tmp\goopdateres_vi.dll	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B75.tmp\GoogleUpdateComRegisterShell64.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B75.tmp\goopdateres_de.dll	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B75.tmp\goopdateres_fr.dll	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B75.tmp\goopdateres_lt.dll	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B75.tmp\goopdateres_et.dll	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B75.tmp\goopdateres_cs.dll	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B75.tmp\goopdateres_sl.dll	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B75.tmp\goopdateres_sv.dll	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP41F0.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4AB6.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP45A8.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP39E5.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6326.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC4C5.tmp\Microsoft.Office.Tools.Excel.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBA69.tmp\Microsoft.Office.Tools.Common.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5CB1.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6AEA1E7E-7FF4-4507-90D6-401D0A63362B}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
768	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1808	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: 33	2732	EhTray.exe
Token: SeIncBasePriorityPrivilege	2732	EhTray.exe
Token: SeDebugPrivilege	768	ehRec.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: 33	2732	EhTray.exe
Token: SeIncBasePriorityPrivilege	2732	EhTray.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeDebugPrivilege	2652	alg.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeDebugPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1888	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2732	EhTray.exe
2732	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2732	EhTray.exe
2732	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 1068	1888	mscorsvw.exe	45
PID 1888 wrote to memory of 1068	1888	mscorsvw.exe	45
PID 1888 wrote to memory of 1068	1888	mscorsvw.exe	45
PID 1888 wrote to memory of 1068	1888	mscorsvw.exe	45
PID 1888 wrote to memory of 1584	1888	mscorsvw.exe	46
PID 1888 wrote to memory of 1584	1888	mscorsvw.exe	46
PID 1888 wrote to memory of 1584	1888	mscorsvw.exe	46
PID 1888 wrote to memory of 1584	1888	mscorsvw.exe	46
PID 1888 wrote to memory of 1600	1888	mscorsvw.exe	56
PID 1888 wrote to memory of 1600	1888	mscorsvw.exe	56
PID 1888 wrote to memory of 1600	1888	mscorsvw.exe	56
PID 1888 wrote to memory of 1600	1888	mscorsvw.exe	56
PID 1888 wrote to memory of 2700	1888	mscorsvw.exe	48
PID 1888 wrote to memory of 2700	1888	mscorsvw.exe	48
PID 1888 wrote to memory of 2700	1888	mscorsvw.exe	48
PID 1888 wrote to memory of 2700	1888	mscorsvw.exe	48
PID 1888 wrote to memory of 2360	1888	mscorsvw.exe	49
PID 1888 wrote to memory of 2360	1888	mscorsvw.exe	49
PID 1888 wrote to memory of 2360	1888	mscorsvw.exe	49
PID 1888 wrote to memory of 2360	1888	mscorsvw.exe	49
PID 1888 wrote to memory of 1492	1888	mscorsvw.exe	50
PID 1888 wrote to memory of 1492	1888	mscorsvw.exe	50
PID 1888 wrote to memory of 1492	1888	mscorsvw.exe	50
PID 1888 wrote to memory of 1492	1888	mscorsvw.exe	50
PID 1888 wrote to memory of 2300	1888	mscorsvw.exe	51
PID 1888 wrote to memory of 2300	1888	mscorsvw.exe	51
PID 1888 wrote to memory of 2300	1888	mscorsvw.exe	51
PID 1888 wrote to memory of 2300	1888	mscorsvw.exe	51
PID 1888 wrote to memory of 332	1888	mscorsvw.exe	52
PID 1888 wrote to memory of 332	1888	mscorsvw.exe	52
PID 1888 wrote to memory of 332	1888	mscorsvw.exe	52
PID 1888 wrote to memory of 332	1888	mscorsvw.exe	52
PID 1888 wrote to memory of 796	1888	mscorsvw.exe	53
PID 1888 wrote to memory of 796	1888	mscorsvw.exe	53
PID 1888 wrote to memory of 796	1888	mscorsvw.exe	53
PID 1888 wrote to memory of 796	1888	mscorsvw.exe	53
PID 1888 wrote to memory of 2740	1888	mscorsvw.exe	54
PID 1888 wrote to memory of 2740	1888	mscorsvw.exe	54
PID 1888 wrote to memory of 2740	1888	mscorsvw.exe	54
PID 1888 wrote to memory of 2740	1888	mscorsvw.exe	54
PID 1888 wrote to memory of 1600	1888	mscorsvw.exe	56
PID 1888 wrote to memory of 1600	1888	mscorsvw.exe	56
PID 1888 wrote to memory of 1600	1888	mscorsvw.exe	56
PID 1888 wrote to memory of 1600	1888	mscorsvw.exe	56
PID 1888 wrote to memory of 2820	1888	mscorsvw.exe	58
PID 1888 wrote to memory of 2820	1888	mscorsvw.exe	58
PID 1888 wrote to memory of 2820	1888	mscorsvw.exe	58
PID 1888 wrote to memory of 2820	1888	mscorsvw.exe	58
PID 1888 wrote to memory of 876	1888	mscorsvw.exe	59
PID 1888 wrote to memory of 876	1888	mscorsvw.exe	59
PID 1888 wrote to memory of 876	1888	mscorsvw.exe	59
PID 1888 wrote to memory of 876	1888	mscorsvw.exe	59
PID 1888 wrote to memory of 1160	1888	mscorsvw.exe	60
PID 1888 wrote to memory of 1160	1888	mscorsvw.exe	60
PID 1888 wrote to memory of 1160	1888	mscorsvw.exe	60
PID 1888 wrote to memory of 1160	1888	mscorsvw.exe	60
PID 1888 wrote to memory of 2724	1888	mscorsvw.exe	61
PID 1888 wrote to memory of 2724	1888	mscorsvw.exe	61
PID 1888 wrote to memory of 2724	1888	mscorsvw.exe	61
PID 1888 wrote to memory of 2724	1888	mscorsvw.exe	61
PID 1888 wrote to memory of 2816	1888	mscorsvw.exe	62
PID 1888 wrote to memory of 2816	1888	mscorsvw.exe	62
PID 1888 wrote to memory of 2816	1888	mscorsvw.exe	62
PID 1888 wrote to memory of 2816	1888	mscorsvw.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
"C:\Users\Admin\AppData\Local\Temp\72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1076

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1112

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 25c -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1e4 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 268 -NGENProcess 1ec -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1dc -NGENProcess 1e4 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 250 -NGENProcess 26c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 264 -NGENProcess 1e4 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 270 -NGENProcess 1dc -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 26c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 1e4 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 278 -NGENProcess 274 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 274 -NGENProcess 280 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 264 -NGENProcess 288 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 248 -NGENProcess 28c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 248 -NGENProcess 1ec -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 270 -NGENProcess 1e4 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 27c -NGENProcess 1ec -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 298 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 1e4 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 1ec -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 26c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 26c -NGENProcess 298 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 29c -NGENProcess 2b0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 220 -NGENProcess 218 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 2c8 -NGENProcess 1d4 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2cc -NGENProcess 2b8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 218 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 2d0 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 218 -NGENProcess 2d0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 2e0 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2d8 -NGENProcess 2d4 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 2d4 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d4 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e0 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2e8 -NGENProcess 2f8 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 308 -NGENProcess 2f0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2f0 -NGENProcess 300 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 310 -NGENProcess 2f8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2f8 -NGENProcess 308 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 318 -NGENProcess 300 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 300 -NGENProcess 310 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 320 -NGENProcess 308 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 308 -NGENProcess 318 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 328 -NGENProcess 310 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 2bc -NGENProcess 324 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 334 -NGENProcess 220 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 220 -NGENProcess 318 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 340 -NGENProcess 324 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 318 -NGENProcess 324 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 34c -NGENProcess 300 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 300 -NGENProcess 344 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 354 -NGENProcess 324 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 324 -NGENProcess 34c -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 35c -NGENProcess 344 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 344 -NGENProcess 354 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 364 -NGENProcess 34c -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:1872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 360 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 354 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 34c -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 34c -NGENProcess 368 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 368 -NGENProcess 35c -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 37c -NGENProcess 374 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 378 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 35c -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 374 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 378 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 35c -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 374 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 378 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 35c -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 374 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:1208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 378 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 35c -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 374 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 378 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 35c -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 374 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 378 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3a8 -NGENProcess 35c -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3c4 -NGENProcess 374 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3b0 -NGENProcess 3b4 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3cc -NGENProcess 35c -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 374 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3b4 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 35c -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 374 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3b4 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3b4 -NGENProcess 3e0 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3e8 -NGENProcess 374 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3cc -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3e0 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 374 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3cc -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3e0 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 404 -NGENProcess 374 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 408 -NGENProcess 3cc -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 3cc -NGENProcess 3fc -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 410 -NGENProcess 374 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 374 -NGENProcess 408 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 418 -NGENProcess 3fc -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 1dc -NGENProcess 25c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 41c -NGENProcess 374 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 410 -NGENProcess 284 -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 284 -NGENProcess 1dc -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 374 -NGENProcess 410 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 3f8 -NGENProcess 41c -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:900

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 15c -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 168 -InterruptEvent 1dc -NGENProcess 1e4 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2292

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:632

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2236

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2732

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1892

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:708

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:288

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2496

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2408

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:548

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2980

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:2404

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
PID:1692

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:2304

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:592

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:948

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2056

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.4MB

MD5
bb705b15b68c5c229b7566b0145a121e

SHA1
9b87214e6d91d1c2cf770f834c45e35427b866d0

SHA256
2e323298f535eca93253a79d80009e678c9d295bd063d023547f326eea27097f

SHA512
376362dd7a75951f55c9b8ae6bd321a084c8e810dbac85cae77688ad8ba47665e52ecc0368063c699359d71c51a437a9235187d8c47cdb78e9553c21695b16ef

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
b5c0d96eceb415bf67cacbbbc26942ad

SHA1
620184f7e402472b55f8b15fb5a041038ca90c68

SHA256
7df35c2e8284257f5137b1f5da9026088f299950231ba1663a65c25128510b18

SHA512
0d0d210abbd6635c7beb2dafe6e042a12c5d4bf431f4f32cb4fca909e7f084936180a053aaf28e8326049a6a3670d8a0fc4e4ec3e23ae66e8d3e753c9a499a5a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
0abbb794e9f22e039b59ab56c735a9cf

SHA1
347be2ff305160c8f1b0aa13c8f89c00bab45813

SHA256
b40e4ac89c7059a425f0a3a34a0b9d8475923d0943f920a960b266692e404a59

SHA512
ad7b9fd79a2a4e3fc1011e8c02a46ae2a4f2006636d8e1680f7b8f9a347ebfb26fcf26cb4aeb59d8d9c69d412516b1767597b3535cc52722b9dada16237136ce

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.7MB

MD5
247f15b494d098df4410013cc39ed347

SHA1
e7ecd8db57f754058e8251d8b139779786d370c3

SHA256
a0e43dece8db4462040c8da6acfdfea82bd86b23363bf819db36f71df776223a

SHA512
0ffd1717c1a88062e6f40d4e90724a128cdb3c95864d4743bbadef78a5b9b590e86c63f2548207cf6c3b4cc575893cfc9f2328cbe27adfa7b5525d5eb702f7c2

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
664699605807b6c15596d74ecf2e54e3

SHA1
5fc38e2da27c4df80f6099238b7bb7c4aba19366

SHA256
c7e870bfdd4d8941dc01b4544c0cfb1e1df6ee3003c500a53afd441306a45fd2

SHA512
34918fb7b4e1f9ed6870fbd7e74e985d794b0d9072721e99d405174580ab0552588115db867b1e5c36076c7c41aec8dedbca5933a7f74fc4ba9da954dbb81a8d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
aa6bb3266c3265372f575237aefb44bd

SHA1
9422a1eef0cbad8835d5299ca24ecdc9d2e675df

SHA256
2ed037f949ed83cf2887cc818a5378faf3f83d71d55b62d0e72f11c53bce1c25

SHA512
32570500d40e8554af9a75ffaf9711eb088f0d298f3e61961b9ffe1141036cabb89c6d4d5f2925017f2094071cb09df10c24eb96be6437d260f3873237d31650

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
864dca51cd95613918745d1e068dbda2

SHA1
ffa56bbfdce8820158b4423b7b139a085ef37a23

SHA256
cdfba1edcc930bfbaa2d8bfb57d65d4750e0352dd53abadd681cc1efa0664382

SHA512
510d5862c6b71b5e70650d920a7fc4e82fc50dbdd3e5d8e29d2086a3d691710a6798c5c00d5463c8a2bc76d0e77d03de3d0279f8a2c1b9f20cc59255b9b27184

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
7fc97c3178f69091189e537f6527aa8f

SHA1
2f0c17f5ad7a81b670ae0572f31d3bcbd655aae9

SHA256
d74ec8c6f665a2218bbff6f696b14c224d8e4e94d96122653d1bd997e3b1fb0c

SHA512
f909fbeebcab1ddc7c6861be40f54edef0872e14b7bfba4cf28974f7f886674f72bbc773257d44531bb7ba156c170a7392bad19628c11594a0f52aab1f194a8b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e6c48a0a613381b1bbfa5cbe8f648597

SHA1
9e7ecdabed045792e5b00c0b33217140d948da93

SHA256
25347b8d607e9898e343764d683dd45ef2e4dfcaef8f65f3e5fc01521026c199

SHA512
c3f9ae36cef9e0796517aee305da9dd6271600492364a247913ffcf60e8c9add5da6ce73abbf133742ac5bb20f227d4de69763f3636994d1c08aa0bd814b49e1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d69c768024f46eb07aa53fe6aacdd7a8

SHA1
a7b972a0fe1fc993b87b81b9fc3f25a6f934ceae

SHA256
eb9e8b06c0f4e37ca5b311c93d62a10295aeffe1a4056b59aa96da18d57e8d9d

SHA512
240808b788b69bc0750296af5098e3380a9dd5cd247b2817661235ff1b49bac47dbe4515c4d67f3fbae3cb46624cda3bd46628ab72ca2e79b8745ba87b26d5a6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
5333f83af4ca1bee611cbb7e82e11e9b

SHA1
9f5942f9192cffcd4fd809e9f77e1a7b9050de57

SHA256
0ecd908e2ff5ecddcce3ff6497c3e450d8a8a9a322947984c26a6c11480e9678

SHA512
78096507c6ba42bbeb893e0d1869dc8a885b5042068b77d1938229502847d95d9b1dbf5efeb0c2bb7effd3a52ac19cab19ef1ea32c29bdc1e6e11f0e65fb804f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
9c7e2c76feecc5687f3e1afc379c431b

SHA1
b694d123063cf830d00edeca738c2e73352033e5

SHA256
ca5307c3121eb8e91c745ca09e78246fa844ab132dbfae52f6649cf6f6993a69

SHA512
e25292b18a56768622f4ebd4d26bd9fdc20483a64fb5621876cb0ebb5c090e09bd6d7c36eb52f900d33bbdee1849c4c91ad04bb07bf4a37363426afbb502b508

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
35a33569e85d2e2457d1a44b246bfb8b

SHA1
66155220656adea57aa3dbf81573ffbbbe8e5647

SHA256
4c679cb8aea62cacac396fff50be66419f0489dab54bb8cffbb302f61941f80f

SHA512
76b50525b6a474812e569331d8524ed9e1f94a2c5e96e293300489ec88feb7f7f6e36351e00b8d576acc7e8ef1ff578a0fbc6cce553166c24a0bdc3e0013b0bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
7108ab7e9e7be60dc0412ba9f6e9ad68

SHA1
65c6ba81c8a2d9f1de83ad66c2732c5e64e0097f

SHA256
c9dd3285db471bdb86d077de00bc8b0b7bf6cc79a574e7484d8f01d03b77cfd8

SHA512
4d59e0be14149dcad07ac58deb3c402ce579ac9ec599dd56f33ab81ec5447b679b5107252d5df7020daf3b3961b6df6abbbaec400cf685340cd33b27e33c20c0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.4MB

MD5
9213e07e77b2279fb131932cecdfd83a

SHA1
20cab8df90b4ebe6180b2d4a5a04d6a6b0e12516

SHA256
693f4743ee65aac60ed9e81f1db6c1f24261e1d932f6611c9a2e37d3f6df0ce8

SHA512
36a140bcafb317db551e16851708968799e7a08b37bc9150e2d90689c792cfed181c79e8512e549bf52528aee3daf04d5e2d3d14cbf583d4c823fcb1c18ee61d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
8c871cf53250810a460bbd8680aed3e5

SHA1
51074fa41b5497a67008d9216b9385128adef9cc

SHA256
218a5cea5d70acfdbaeeae4edc6c0966f7845d5649a7b6f04662a0046339544b

SHA512
c8d83b8c66b267d36eed6bd29659f5b30f70fc904b10314644326676bb66daa163521668daa4e693c59c6870b5ceef96b739d7f33250750f6a69ac6fc511842c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
6d5aa52acf2204391427b4e21c642c85

SHA1
b6a02e17d3c8c50ac41ac4cee1bca555db19db7c

SHA256
c6c9deac0e4d05b96af8c05946ef76261617341582906fc5cf747d0a306f6524

SHA512
7d899a2141e3cc35aad2505d0a034dd84b0d08764d20eb88ae9f930e44b6b6812caeaf090bce7ddca33861d81b928a7fb2029919aca8f266f3d8c3638f17c22f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
275f3367edbccc7894e4e6e853e1b322

SHA1
fde38a00dd8013bd7548d9524c6f363985ed9a9f

SHA256
7b4269fb9fbb66abb27a91b496e2315e3fa045faf44d5ef1dc2c0875d74f23f8

SHA512
2a2a1eada99d2112d3efd03b3b9544c574fb6db17f88f722a811513049037b7eedd4ae0a26e4cfb43331830688e1cd36b6606ea29f1f249e890d4b5447c56251

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
81190cb78c77fdbd9c555e1cde915694

SHA1
9722a2366b37764221a70c573dee0003b87dc60a

SHA256
91368082d80125a72d4f54cf8a5e2246d2a55f0e68c255cd3c6be7907c0afec7

SHA512
7581052db18c9fcc3e10d4b04211676081612bf96c58c7cb0dc4224b2ab764f67cdf56bce19931395892ceac3cd3717443bd10436d4efde9a4df80435e2ac36a

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.3MB

MD5
ed1358d1e1bc95229090db2b143873c9

SHA1
8828098a3c1058ae558673a1cfb8de5119b92f3f

SHA256
adb75bf56bac7ed43e44d0903c77b488ed9e47d5c7c8ba8cc715b5cb4bc3560e

SHA512
62e723937e0b5eceb79b6ed16ade4c03b96ed12d2990c022cbf869eb58f73286cdc34e575d76e70705ed40159476d3ece72922d5fc440a47bfc2adf7da4c8de8

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.4MB

MD5
52e0ed6bd8942a3c912e64044eb405db

SHA1
8719de58ac807397c045f5462f83ff3cb1206d45

SHA256
ebba53f602c7583dd33833584992247ef46336113ae56508ca72cf05d6e7d6aa

SHA512
58cf2833d6a6fd0dfa1b89e97c6ecf15849f5410c85809a9db2e8312f22cc35ebdc56bd3efb5295ddf038e7d7381c9291dbe9bbc34c3dc157722e1687e073854

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\3c9881ac34484781a82b55a0b694b7af\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
efab993f6d76cb94c248d54c7f3d6b3b

SHA1
89b77093b31b1548c98150017f99580f488bf744

SHA256
19640764d4dea76b09ba1291a49d1f3e304a63c8f90a8f45147dd29712494163

SHA512
2a40c295691eb83df9e58c6c8dc2bf25e2ab330ef2d851069149eef00864f0ac8bafd568c12d893d21c23051a4203a28c82761dc551829fb7e16ada98c48b1e5

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\7d4b553e6947c5b784119b4dc14d48ad\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
5005527c4940878c01f9818a840c2808

SHA1
63b491be308243796f28f1c0f900d6ea278194e1

SHA256
49d3f5e352ca18e7a5c0c1ee9eb47383043bcca1e5042fe417e1c27c23f0fd41

SHA512
fce65c08fec69dbe1331c29a234207963aebe3cb3a0cec1dc57bfa6521abcdee2b91c2c9723e067be45d1ebc87bd2df2e9cb97d41a150d08a62b6dd1d7a41437

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ac2e1ab5cae0ba75d0a7173ad624c222\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
1eff63517430e183b5389ba579ed93e2

SHA1
5891927b05adc6db5464fb02469c113a975ebbf0

SHA256
b56eb87a81a8777ae81fe8099d7f18dd11757dff104a9609a0568ca0b4ce0856

SHA512
2861ba07bfea6dbe1e349df886a401df47e9ca2a3846d1f8a269c6a558bdc5f5e4bf30cbaa8c115af801f2e5bf722084b88290e1dd10c4cedbc49a26e8eda844

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d85396cd01f5a04b463ab255e6b898cd\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
c371684b2d716f6a5e7d101a6a0fdc0f

SHA1
948b326b7e8d3d3dc3d0e5949176eb64f1e099f0

SHA256
d343626c86c8451b36f58b3eaa352ef2d2e14d36fadc5ed2977ca0fb266a4f36

SHA512
0e6583368aa3aae1c7870fdf1abede5ef4ee5a9386f73d7e80c6e72edf63f423df5c01d5c86d1c9a5b5eb3c8e9bb9ac0915e32ce9a14b9a005c44e28f973b16f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.4MB

MD5
b5efababa5f1f030fc6902e836be6677

SHA1
754cd2ff7952099034fa3857a36651f4b7031fc6

SHA256
4c77de3b13442cd45c4a465c6a364f101d5d0877bd72e5c9b8f27560abe5d7f9

SHA512
a95851a4de0836076f805dbaf9e7b1df68afd63bc77ce210b5f2d15bdc5fcdc75dc5c44245efa72634f619dcebf81953130eef240280694fbe57e3bd67aca7bc

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
245a4776dcfb1325406f7ac2fe8c0ec8

SHA1
7c6ab7a42a8d50470097a66970da8303e61f99f9

SHA256
4f6d797e936d4ef05a99f6e63e5d731cd3e856e41e72a39fe69776c6427e3866

SHA512
bd8473b97abbac9b35d2803f361ff892c05ca9936aea260e762beb970f19d971ea4687ebfc3f5331938bfe4f042a9cb043860afc43283a701cbf497c43a7e14f

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
367b493cdee74861c246c45792b1c62f

SHA1
b0196e7664cfbe2af842d1cfe158392c87fb5d32

SHA256
6ff4cfa7530f8122af4bd90c6e98b732934168a3d5be589f92c387c04a52694a

SHA512
56919f8d3dd781b3e256ae33e8e87f36c9d101a11f27f14e65c9345841add93392da7fa3e365aa60a3988fa6a824117b442ba0fd758b5e55d94cecd2b9fbf754

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
65c3cc4ca967586a9510f57fb513ebb5

SHA1
8d2407acefc5a4c8760157f05ee93f331dda268a

SHA256
a9e3988a215a35d6225a81640b881223bfccf7450ab05458d7cd4ca9b32ecd2f

SHA512
c56a83c085dfbea28eba0a237631a7520519686b4e483f2440fa6ad59e51ca7e48f5be88448e59b251b4a3b4e4cbd18460cd11f03fe34d2c18e4590eab0202af

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
bb6dec07d40aa7caa7583bff898deb6f

SHA1
d6ab3e1ab0ae25c58894043323c1987936da4f81

SHA256
a87e728e3be676e5faa447ea7675f2065ed84ca8e69b6723487dfa5403556894

SHA512
190370eec6c639963876b7c35f97c2e7ddf2baaf9c0647b8e269e129debba477c535b0e74612ac1ba77d4257dbd504d47da13fd4d72492b486ad07d8963a71c7

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
7cd473abe65cdc7aa28e2266901af330

SHA1
71cc575f4efe9ff05e29768ff584b78a14fc9025

SHA256
8cb74725d5a11a1f8601c7774c8374b9130aebd4423503121b63cedf3d10a6f4

SHA512
6fcec65f5f9c32779882249b79854378a12438f5665357057f060ac7d3a7e542e064f632c01b8ad3bdb378297c87860b54cf9c3ed9dd620c7a85a6b863db705e

Download Submit
memory/288-292-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/288-504-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/332-562-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/332-570-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/436-908-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/548-560-0x000000002E000000-0x000000002E166000-memory.dmp

Filesize
1.4MB

Download
memory/548-312-0x000000002E000000-0x000000002E166000-memory.dmp

Filesize
1.4MB

Download
memory/632-157-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/632-808-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/632-151-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/632-150-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/632-406-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/632-173-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/632-172-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/676-864-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/676-874-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/708-190-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/708-196-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/708-189-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/708-476-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/708-802-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/760-706-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/796-600-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/796-582-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/832-141-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/832-370-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/876-877-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/876-658-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/876-639-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1008-767-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1068-371-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1068-426-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1076-94-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1076-206-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1112-98-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/1112-97-0x0000000010000000-0x0000000010150000-memory.dmp

Filesize
1.3MB

Download
memory/1112-133-0x0000000010000000-0x0000000010150000-memory.dmp

Filesize
1.3MB

Download
memory/1112-103-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/1160-669-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1492-545-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1492-526-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1540-853-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1584-422-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1584-443-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1592-751-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1600-633-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1600-472-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1600-442-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1808-149-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1808-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1808-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1808-281-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1808-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1888-824-0x0000000001330000-0x000000000133A000-memory.dmp

Filesize
40KB

Download
memory/1888-832-0x0000000001330000-0x00000000013B8000-memory.dmp

Filesize
544KB

Download
memory/1888-120-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1888-836-0x0000000001330000-0x0000000001396000-memory.dmp

Filesize
408KB

Download
memory/1888-835-0x0000000001330000-0x000000000135A000-memory.dmp

Filesize
168KB

Download
memory/1888-834-0x0000000001330000-0x0000000001338000-memory.dmp

Filesize
32KB

Download
memory/1888-833-0x0000000001330000-0x0000000001354000-memory.dmp

Filesize
144KB

Download
memory/1888-126-0x0000000000640000-0x00000000006A7000-memory.dmp

Filesize
412KB

Download
memory/1888-121-0x0000000000640000-0x00000000006A7000-memory.dmp

Filesize
412KB

Download
memory/1888-831-0x0000000001330000-0x0000000001340000-memory.dmp

Filesize
64KB

Download
memory/1888-830-0x0000000001330000-0x000000000141C000-memory.dmp

Filesize
944KB

Download
memory/1888-829-0x0000000001F50000-0x00000000020EE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-828-0x0000000001330000-0x00000000013D4000-memory.dmp

Filesize
656KB

Download
memory/1888-827-0x0000000001330000-0x00000000013BC000-memory.dmp

Filesize
560KB

Download
memory/1888-826-0x0000000001330000-0x000000000134A000-memory.dmp

Filesize
104KB

Download
memory/1888-825-0x0000000001330000-0x000000000134E000-memory.dmp

Filesize
120KB

Download
memory/1888-324-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1892-176-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1892-439-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1892-182-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1892-185-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2056-903-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2116-791-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/2160-762-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2236-162-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/2236-163-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2236-797-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/2236-169-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2236-420-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/2292-794-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/2292-786-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/2300-561-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2300-541-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2360-518-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2360-505-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2408-305-0x0000000100000000-0x0000000100146000-memory.dmp

Filesize
1.3MB

Download
memory/2496-309-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/2496-293-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/2572-740-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2652-16-0x0000000100000000-0x0000000100155000-memory.dmp

Filesize
1.3MB

Download
memory/2652-50-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2652-55-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2652-184-0x0000000100000000-0x0000000100155000-memory.dmp

Filesize
1.3MB

Download
memory/2656-113-0x0000000010000000-0x0000000010158000-memory.dmp

Filesize
1.3MB

Download
memory/2656-138-0x0000000010000000-0x0000000010158000-memory.dmp

Filesize
1.3MB

Download
memory/2700-503-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2700-478-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2724-682-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2724-670-0x0000000003C90000-0x0000000003D4A000-memory.dmp

Filesize
744KB

Download
memory/2740-597-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2740-616-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2764-721-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2816-672-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2816-695-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2820-640-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2820-630-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2820-863-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2964-710-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2980-580-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2980-325-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download