7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c

Analysis

max time kernel
148s
max time network
157s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/05/2024, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
Size

1.4MB
MD5

56cbb59988cbb2555fe6cd562d29c356
SHA1

483223c7c459f1c8a22f2abf1e8ef2ad29c85481
SHA256

7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c
SHA512

df9cf829d0455f71196a5c5d3ff16286900a10473e0fc622792eac0fbfb1e8428473adcb30be8105f0684c2125a84e4f13c08400d513811eb6af084d47f3e09c
SSDEEP

24576:wfGxypdAThXbqT+KzWEKS0nFz1MaoCG9:+GApdATcWEKdnFzypb9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
472	Process not Found
2516	alg.exe
2412	aspnet_state.exe
2408	mscorsvw.exe
1640	mscorsvw.exe
1568	mscorsvw.exe
2264	mscorsvw.exe
1972	dllhost.exe
1100	ehRecvr.exe
928	ehsched.exe
828	elevation_service.exe
1680	IEEtwCollector.exe
1264	GROOVE.EXE
2292	maintenanceservice.exe
1604	mscorsvw.exe
2684	msdtc.exe
2164	msiexec.exe
2840	OSE.EXE
2104	OSPPSVC.EXE
1968	perfhost.exe
1864	mscorsvw.exe
2984	locator.exe
1828	mscorsvw.exe
1256	snmptrap.exe
2224	vds.exe
2904	vssvc.exe
2928	wbengine.exe
2252	mscorsvw.exe
1868	WmiApSrv.exe
1512	mscorsvw.exe
2600	wmpnetwk.exe
2536	SearchIndexer.exe
1872	mscorsvw.exe
2772	mscorsvw.exe
956	mscorsvw.exe
1832	mscorsvw.exe
1416	mscorsvw.exe
2552	mscorsvw.exe
896	mscorsvw.exe
2592	mscorsvw.exe
2480	mscorsvw.exe
1760	mscorsvw.exe
320	mscorsvw.exe
1408	mscorsvw.exe
1512	mscorsvw.exe
2188	mscorsvw.exe
3008	mscorsvw.exe
2160	mscorsvw.exe
2932	mscorsvw.exe
1760	mscorsvw.exe
1228	mscorsvw.exe
1476	mscorsvw.exe
3004	mscorsvw.exe
2988	mscorsvw.exe
2960	mscorsvw.exe
2764	mscorsvw.exe
2876	mscorsvw.exe
2388	mscorsvw.exe
2316	mscorsvw.exe
1548	mscorsvw.exe
2372	mscorsvw.exe
300	mscorsvw.exe
1076	mscorsvw.exe
2312	mscorsvw.exe

Loads dropped DLL 51 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
2164	msiexec.exe
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
760	Process not Found
2876	mscorsvw.exe
2876	mscorsvw.exe
2316	mscorsvw.exe
2316	mscorsvw.exe
2372	mscorsvw.exe
2372	mscorsvw.exe
1076	mscorsvw.exe
1076	mscorsvw.exe
1652	mscorsvw.exe
1652	mscorsvw.exe
1764	mscorsvw.exe
1764	mscorsvw.exe
1520	mscorsvw.exe
1520	mscorsvw.exe
1660	mscorsvw.exe
1660	mscorsvw.exe
1440	mscorsvw.exe
1440	mscorsvw.exe
1532	mscorsvw.exe
1532	mscorsvw.exe
1680	mscorsvw.exe
1680	mscorsvw.exe
2276	mscorsvw.exe
2276	mscorsvw.exe
1760	mscorsvw.exe
1760	mscorsvw.exe
616	mscorsvw.exe
616	mscorsvw.exe
1316	mscorsvw.exe
1316	mscorsvw.exe
1312	mscorsvw.exe
1312	mscorsvw.exe
1476	mscorsvw.exe
1476	mscorsvw.exe
2208	mscorsvw.exe
2208	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\system32\wbengine.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\system32\msiexec.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9b3bad44ae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\System32\msdtc.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\system32\locator.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\System32\alg.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\vssvc.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{D9005A2B-BC2A-4153-8911-AE3B3F543790}\chrome_installer.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5C53.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP67E7.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8517.tmp\ehiVidCtl.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP871A.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP627B.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5283.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\msra.exe,-635 = "Invite a friend or technical support person to connect to your computer and help you, or offer to help someone else."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591 = "Windows Easy Transfer Reports"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Journal\Journal.exe,-3075 = "Create notes in your own handwriting. You can leave your notes in ink and search your handwriting or convert your notes to typed text."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\mycomput.dll,-112 = "Manages disks and provides access to other tools to manage local and remote computers."	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20 = "Windows Firewall with Advanced Security"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\pmcsnap.dll,-710 = "Manages local printers and remote print servers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10305 = "Hearts is a trick-based card game in which the goal is to get rid of cards while avoiding points. The player with the lowest number of points wins."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\ehome\ehres.dll,-116 = "Opens your home entertainment option for digital and on-demand media, including TV, movies, music and pictures."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mycomput.dll,-300 = "Computer Management"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition."	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
940	ehRec.exe
2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
Token: SeShutdownPrivilege	1568	mscorsvw.exe
Token: SeShutdownPrivilege	2264	mscorsvw.exe
Token: 33	516	EhTray.exe
Token: SeIncBasePriorityPrivilege	516	EhTray.exe
Token: SeShutdownPrivilege	1568	mscorsvw.exe
Token: SeShutdownPrivilege	1568	mscorsvw.exe
Token: SeShutdownPrivilege	1568	mscorsvw.exe
Token: SeDebugPrivilege	940	ehRec.exe
Token: SeShutdownPrivilege	2264	mscorsvw.exe
Token: SeShutdownPrivilege	2264	mscorsvw.exe
Token: SeShutdownPrivilege	2264	mscorsvw.exe
Token: SeRestorePrivilege	2164	msiexec.exe
Token: SeTakeOwnershipPrivilege	2164	msiexec.exe
Token: SeSecurityPrivilege	2164	msiexec.exe
Token: 33	516	EhTray.exe
Token: SeIncBasePriorityPrivilege	516	EhTray.exe
Token: SeBackupPrivilege	2904	vssvc.exe
Token: SeRestorePrivilege	2904	vssvc.exe
Token: SeAuditPrivilege	2904	vssvc.exe
Token: SeBackupPrivilege	2928	wbengine.exe
Token: SeRestorePrivilege	2928	wbengine.exe
Token: SeSecurityPrivilege	2928	wbengine.exe
Token: SeManageVolumePrivilege	2536	SearchIndexer.exe
Token: 33	2600	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2600	wmpnetwk.exe
Token: 33	2536	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2536	SearchIndexer.exe
Token: SeShutdownPrivilege	1568	mscorsvw.exe
Token: SeShutdownPrivilege	2264	mscorsvw.exe
Token: SeDebugPrivilege	2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
Token: SeDebugPrivilege	2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
Token: SeDebugPrivilege	2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
Token: SeDebugPrivilege	2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
Token: SeDebugPrivilege	2484	7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
Token: SeShutdownPrivilege	1568	mscorsvw.exe
Token: SeShutdownPrivilege	2264	mscorsvw.exe
Token: SeShutdownPrivilege	1568	mscorsvw.exe
Token: SeShutdownPrivilege	1568	mscorsvw.exe
Token: SeShutdownPrivilege	1568	mscorsvw.exe
Token: SeShutdownPrivilege	1568	mscorsvw.exe
Token: SeShutdownPrivilege	2264	mscorsvw.exe
Token: SeShutdownPrivilege	2264	mscorsvw.exe
Token: SeShutdownPrivilege	2264	mscorsvw.exe
Token: SeShutdownPrivilege	1568	mscorsvw.exe
Token: SeShutdownPrivilege	2264	mscorsvw.exe
Token: SeShutdownPrivilege	1568	mscorsvw.exe
Token: SeDebugPrivilege	2516	alg.exe
Token: SeShutdownPrivilege	2264	mscorsvw.exe
Token: SeShutdownPrivilege	1568	mscorsvw.exe
Token: SeShutdownPrivilege	2264	mscorsvw.exe
Token: SeShutdownPrivilege	1568	mscorsvw.exe
Token: SeShutdownPrivilege	2264	mscorsvw.exe
Token: SeShutdownPrivilege	1568	mscorsvw.exe
Token: SeShutdownPrivilege	2264	mscorsvw.exe
Token: SeShutdownPrivilege	1568	mscorsvw.exe
Token: SeShutdownPrivilege	2264	mscorsvw.exe
Token: SeShutdownPrivilege	1568	mscorsvw.exe
Token: SeShutdownPrivilege	2264	mscorsvw.exe
Token: SeShutdownPrivilege	1568	mscorsvw.exe
Token: SeShutdownPrivilege	2264	mscorsvw.exe
Token: SeShutdownPrivilege	1568	mscorsvw.exe
Token: SeShutdownPrivilege	2264	mscorsvw.exe
Token: SeShutdownPrivilege	1568	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
516	EhTray.exe
516	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
516	EhTray.exe
516	EhTray.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
940	SearchProtocolHost.exe
940	SearchProtocolHost.exe
940	SearchProtocolHost.exe
940	SearchProtocolHost.exe
940	SearchProtocolHost.exe
2024	SearchProtocolHost.exe
2024	SearchProtocolHost.exe
2024	SearchProtocolHost.exe
2024	SearchProtocolHost.exe
2024	SearchProtocolHost.exe
2024	SearchProtocolHost.exe
2024	SearchProtocolHost.exe
2024	SearchProtocolHost.exe
2024	SearchProtocolHost.exe
2024	SearchProtocolHost.exe
2024	SearchProtocolHost.exe
2024	SearchProtocolHost.exe
2024	SearchProtocolHost.exe
940	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 1604	1568	mscorsvw.exe	43
PID 1568 wrote to memory of 1604	1568	mscorsvw.exe	43
PID 1568 wrote to memory of 1604	1568	mscorsvw.exe	43
PID 1568 wrote to memory of 1604	1568	mscorsvw.exe	43
PID 1568 wrote to memory of 1864	1568	mscorsvw.exe	49
PID 1568 wrote to memory of 1864	1568	mscorsvw.exe	49
PID 1568 wrote to memory of 1864	1568	mscorsvw.exe	49
PID 1568 wrote to memory of 1864	1568	mscorsvw.exe	49
PID 1568 wrote to memory of 1828	1568	mscorsvw.exe	51
PID 1568 wrote to memory of 1828	1568	mscorsvw.exe	51
PID 1568 wrote to memory of 1828	1568	mscorsvw.exe	51
PID 1568 wrote to memory of 1828	1568	mscorsvw.exe	51
PID 1568 wrote to memory of 2252	1568	mscorsvw.exe	56
PID 1568 wrote to memory of 2252	1568	mscorsvw.exe	56
PID 1568 wrote to memory of 2252	1568	mscorsvw.exe	56
PID 1568 wrote to memory of 2252	1568	mscorsvw.exe	56
PID 1568 wrote to memory of 1512	1568	mscorsvw.exe	78
PID 1568 wrote to memory of 1512	1568	mscorsvw.exe	78
PID 1568 wrote to memory of 1512	1568	mscorsvw.exe	78
PID 1568 wrote to memory of 1512	1568	mscorsvw.exe	78
PID 2536 wrote to memory of 940	2536	SearchIndexer.exe	63
PID 2536 wrote to memory of 940	2536	SearchIndexer.exe	63
PID 2536 wrote to memory of 940	2536	SearchIndexer.exe	63
PID 2536 wrote to memory of 2380	2536	SearchIndexer.exe	64
PID 2536 wrote to memory of 2380	2536	SearchIndexer.exe	64
PID 2536 wrote to memory of 2380	2536	SearchIndexer.exe	64
PID 1568 wrote to memory of 1872	1568	mscorsvw.exe	65
PID 1568 wrote to memory of 1872	1568	mscorsvw.exe	65
PID 1568 wrote to memory of 1872	1568	mscorsvw.exe	65
PID 1568 wrote to memory of 1872	1568	mscorsvw.exe	65
PID 1568 wrote to memory of 2772	1568	mscorsvw.exe	66
PID 1568 wrote to memory of 2772	1568	mscorsvw.exe	66
PID 1568 wrote to memory of 2772	1568	mscorsvw.exe	66
PID 1568 wrote to memory of 2772	1568	mscorsvw.exe	66
PID 1568 wrote to memory of 956	1568	mscorsvw.exe	67
PID 1568 wrote to memory of 956	1568	mscorsvw.exe	67
PID 1568 wrote to memory of 956	1568	mscorsvw.exe	67
PID 1568 wrote to memory of 956	1568	mscorsvw.exe	67
PID 1568 wrote to memory of 1832	1568	mscorsvw.exe	68
PID 1568 wrote to memory of 1832	1568	mscorsvw.exe	68
PID 1568 wrote to memory of 1832	1568	mscorsvw.exe	68
PID 1568 wrote to memory of 1832	1568	mscorsvw.exe	68
PID 2536 wrote to memory of 2024	2536	SearchIndexer.exe	69
PID 2536 wrote to memory of 2024	2536	SearchIndexer.exe	69
PID 2536 wrote to memory of 2024	2536	SearchIndexer.exe	69
PID 1568 wrote to memory of 1416	1568	mscorsvw.exe	70
PID 1568 wrote to memory of 1416	1568	mscorsvw.exe	70
PID 1568 wrote to memory of 1416	1568	mscorsvw.exe	70
PID 1568 wrote to memory of 1416	1568	mscorsvw.exe	70
PID 1568 wrote to memory of 2552	1568	mscorsvw.exe	71
PID 1568 wrote to memory of 2552	1568	mscorsvw.exe	71
PID 1568 wrote to memory of 2552	1568	mscorsvw.exe	71
PID 1568 wrote to memory of 2552	1568	mscorsvw.exe	71
PID 1568 wrote to memory of 896	1568	mscorsvw.exe	72
PID 1568 wrote to memory of 896	1568	mscorsvw.exe	72
PID 1568 wrote to memory of 896	1568	mscorsvw.exe	72
PID 1568 wrote to memory of 896	1568	mscorsvw.exe	72
PID 1568 wrote to memory of 2592	1568	mscorsvw.exe	73
PID 1568 wrote to memory of 2592	1568	mscorsvw.exe	73
PID 1568 wrote to memory of 2592	1568	mscorsvw.exe	73
PID 1568 wrote to memory of 2592	1568	mscorsvw.exe	73
PID 1568 wrote to memory of 2480	1568	mscorsvw.exe	74
PID 1568 wrote to memory of 2480	1568	mscorsvw.exe	74
PID 1568 wrote to memory of 2480	1568	mscorsvw.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe
"C:\Users\Admin\AppData\Local\Temp\7bb12716aaaf974192a06cbec45df917a0965dc5870e67480eb4efaa9f00186c.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2408

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 258 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1e0 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 24c -NGENProcess 1e8 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d8 -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 26c -NGENProcess 25c -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 270 -NGENProcess 260 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1d4 -NGENProcess 244 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 26c -NGENProcess 250 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 26c -NGENProcess 1d4 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 280 -NGENProcess 250 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 1e8 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 270 -NGENProcess 250 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 288 -NGENProcess 26c -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 1e8 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 250 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 250 -NGENProcess 270 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 280 -NGENProcess 294 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 294 -NGENProcess 288 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 288 -NGENProcess 28c -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a8 -NGENProcess 27c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2a8 -NGENProcess 288 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 218 -NGENProcess 2a0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 23c -NGENProcess 298 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 248 -NGENProcess 258 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 2a0 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 21c -NGENProcess 298 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 2a0 -NGENProcess 298 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 280 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1c4 -NGENProcess 21c -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2ac -NGENProcess 298 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 298 -NGENProcess 280 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a8 -NGENProcess 21c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 21c -NGENProcess 2ac -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 294 -NGENProcess 280 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 280 -NGENProcess 2a8 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 28c -NGENProcess 2ac -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2ac -NGENProcess 294 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 1e8 -NGENProcess 2a8 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 2a8 -NGENProcess 28c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2bc -NGENProcess 294 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 294 -NGENProcess 1e8 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2c0 -NGENProcess 2ac -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2ac -NGENProcess 2bc -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2cc -NGENProcess 1e8 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 1e8 -NGENProcess 2c0 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 2d0 -NGENProcess 294 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 294 -NGENProcess 2cc -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2cc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2cc -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:1520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2e0 -NGENProcess 2f0 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:1116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2fc -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2f0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2e8 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2e8 -NGENProcess 304 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 304 -NGENProcess 2f4 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:1104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 2e0 -NGENProcess 31c -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 300 -NGENProcess 2f4 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 320 -NGENProcess 304 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 31c -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:1040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2f4 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 304 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 324 -NGENProcess 334 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:1076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 2e0 -NGENProcess 304 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 338 -NGENProcess 32c -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 334 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 304 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 32c -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 334 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:1532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 304 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 32c -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 334 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 34c -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 340 -NGENProcess 334 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 360 -NGENProcess 350 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:1588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 34c -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:3028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 364 -NGENProcess 360 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 36c -NGENProcess 34c -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:1996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 354 -NGENProcess 304 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 374 -NGENProcess 360 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 34c -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 304 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 37c -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:1204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 364 -NGENProcess 380 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 388 -NGENProcess 384 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:1532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 37c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:1764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 380 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 384 -NGENProcess 394 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 398 -NGENProcess 37c -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 380 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 394 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:1040

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1476

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1100

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:928

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:516

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:828

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1680

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1264

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2292

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2684

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2840

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2104

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1968

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2984

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1256

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1868

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:940
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:2380
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
cec54bf75dba56ba1e0f4cbfe4e756a1

SHA1
b8db0bf18c87c230a6db7328ac7834221a38dd1e

SHA256
fcc5a56658de1e2b4fff64ab2640b8ca145ba9668f94f527d242ab9fe61ed0e7

SHA512
8e2778170b875519e74df8a64c645ea19bce1cff9c27fee1883f99cf39595312f832d6dac069edd21be48f29e78c8cf28167a1d7ba317d32ed6ac1f50bd61e23

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
7f8faf67c7e59a75a64cd69ecd68dac2

SHA1
7978b779f8f160b0b45e78f675e7beb1a2fb231e

SHA256
fd66a473e00a105c646fc79299dc5d6c2b702bee75e524a1812cfcd36d5f1d49

SHA512
ce33aec01e5fdea7e6b3e06dde92aefef75315de6b7397d3d35dbdf8c19aab9c35c576a0ff94d267f65aa5ca54d3f3b31d3b44efae20e2751d38ba62fd959e71

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
673fbc2baa9b8f8c8b68bfe074b9a581

SHA1
920ea8a7033a9bf6d7dcf51074a2e19548d13c7b

SHA256
471678d5806ddace6937d6b6144a94bdb9b3d48a97aaf9801668a218a83b9792

SHA512
c19177586ba0c4f5f5d269500ccc95671690dff9cac6d86c08ab4c27bf7dbffbe9b42356bc0c9c4ae0eb27bd4b986052e49cc7e39b37437303d1465909e04228

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
cfd84418e53ca1acfc90e9ac9fa44f28

SHA1
f0a56aaa8154fdbcab1d28b533859b2586bf63f0

SHA256
bf67ebcb215ef63dda5e0cc9982916cc7dbfae8f524dc804e3186889fe22f254

SHA512
f194c68b2bf9e27496abc2c9db211444d51a9aad4064869dfb8a20930370f3c9e9f0113cb86edc9868d56d343c8cf9637b29d71924abce0afff1ae762487523c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
0df5e0e3358d99bb026dfb63b1ac2686

SHA1
87a9ec8e846f79b2d51a99323150f984d41d5990

SHA256
5e3d2c062ab821e3a38f13de15038f03383625e61666f1716fb01f25531c31b2

SHA512
e4967da7de3dd9539fbd278e43c2ba75ecfe5f62e9d12517bb3d4b817f23a163bd618b9449c6eb2eb1bd6f4af5d9af6f7397f638d5e9123c293e4ba0db2efb26

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
02d05f3c0172bb89a53b0f2cbec917eb

SHA1
541bc403428392a9d2a55f3f9620a63678c1a48a

SHA256
9f78583ce69068c616789288085a09b1d35f56b8bd9868aac1751aaa8e3b44db

SHA512
be627aa02b2a574d87b8e7fbd8f3063607005e79a38aee58a4c7e6b63397d0ee6f53800b77478dc16c8038467d723157f1ffec87705ed61ee2c15e17b28c3380

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0d059bbbe8c67db2822ade3c60785ff6

SHA1
8c34a290f0ecf94737b9f527f58c468bd0166e12

SHA256
949ffff452486ad2e8c855c2f4fa7caebb0fdca6f457510eb31dc3c7a5ac465c

SHA512
3daf49716e4cafc37953814eac09ee8f2eb78a8e0bcb7bb2a25b84dfd434e6c5342edcc34ca9a667654c071a2acad6ecdc48aa72aec779b3786924251d8c7724

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
8009594163ac8a2a00577e76b2c6d4ab

SHA1
5aeacd17a4e6280d8733da676dfa5cd61c31adf8

SHA256
28a0ff2bbd397ac14cf8c87f5798ec1b5397c533b601c141ff8b29176301a9c7

SHA512
943568c68cd4c8970e93866fd794440d94c10190c3a91c6014fe65a9142d9f89fae1cff7bbc3e30d261eb371ab8bc3831186b10b73ba69e055a074ca7a147e7c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
9d0ebb0744f9b77e38b89660de72f92e

SHA1
8629afc0a68c964012a299ff89b788da2ada126a

SHA256
bde66b1895b6e65744f76d1a5826e9bfc599dc3f67b1747d0c6b34618fd6c885

SHA512
ecaae851fcab32bcf8b12b80f5c66d466823a5fa36c8ee499f4b8cc745a41612f516b539b62fd56560d90dfdb42a71c002b2915a785f60dc16085b91d17b73f4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
fc929edb4fef5769af58f11657eca67f

SHA1
40aebd8c2125fabaf535aeb36b4f417a007d6a6d

SHA256
919532bfbe031d53bcade5d90b6dd8c4f5d201a613a20a581f2c55cbc4e916ec

SHA512
888bc6ad92805b720968e9056fcf6cc40d478f2ea387f572ea804d160122ca8a2646ed92986b7ff283703aab0c09905a2a5c67a8fe38258fa4e5276daeacf36d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
886b27dbc3dd9488814e51a9ea1163dd

SHA1
db6ba8a8283f0e4c8518359579d50968c40a4075

SHA256
af2316537024e8e605e1e4586843d56ea843cd7c045547d5d82cf5ffb552b40c

SHA512
2385784b038d460bb28194201cac3762f2fe7955ddfa4288d8a36cbb0923145deeceb35a4e7aa1ea02f0ec0598b81929c7ee6a8512e2c1e95b140e643329149f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
2ec2ed98788a66944b20f3ba987a0c1e

SHA1
3ebceaf59c08896295d97b3a16b414d51cfa51a4

SHA256
914ce0c0ea97e074f06bc2bef965f1808851b598c415257845ba0d7022949f74

SHA512
d8e0a8f9a14fb35e18dd334f5d9879ea3b0b864d6f61ae02000a68c1b2158a184994745b2eb49eccfb0a0c3216451b2c9a81205180421d7cde1afda69646e046

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
0cc7663029bbac35ef7675cfec6010a8

SHA1
492762dfe742b29487f76600541cbd66920ded67

SHA256
be84227afcf522df972af9931597b8691b5ea646e5274ac1591735bad6e93e0e

SHA512
fa0539708b991744ceae65718c03c33878587dbb66f549bba3afcc259ad0d2c78aae8f1b62b9e7a4fd1a2f1df1a4cd8a19674ddb6f65f0747d2a2d9464432662

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
38b8595a8a73c3f2634db17807f37510

SHA1
ec07655f8436b998e52f95178e55a3223119ecd2

SHA256
2c7405bb4cbdb8b5e6ccfdc7736deb287fd3886f14aa9a96c0de0262c2a7fdf8

SHA512
651bd8b3556780ba66b40e83ed818a05dbaed47c2f5ea0cb7309c57cb2444e85ae8daaf2ffe93162cb1fa6f62ddd6c257f18e4d9e19ad2aa12060a31b46e9429

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
467df823f9f146396c1cbe339f978f27

SHA1
ba22f69e5befc50019d1542e5d3b7d211e1b0d4c

SHA256
4bb7d24c01d9d980e61bd7dfab0c01e1b420b692bc3171b8db667d22b6951db5

SHA512
07aef94b694b6cef7f58dcfea53cdf72c7dc65f9dcb16a8b843248f261078894d383efb758b7f9798a36209e15dd80016581f6539d773530dc90a67f4ad168ef

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
4b952c23a9dfa84078aff5f86cd199eb

SHA1
f517f51701d7df02a7a815bd03c938b9ea2ea7af

SHA256
1310a432f5261c64f40930b207ab67b0b02674dccb667074ae4ad7946baaeb48

SHA512
3800855a6284ac7ff7b74c58a39674b8aeb3dda807bbe5f1e1e686bbe2215e6eaf13cd2bf36697399a0c289f2f65d581456992b45497a7c77c591d507310059a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
13d50127ffe26ae7e218ac00b4a0be25

SHA1
e9410f3488304d86a857dcccf818fb75af63574c

SHA256
1acc2aceba7e2edef70651d30d99d9275a4061d48c00f62767decd97601bded9

SHA512
1fbe7bdf42fddd1db4216c5410a8b7fd0c3bfb391911e6558c9aae400378efcf11c4176989c27f42f292b977aab786fb84dcba7274e8d41ec897c51903d0c344

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
750cccd473e4df38fd79e170295d3ff1

SHA1
ffdd8033deb73e3c094410dda401111917e2c102

SHA256
c6f90290e5afd90a14fc4c29543b54c8c6f96b622dcbd8442a7849f9becff69d

SHA512
a698970155e30ccb4ad0e4de45056cb6018f412ec63a6da1d998ad0c7ed14649b68556decae0fe2b698cc21107ee98876b661c5b6037a4a09222fcc0e642c4b7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\00cf0faa3d37faa0ea2d240c1ca307ef\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
75c84340d765d73eac1c743a31b6571a

SHA1
52aeef700a52b8e687316f42816eb9c0599354df

SHA256
b72a1f7da8b3c3dc95c2252319f6f3e71c81ed8bd59a5b31bd2861e14c364459

SHA512
9a9cdbc3a103e733150fae265c594dd7378ca402521387e466732f2431472a6a0e6cb4dfe02fe9f5b975a1739c685471ad2a4dddcdf6f12c4b5be469832fd5f1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\362358e657d1dfde99ff7519c1e08c18\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
67eba90f5994953c8cae7e72d5ff9cbe

SHA1
c9f8867dfcc8d01258ed3add900fdec3fe29d4e2

SHA256
6614de9cf63907d54431a11d194c799ab234538e28d0506517e73e3927ad41f5

SHA512
eedfd599a1c3a1bc199b1c6adffae56b0888aae032516b785b582fb023440341e6fe0d431abc3b06eb4445ed159837fa7402cc65dbe49b0fa7aa19f204fddc68

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\442f465f25d68e3e2faab01dae0b1123\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
cc83d5ddaa9e812c76f033d524672b7a

SHA1
2a663d09eaa61add571f226879601d430a06625b

SHA256
287279708f6a50d2d335b29d7997cf1b501c08e5381785c847054d37eee03031

SHA512
a027637cd84ca9a3f9cf1e0f1cde7f1aa988f61fc6e440d43128faeb5c35b503d90ac2d8ddf6d34d330961b8fa0568267fd1bbf512f45dcc812f7b507537ff3d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b1286062b0f35fbc6e34e3ab37127ea2\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
9181a899c037ade3a230cb78531d1410

SHA1
465e2af771b100b464134293338e0fbdb2dd509d

SHA256
192304eeb2d2c5e068a1bd96b833a9f4f0539967ebdbcfbdbe21a6a866159d05

SHA512
4278b2ec090282025456533936f466ef19fb05aabab0cdaeb1dbf4dce70d42eff7d50172aee4f50b851eb2a1f60c4e56eb1af23489fa715dc72840a78daa53d5

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
a6ab81f918a4b7be4351b482b6765c00

SHA1
70608edbbe394ff63abf67aa1c840297f1e94062

SHA256
03f0be7ce23c7b43e25b58917834b8e489bba1929e9adc0377bb6a6bc8f55987

SHA512
c624fcecc0907f20b4d7b5675544beb36214f61265067d03e6d24490554f405f67823ee6375f93a623639a37edde7c7f7847e32b2031c19a81f1a11c0a834153

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
0dff134a40271183b8b8f6e652f89fc2

SHA1
a1e07cd9defec8ae912d08cad01bab3ba664877f

SHA256
33189d3be2518d9d99465307aa85cebfd07709186f3cb3fced170667fcace96f

SHA512
feadd49b1b68187914c72d9f984710afe6b55cd72a36112132dc96222d44e67b56d28b831dbfb0d8d065f6ac8b6a228a534d6064209488a1248d214b793fdd08

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
a0bf4310e774dfca2c428b757a1ba700

SHA1
ac8bcef89bbede41f87c834c0b54b88d8f2e36dc

SHA256
38f3d3e9d6091aa85b0637ee37aa9f0c50b1f0ca5be992f4859a888b9aab386e

SHA512
fe8eb44d8761e996873fbc3f1842359715d52bd0951fa1f4af189661123b592be3fb828c4128771386eff05fd1bd5c50256aba02593afbefbcfadc375af5e63a

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
180f6fc7c6223ee8295415bca403e204

SHA1
06c21c083ba830822f3876adca39f9dafe263190

SHA256
833e15962e219467dfd9612697a69d182d6dcae34c7fc89fece16daa4029fe7d

SHA512
dc12e3c80244f4033ba4594bfb1b6c6c4d8b5f8f24c23ea749678b5e4245eca3ac5c0207411da1f1cd91636b4683fb8b080e84f362b67599cc4660399685fbf0

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
13d8a5a34e243dec86917338bf6882ef

SHA1
bb1b1f99c39dc71b3ef2ffee6c389d527b0709db

SHA256
8c93969930304cf53a2f7cf72962c34d8091e4dda91e63542923061d6a33f396

SHA512
0cff9380868b19dea784d28bc5dce90330b3ba7d2f234cbb9d969fca4909ba54da78b0fb172291891826ac20a4137e3a7b2861b87496b157664fae6a0d22378b

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
f8eb4e9317fa0d7eb77aebccde7bab9d

SHA1
3d8f07d7c77edcc108e03c50dccbe918e9079aed

SHA256
f4907971c492287598e3d16dfefc5624ad23a8f0846075da55500607c588c027

SHA512
5678b8771c528c432298dc751838bb9a70bef4121d92b1249cc5d988f080740e031dcf4431f0c8f7c5baa8ba1b7db93d252970660977f9026dfb359a4f2d05eb

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
c1f70b223772227dc717fd3914e4bfe5

SHA1
f9f9052d595164e3fb1d1f3e56cb4950e0869b5f

SHA256
26223d9851055754d44756f942c6a51c394455bf9eacb92e102c3a6e7e017551

SHA512
e6b2cafcd9d5a9e5f7bf9c44a07ad0519f26cfcb1900cb0198ad4f9e93940ae331615d81a5198d5241653a42a5d30688b46942b8758ba22cce4ec9d403ee6b89

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
da104a652eb478af7389e794e2ab36f9

SHA1
b77fea591980d94d0e4a05ab9b76ff7e36a4f89b

SHA256
ad57cadb31c4af73de9b9bbbf591a96eb3cf91fbbcd642d160eaf6bceccda36e

SHA512
a46132270742a41121f4f4b1be17b50291b872423c0326acdebd46ce831e78f2aa13e8f87dfe639f0e9768182801b74e54e9eea1659fc1210b150b202833fe22

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
fdcae2ab5fca47cc554b2974ee929d99

SHA1
895f201df8d6d0a16a1fbd191f5655f94f1517e3

SHA256
6e8b4cba3ac879a50c5f12be9de95cec1d51f218153cae74f0c00ad60e54598e

SHA512
16851e5116c67a9026cf9a7170cc31a2c09ad8b209993ec00d5d23254923e961402a37752f6042e5259a510752a01b9370ad99a9aadb1e4c81222fc72ec281a0

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
68b58b029942996551427a14f8b8e1f2

SHA1
3c3824481ba6658a632191f71509fcee034f78fb

SHA256
4535af86470d4d8d5a29dbb23157afd6f80f7ac51a995db21bb42a65ad4b9617

SHA512
5f837de0c15c424b3c06043a65f3369b885f1f45b2af389f58c815607f9eb3296ccb80585532a6ab9d037495e6cd67aa3ea09e05093c58317e82dbfa1b1c9427

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
4c9c2a83565cba788b651108552ccadd

SHA1
0d2dbcdaaa9bfd69258d05643ba20c1cf336f0ee

SHA256
c66e3699a8d4c65ca6b3e3325e5e4deb0f4e3692160ed03fcc5a3bbd5c563414

SHA512
d241bd0218b942edb0d7aff73b482404099b2af45747f9c840208cd83af2fbb613b8810a98151cc624d44ecd642a683b8b8aec8b9b856c31d3a722304569f348

Download Submit
memory/828-158-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/828-283-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/928-143-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/928-266-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/928-699-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1100-123-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1100-262-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1100-917-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1256-332-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/1256-541-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/1264-310-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1264-184-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1512-406-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/1512-547-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/1568-986-0x0000000001D70000-0x0000000001DD6000-memory.dmp

Filesize
408KB

Download
memory/1568-977-0x0000000001D70000-0x0000000001DFC000-memory.dmp

Filesize
560KB

Download
memory/1568-981-0x0000000000DD0000-0x0000000000DE0000-memory.dmp

Filesize
64KB

Download
memory/1568-211-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/1568-978-0x0000000001D70000-0x0000000001E14000-memory.dmp

Filesize
656KB

Download
memory/1568-77-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download
memory/1568-82-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download
memory/1568-976-0x0000000001D70000-0x0000000001D8A000-memory.dmp

Filesize
104KB

Download
memory/1568-982-0x0000000001D70000-0x0000000001DF8000-memory.dmp

Filesize
544KB

Download
memory/1568-974-0x0000000000DD0000-0x0000000000DDA000-memory.dmp

Filesize
40KB

Download
memory/1568-983-0x0000000001D70000-0x0000000001D94000-memory.dmp

Filesize
144KB

Download
memory/1568-975-0x0000000001D70000-0x0000000001D8E000-memory.dmp

Filesize
120KB

Download
memory/1568-980-0x0000000001D70000-0x0000000001E5C000-memory.dmp

Filesize
944KB

Download
memory/1568-979-0x0000000001FF0000-0x000000000218E000-memory.dmp

Filesize
1.6MB

Download
memory/1568-76-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/1568-984-0x0000000000DD0000-0x0000000000DD8000-memory.dmp

Filesize
32KB

Download
memory/1568-985-0x0000000001D70000-0x0000000001D9A000-memory.dmp

Filesize
168KB

Download
memory/1604-288-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/1604-203-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/1640-92-0x0000000010000000-0x00000000101F4000-memory.dmp

Filesize
2.0MB

Download
memory/1640-62-0x00000000002D0000-0x0000000000330000-memory.dmp

Filesize
384KB

Download
memory/1640-55-0x0000000010000000-0x00000000101F4000-memory.dmp

Filesize
2.0MB

Download
memory/1640-56-0x00000000002D0000-0x0000000000330000-memory.dmp

Filesize
384KB

Download
memory/1680-170-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/1680-813-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/1760-681-0x0000000001B10000-0x0000000001BCA000-memory.dmp

Filesize
744KB

Download
memory/1828-372-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/1828-311-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/1864-313-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/1864-284-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/1868-866-0x0000000100000000-0x0000000100211000-memory.dmp

Filesize
2.1MB

Download
memory/1868-395-0x0000000100000000-0x0000000100211000-memory.dmp

Filesize
2.1MB

Download
memory/1872-545-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/1872-562-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/1968-405-0x0000000001000000-0x00000000011E3000-memory.dmp

Filesize
1.9MB

Download
memory/1968-274-0x0000000001000000-0x00000000011E3000-memory.dmp

Filesize
1.9MB

Download
memory/1972-109-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/1972-118-0x0000000100000000-0x00000001001E2000-memory.dmp

Filesize
1.9MB

Download
memory/1972-116-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2104-394-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2104-263-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2164-366-0x0000000100000000-0x00000001001FF000-memory.dmp

Filesize
2.0MB

Download
memory/2164-355-0x0000000000580000-0x000000000077F000-memory.dmp

Filesize
2.0MB

Download
memory/2164-247-0x0000000000580000-0x000000000077F000-memory.dmp

Filesize
2.0MB

Download
memory/2164-236-0x0000000100000000-0x00000001001FF000-memory.dmp

Filesize
2.0MB

Download
memory/2224-344-0x0000000100000000-0x0000000100261000-memory.dmp

Filesize
2.4MB

Download
memory/2224-658-0x0000000100000000-0x0000000100261000-memory.dmp

Filesize
2.4MB

Download
memory/2252-421-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-381-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/2264-94-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/2264-102-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/2264-232-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/2264-100-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/2292-207-0x0000000140000000-0x0000000140217000-memory.dmp

Filesize
2.1MB

Download
memory/2292-202-0x0000000140000000-0x0000000140217000-memory.dmp

Filesize
2.1MB

Download
memory/2408-70-0x0000000010000000-0x00000000101EC000-memory.dmp

Filesize
1.9MB

Download
memory/2408-39-0x0000000010000000-0x00000000101EC000-memory.dmp

Filesize
1.9MB

Download
memory/2408-45-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2408-40-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2412-157-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2412-36-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2412-28-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2412-27-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2484-0-0x0000000000610000-0x0000000000677000-memory.dmp

Filesize
412KB

Download
memory/2484-75-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2484-7-0x0000000000610000-0x0000000000677000-memory.dmp

Filesize
412KB

Download
memory/2484-5-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2484-6-0x0000000000610000-0x0000000000677000-memory.dmp

Filesize
412KB

Download
memory/2516-21-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/2516-22-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2516-115-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/2516-13-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2536-878-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2536-425-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2600-876-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2600-417-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2684-212-0x0000000140000000-0x0000000140203000-memory.dmp

Filesize
2.0MB

Download
memory/2684-346-0x0000000140000000-0x0000000140203000-memory.dmp

Filesize
2.0MB

Download
memory/2840-251-0x000000002E000000-0x000000002E202000-memory.dmp

Filesize
2.0MB

Download
memory/2840-380-0x000000002E000000-0x000000002E202000-memory.dmp

Filesize
2.0MB

Download
memory/2904-356-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2904-706-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2928-817-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2928-369-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2984-424-0x0000000100000000-0x00000001001E2000-memory.dmp

Filesize
1.9MB

Download
memory/2984-299-0x0000000100000000-0x00000001001E2000-memory.dmp

Filesize
1.9MB

Download