8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c

Analysis

max time kernel
136s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exe
Size

1.8MB
MD5

cf4b7aee14535e94b05fc79b70d8000e
SHA1

29c7fcc450eb817b0718e99ab4ad95435034aec2
SHA256

8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c
SHA512

460e0957820bfa83ba2f6c37b6a02fbadbdea85a1ee438682c05fb556bb5f20a34887656ec768d2625698871aaadd1f122b2cdf2b4bd14c7b4a8da80f3261123
SSDEEP

49152:hKJ0WR7AFPyyiSruXKpk3WFDL9zxnSuF5HXMqN6aB:hKlBAFPydSS6W6X9lnTHcm

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exedllhost.exemaintenanceservice.exeOSE.EXEOSPPSVC.EXEmscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemsdtc.exemsiexec.exeperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
464
2628	alg.exe
1016	aspnet_state.exe
2944	mscorsvw.exe
2744	mscorsvw.exe
2680	mscorsvw.exe
2324	mscorsvw.exe
1104	ehRecvr.exe
1200	ehsched.exe
1476	elevation_service.exe
292	IEEtwCollector.exe
2868	dllhost.exe
2692	maintenanceservice.exe
1300	OSE.EXE
2796	OSPPSVC.EXE
1284	mscorsvw.exe
1964	mscorsvw.exe
2892	mscorsvw.exe
2560	mscorsvw.exe
2992	mscorsvw.exe
672	mscorsvw.exe
1336	mscorsvw.exe
2156	mscorsvw.exe
2924	mscorsvw.exe
2008	mscorsvw.exe
2504	mscorsvw.exe
2500	mscorsvw.exe
732	mscorsvw.exe
2668	mscorsvw.exe
852	mscorsvw.exe
2480	mscorsvw.exe
1640	mscorsvw.exe
2248	mscorsvw.exe
2180	mscorsvw.exe
2352	mscorsvw.exe
2860	mscorsvw.exe
2696	mscorsvw.exe
936	mscorsvw.exe
1292	mscorsvw.exe
972	mscorsvw.exe
2208	msdtc.exe
1604	msiexec.exe
2572	perfhost.exe
2892	locator.exe
2276	snmptrap.exe
764	vds.exe
1408	vssvc.exe
2456	wbengine.exe
2816	WmiApSrv.exe
1096	wmpnetwk.exe
2004	SearchIndexer.exe
432	mscorsvw.exe
928	mscorsvw.exe
1188	mscorsvw.exe
1624	mscorsvw.exe
2248	mscorsvw.exe
860	mscorsvw.exe
2784	mscorsvw.exe
912	mscorsvw.exe
1040	mscorsvw.exe
1468	mscorsvw.exe
2312	mscorsvw.exe
1524	mscorsvw.exe
1076	mscorsvw.exe

Loads dropped DLL 51 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
464
464
464
464
464
464
464
464
1604	msiexec.exe
464
464
464
464
464
748
2248	mscorsvw.exe
2248	mscorsvw.exe
2784	mscorsvw.exe
2784	mscorsvw.exe
1040	mscorsvw.exe
1040	mscorsvw.exe
2312	mscorsvw.exe
2312	mscorsvw.exe
1076	mscorsvw.exe
1076	mscorsvw.exe
1464	mscorsvw.exe
1464	mscorsvw.exe
2828	mscorsvw.exe
2828	mscorsvw.exe
704	mscorsvw.exe
704	mscorsvw.exe
2220	mscorsvw.exe
2220	mscorsvw.exe
3004	mscorsvw.exe
3004	mscorsvw.exe
1368	mscorsvw.exe
1368	mscorsvw.exe
1472	mscorsvw.exe
1472	mscorsvw.exe
272	mscorsvw.exe
272	mscorsvw.exe
1684	mscorsvw.exe
1684	mscorsvw.exe
1900	mscorsvw.exe
1900	mscorsvw.exe
2616	mscorsvw.exe
2616	mscorsvw.exe
1084	mscorsvw.exe
1084	mscorsvw.exe
924	mscorsvw.exe
924	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

Processes:

alg.exeaspnet_state.exe8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exemsdtc.exeSearchProtocolHost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b589663bae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exe

Drops file in Program Files directory 64 IoCs

Processes:

8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exealg.exeaspnet_state.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Temp\GUM6DD0.tmp\goopdateres_sk.dll	8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6DD0.tmp\goopdateres_gu.dll	8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6DD0.tmp\goopdateres_sw.dll	8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6DD0.tmp\goopdateres_iw.dll	8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6DD0.tmp\goopdateres_sr.dll	8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6DD0.tmp\goopdateres_bn.dll	8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6DD0.tmp\GoogleUpdateCore.exe	8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6DD0.tmp\goopdateres_ar.dll	8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6DD0.tmp\goopdateres_pl.dll	8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6DD0.tmp\goopdateres_uk.dll	8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6DD0.tmp\goopdateres_de.dll	8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6DD0.tmp\goopdateres_tr.dll	8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	aspnet_state.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeaspnet_state.exemscorsvw.exe8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exealg.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exe

description	ioc	process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1BDA.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4837.tmp\ehiVidCtl.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2404.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D1463BAE-D20A-4652-A81A-03AB12F3E874}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

mscorsvw.exeehRec.exewmpnetwk.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeSearchProtocolHost.exeSearchFilterHost.exeehRecvr.exeSearchIndexer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000 = "Sync Center"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-202 = "Schedule computer tasks to run automatically."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080e67a61d9acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point."	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ehRec.exeaspnet_state.exe

pid process

1132 ehRec.exe
1016 aspnet_state.exe
1016 aspnet_state.exe
1016 aspnet_state.exe
1016 aspnet_state.exe
1016 aspnet_state.exe

pid	process
1132	ehRec.exe
1016	aspnet_state.exe
1016	aspnet_state.exe
1016	aspnet_state.exe
1016	aspnet_state.exe
1016	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exealg.exeaspnet_state.exemsiexec.exevssvc.exewbengine.exeSearchIndexer.exewmpnetwk.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3024	8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: 33	2168	EhTray.exe
Token: SeIncBasePriorityPrivilege	2168	EhTray.exe
Token: SeDebugPrivilege	1132	ehRec.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: 33	2168	EhTray.exe
Token: SeIncBasePriorityPrivilege	2168	EhTray.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeDebugPrivilege	2628	alg.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1016	aspnet_state.exe
Token: SeRestorePrivilege	1604	msiexec.exe
Token: SeTakeOwnershipPrivilege	1604	msiexec.exe
Token: SeSecurityPrivilege	1604	msiexec.exe
Token: SeBackupPrivilege	1408	vssvc.exe
Token: SeRestorePrivilege	1408	vssvc.exe
Token: SeAuditPrivilege	1408	vssvc.exe
Token: SeBackupPrivilege	2456	wbengine.exe
Token: SeRestorePrivilege	2456	wbengine.exe
Token: SeSecurityPrivilege	2456	wbengine.exe
Token: SeDebugPrivilege	1016	aspnet_state.exe
Token: SeManageVolumePrivilege	2004	SearchIndexer.exe
Token: 33	2004	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2004	SearchIndexer.exe
Token: 33	1096	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1096	wmpnetwk.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

2168 EhTray.exe
2168 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

2168 EhTray.exe
2168 EhTray.exe

pid	process
2168	EhTray.exe
2168	EhTray.exe

pid	process
2168	EhTray.exe
2168	EhTray.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

SearchProtocolHost.exeSearchProtocolHost.exe

pid	process
2392	SearchProtocolHost.exe
2392	SearchProtocolHost.exe
2392	SearchProtocolHost.exe
2392	SearchProtocolHost.exe
2392	SearchProtocolHost.exe
2124	SearchProtocolHost.exe
2124	SearchProtocolHost.exe
2124	SearchProtocolHost.exe
2124	SearchProtocolHost.exe
2124	SearchProtocolHost.exe
2124	SearchProtocolHost.exe
2124	SearchProtocolHost.exe
2124	SearchProtocolHost.exe
2124	SearchProtocolHost.exe
2124	SearchProtocolHost.exe
2124	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exe

description	pid	process	target process
PID 2680 wrote to memory of 1284	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 1284	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 1284	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 1284	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 1964	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 1964	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 1964	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 1964	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2892	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2892	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2892	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2892	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2560	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2560	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2560	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2560	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2992	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2992	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2992	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2992	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 672	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 672	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 672	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 672	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 1336	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 1336	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 1336	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 1336	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2156	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2156	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2156	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2156	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2924	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2924	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2924	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2924	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2008	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2008	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2008	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2008	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2504	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2504	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2504	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2504	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2500	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2500	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2500	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2500	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 732	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 732	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 732	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 732	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2668	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2668	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2668	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2668	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 852	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 852	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 852	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 852	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2480	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2480	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2480	2680	mscorsvw.exe	mscorsvw.exe
PID 2680 wrote to memory of 2480	2680	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exe
"C:\Users\Admin\AppData\Local\Temp\8ff82ae0927e754a8c895b4a884ad5e7ff967d322ddff54fc81f906d7bc8782c.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2944

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 1f0 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 240 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 264 -NGENProcess 254 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 248 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 248 -NGENProcess 1e8 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 24c -NGENProcess 270 -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 240 -NGENProcess 1e8 -Pipe 1e0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 240 -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 240 -NGENProcess 274 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 278 -NGENProcess 280 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1d8 -NGENProcess 274 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 284 -NGENProcess 240 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 280 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 274 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 240 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 298 -NGENProcess 280 -Pipe 294 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 278 -NGENProcess 268 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 29c -NGENProcess 284 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 298 -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 284 -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a8 -NGENProcess 278 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 2a0 -NGENProcess 28c -Pipe 1ec -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 25c -NGENProcess 24c -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 248 -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 23c -NGENProcess 28c -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 244 -NGENProcess 24c -Pipe 220 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 28c -NGENProcess 24c -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1c4 -NGENProcess 258 -Pipe 224 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 258 -NGENProcess 244 -Pipe 1f8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2ac -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 24c -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 288 -NGENProcess 244 -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 244 -NGENProcess 2ac -Pipe 298 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2a8 -NGENProcess 1c4 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 1c4 -NGENProcess 288 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
PID:1064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 284 -NGENProcess 2ac -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2ac -NGENProcess 2a8 -Pipe 278 -Comment "NGen Worker Process"
2⤵
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 268 -NGENProcess 288 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 288 -NGENProcess 284 -Pipe 29c -Comment "NGen Worker Process"
2⤵
PID:2312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2b0 -NGENProcess 2a8 -Pipe 1c4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2a8 -NGENProcess 268 -Pipe 280 -Comment "NGen Worker Process"
2⤵
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b8 -NGENProcess 284 -Pipe 2ac -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 284 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
2⤵
PID:2348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2c0 -NGENProcess 268 -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 268 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
2⤵
PID:1144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2c8 -NGENProcess 2b0 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b0 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
2⤵
PID:680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
PID:596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 2b0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
2⤵
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
PID:564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 304 -NGENProcess 2f4 -Pipe 300 -Comment "NGen Worker Process"
2⤵
PID:2400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2d0 -Pipe 2fc -Comment "NGen Worker Process"
2⤵
PID:2248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2e0 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2e0 -NGENProcess 304 -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 304 -NGENProcess 2f0 -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 318 -NGENProcess 310 -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
PID:2932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 314 -Pipe 308 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2f0 -Pipe 30c -Comment "NGen Worker Process"
2⤵
PID:964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 310 -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
PID:1184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 314 -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
PID:1084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2f0 -Pipe 304 -Comment "NGen Worker Process"
2⤵
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 310 -Pipe 318 -Comment "NGen Worker Process"
2⤵
PID:1040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 314 -Pipe 31c -Comment "NGen Worker Process"
2⤵
PID:860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2f0 -Pipe 320 -Comment "NGen Worker Process"
2⤵
PID:2528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 328 -Pipe 324 -Comment "NGen Worker Process"
2⤵
PID:1368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 314 -Pipe 310 -Comment "NGen Worker Process"
2⤵
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2f0 -Pipe 32c -Comment "NGen Worker Process"
2⤵
PID:3048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 328 -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 314 -Pipe 334 -Comment "NGen Worker Process"
2⤵
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 2f0 -Pipe 338 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 328 -Pipe 33c -Comment "NGen Worker Process"
2⤵
PID:928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 314 -Pipe 340 -Comment "NGen Worker Process"
2⤵
PID:3040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 2f0 -Pipe 344 -Comment "NGen Worker Process"
2⤵
PID:1188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 328 -Pipe 348 -Comment "NGen Worker Process"
2⤵
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 1e0 -Pipe 34c -Comment "NGen Worker Process"
2⤵
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 2f0 -Pipe 350 -Comment "NGen Worker Process"
2⤵
PID:1552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 328 -Pipe 354 -Comment "NGen Worker Process"
2⤵
PID:2472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 1e0 -Pipe 358 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 2f0 -Pipe 35c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:3068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 328 -Pipe 360 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 1e0 -Pipe 364 -Comment "NGen Worker Process"
2⤵
PID:2684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 1e0 -NGENProcess 37c -Pipe 380 -Comment "NGen Worker Process"
2⤵
PID:2536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 384 -NGENProcess 328 -Pipe 36c -Comment "NGen Worker Process"
2⤵
PID:956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 368 -Pipe 370 -Comment "NGen Worker Process"
2⤵
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 37c -Pipe 374 -Comment "NGen Worker Process"
2⤵
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 328 -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
PID:924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 368 -Pipe 378 -Comment "NGen Worker Process"
2⤵
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 37c -Pipe 1e0 -Comment "NGen Worker Process"
2⤵
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 328 -Pipe 384 -Comment "NGen Worker Process"
2⤵
PID:1356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 368 -Pipe 388 -Comment "NGen Worker Process"
2⤵
PID:928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 368 -NGENProcess 398 -Pipe 37c -Comment "NGen Worker Process"
2⤵
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 3a8 -NGENProcess 328 -Pipe 390 -Comment "NGen Worker Process"
2⤵
PID:1340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 328 -NGENProcess 3a0 -Pipe 3a4 -Comment "NGen Worker Process"
2⤵
PID:2876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 3b0 -NGENProcess 398 -Pipe 39c -Comment "NGen Worker Process"
2⤵
PID:2028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 398 -NGENProcess 3a8 -Pipe 3ac -Comment "NGen Worker Process"
2⤵
PID:2800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3b8 -NGENProcess 3a0 -Pipe 368 -Comment "NGen Worker Process"
2⤵
PID:1908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 3b4 -Pipe 394 -Comment "NGen Worker Process"
2⤵
PID:2200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3b4 -NGENProcess 398 -Pipe 3a8 -Comment "NGen Worker Process"
2⤵
PID:1704

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1292

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:972

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1104

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1200

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2168

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1476

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:292

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2868

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2692

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1300

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2796

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2208

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2572

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2892

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2276

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:764

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2816

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
2⤵
- Suspicious use of SetWindowsHookEx
PID:2392

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
2⤵
- Modifies data under HKEY_USERS
PID:2960

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2124

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.3MB

MD5
a5113586e64aa3c1f4522e3f07c1fb90

SHA1
3f9acba277d0f285dd48c0f9e957fcb9c05d2963

SHA256
6046c5a8abc21e5f979a771528f2f06ec820dc87238ef27f326031936014b5e2

SHA512
c39c7caa0b1a792fd31c3a06f50646b13e3fed53a5bea7dfc1febc6ab4c8fa5315a8fc12cb49fa1220919173a7854f9a4a363a1bc98fe093b35d189ce44716d1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
a31433387ad1cd6a2b06714d9b2e9f5c

SHA1
ab6c12471d0a1e90cac07deb41bd698dfdbed7af

SHA256
0f7375c1933bfbc517858376962bf374b33ff8fe4bf2568bbbd878ec7c9193a8

SHA512
24a459d923779b50bb858b87ea6640b9b72ea41410b65c967bf28ff8dc4b9b39fe008337920bdc24ff9588dadb07431b85ecc07df4ebdfd631641ad1f378db5a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
fd50c1b4a777846bae5ce6c5710484dd

SHA1
5eff3e7ccf7680219ac464b55886ed14bbbb1133

SHA256
1cc2dd6fa5cb6962fb1741e61d5df6dcb4f4e8d630f814123d5bd3cbc53ce7c2

SHA512
a13a5ce3f28df04c908e4c6b86d065f212f0e09a6e69bee46782298ae4b8da45c5361171840e01777d31d3fbbe744880757262006a2dd6edd1ed1eb11d79e31c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
6122d876a88e34f6a6822b7906686d21

SHA1
78c32cb7875f209391b528d50740f1f50ea9109f

SHA256
712d28424382a1794c11af06ea9138ef239fb2650e71ffee217edbfd6af0fc92

SHA512
776b3d149d4861549bf9a0283c678a5cb2c8e97dc66953fabfdd819c305c11ea26c55357c88910b113c7ec9a557f770dcf139340cd55d9648cba08caa0c62b91

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
96708cb41064822b44c5572b9b25017c

SHA1
7185b036f5f451660706e887222ee7a52144ba80

SHA256
9e62fe785ddc26182c2ff54cfc35973e01ac1ed224257095e376213eb921e5e9

SHA512
29d4aef165a2ec8cbea13ea00e8f1d34ce0c10f11872c7d54807f00bf8e138c888685c8ed408251a923101a1ac3a75df6f51322ae9aa1a49c4555733364b87c9

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
1.3MB

MD5
42bdf0e0ee5a611c69361cc2bbd8da02

SHA1
c2280c6a9ed627fed0c118cdcb53199a25a46229

SHA256
7368a690189aa0d7eb1f41b4b50b35235c8dd64414769fe8436747672e36d4bf

SHA512
d8bab89320ce05531a94dfd60382711b4eada205c91d7f4faa6321fa9a1844c0d9591504cb6be78df8494b7f4f929e897774bbea7a01fc1a850fd62d113eabb1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
550f7c7a9d3776f46d72e67e0ded0282

SHA1
fc198b9b00ed88d8485d9c78a0043689b061eb5b

SHA256
59babd8e775f84888ceee7c1bcb7b7e30875a006bfee8db995ae6c8c24f11f31

SHA512
737277f03c5929f6be50e72b1fe748dddd7b861dcf9bbd5d10f41e0f949792d94aa9a4d30d1dd28bf016b01aa3307fa2e8a4b8d4f11742fad71aedc2930f101e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
1.3MB

MD5
11e17d0d9a22b6374ee1d267eacebacf

SHA1
fa02adbe3e2007f4ccc918d555f6cb37716900bc

SHA256
1382a04a822996d87ddbc31d4f1b4420b1b7d557a6c81c3cea1393137dcd38a6

SHA512
70cc5a698815f602540610af050665b7ad2de6c3d85f742d760377d3e59209df9271be7f1eccf58af5f2a37d9c634e6cd4d594152415f7901dd5be8f5f269455

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
1.2MB

MD5
0f6e3f07485c6603a4998b90a24189e6

SHA1
508c97b021e700c6ce0f8c6c2ee1977a427705fb

SHA256
7c48833160658d30c0e26d5660bcdec6c2375564f4f52598f655da061dc1cc3e

SHA512
3b94d960230773e4fa36fc7072c75c803c4eaa3b5fa9f80854532c857a632a94df3a310be2aee7527b096c7a6b985a4db652809955519bea12875ef15ed5273c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
a266f66c6eb39f6aba2b867521de2d9b

SHA1
e45f77e955831294820431199a7375c29c03fc32

SHA256
a46b4fc677245c990e02f5a38ebb9300a79a51d1aec9c3885fb94cc42c3887d9

SHA512
cfcfbeb337e26b978a3b46d2985c9fafff3e7fe432842432b6f31a494ddb3bfaa901d351ef54c6e0b30a94bddd7729ca93f9ab7c4cfe83ab72c25c5b5c7c6633

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
1.3MB

MD5
c2708ff061ceebe71de2e2a2ad7e6739

SHA1
7e9bbf4c81a614e93976275b317878badba327d4

SHA256
d8b77316d644fe7b74d1162d0bc6abe0c15d21c11e13b1cf929dacce22122b91

SHA512
78c6d9d7b9a437a472ea6c26739515fd3b0f16c2149b423ccf951a1370e9bbc083ec8b449ad5a9ae8fd7a3a64002d03a202dcdde77d09ffe5743f774f5c31ad1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
7d39fc2809bab723292e5f3057e62736

SHA1
811202580953cc6d71385fd403453406c0f6adc1

SHA256
50c8e2736a49b3c76be6309d56ddf7069d989042a99266ef3e5d2b555fa3c254

SHA512
fd64979cbd284c295b60fdaa2410b4e8dd7d80872880b9f1b944be10a2f5c3a10f3d913f16c0f17d7fb78d8e3530dd0992a2511541ba05d8771a7b1d6ee19228

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
7db95dc1bd1e79cf4f544a2e9f46a2ce

SHA1
fadc782ed38caccda08c3e0eeddddf589766dfe4

SHA256
4a4aa97319b7e56391a54d38a3f0ea1b34e32b7d38052616fea3ff41077e4895

SHA512
5ddddfdac7b107feea2e0787578015670a4fe9988fc40bf1292c5dcd1e39ddfc58d12dfac6c8da44ad88b5063fb541fb6211fd2c6f1188d841a2eaaa8c0cf246

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
906d1f8cdf415abd665f9ee31aeadbb3

SHA1
52c0ccf25ea62901c2381822c6303d0a3f053d7d

SHA256
5478bbcb4c8aa21386aad4b1d53ab4f3c5dfa89daac8f17ef0783cd38e85746b

SHA512
ce68d4c3ddbe37ca910d65eed80149c76e41142e3e00da236906d0d1cedc11bc67dc9cdb6eb23aed56776aafc17c2ecd9ca045ec1adfe030ebf610eb659a9515

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll
Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\1a0aed7b73e49f48795acb5bd2d527b2\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
187KB

MD5
0e7b533c67ee36386371f714e9e1a452

SHA1
7008d3c622f8af7d87978af2d5eba4b48723eda3

SHA256
b9581749bc67e59029ff8e562511067aaee91424224624542efb9d6aa0c739a7

SHA512
fb5c9747863fe7a9ed85292d2d6efa24a54af549659653922bbefba1a38597bb02169109bc921c0300aa1295daa10250dfbd3d1ecfa39dcb3f20ae6bcee05ef3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\22e16d08a5f74537ada8098b0350953c\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
180KB

MD5
551d61afebad9871c626272392793e15

SHA1
283071681a45d41e8e84170d85d38b04b6c6e78a

SHA256
d54589f9c786188d6568fff8c04a66260ffd054e47adcadcd57bc252b289074e

SHA512
0e7f3ac19ff29ebb6e49c77dd35f9479386401f3e26ff3b940047c06e1d536324c2739c4d6c02e3ed37b5f88f4254241da1222239d5ee0aa8b97b94f13be8caf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\75107a7292a3ca19d7754548df483d09\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
83KB

MD5
a4ab985b68f056ed0edf770dcc322e81

SHA1
036cd93454832963ffbbbea1d66e4bceaa1a49f3

SHA256
bbc29409cb8514b6710ede01df6a3aa82472c586f487f2557f96568751397758

SHA512
ba4b4e474cf9e23b07dfb25a97524411d7246296f3e43d0b129f720e2a858ce02de2c12faff581b00469d3ef78f21bf83353f4e04f5f4ab1fee324a51db2d9af

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ac2e1ab5cae0ba75d0a7173ad624c222\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
143KB

MD5
1eff63517430e183b5389ba579ed93e2

SHA1
5891927b05adc6db5464fb02469c113a975ebbf0

SHA256
b56eb87a81a8777ae81fe8099d7f18dd11757dff104a9609a0568ca0b4ce0856

SHA512
2861ba07bfea6dbe1e349df886a401df47e9ca2a3846d1f8a269c6a558bdc5f5e4bf30cbaa8c115af801f2e5bf722084b88290e1dd10c4cedbc49a26e8eda844

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\system32\fxssvc.exe
Filesize
1.2MB

MD5
f8bdd0e78f63556289814bf38e27a766

SHA1
99235272b7ae58c853b2fa0250d9eb5e360c1569

SHA256
19583ab9d0c4ccc48000cfdb13b94aa7f4226ee5bcf8d30771757f61f55a41a0

SHA512
9095b7d72b16d97d6409956a9f51247790a2083f48c320cdb210831a7c061f4b708381d98cff5f06465289d0c9372247a3484ef269e58b5747e2a2f2e94988e1

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
1.2MB

MD5
01aabfb0665f39de4e96eb7f6a7de1cc

SHA1
64282d9cd9fd569370372e033f6d35a137cf0cad

SHA256
5a9bbd649ba9b4dbc387c36c1417c34739ab187a8eda9a55c77d83ae0174221c

SHA512
a223943a8f9832e4982547b58e7d88bfa1d8725f858ede14d6a61f03d8eebffa99dbc5b8da28078102d4dd86c94aefb3706d80b3f4e51f82f2f3a1dadb02253f

Download Submit
\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
1b64c5527bb0aa2178061f4e3e6d6e04

SHA1
136cf09a8387afb3a0aa5edb60fa46a15b60dec9

SHA256
007ca4cfca4af091bd84017ef904219617dfb5ba686d181d0e0278330a500a98

SHA512
fc1c9ae8cdfb42e6f5bb0a43ec949d2751256c55ed80d6ae8b2121e45a53754b8c52b2e7f06b940eb220be9fc2b3b4325177c9bde22930407c46ddb52f9d0746

Download Submit
\Windows\System32\dllhost.exe
Filesize
1.2MB

MD5
3825f999345d3ecf016645f1f47a7359

SHA1
9b50acc53c60a1a3bb66eb0f4e1a402a310cc905

SHA256
49bd812cddfd24336625762d4714fe1a85cfb1d919ac06f0eb4b336d24e398ae

SHA512
571d6d276ff8e6fc1f76eebe14f7951b2aadccb1db3a17c5079a759cfa1841fec543e2a42e26222355ca5df6fac816824a2c1466e4bb148d72ba5f0ab29e0000

Download Submit
\Windows\System32\ieetwcollector.exe
Filesize
1.3MB

MD5
391ee7e347faa110e7965a2e1ead25cf

SHA1
509392dd106f788634784f161b1b138fe81fa263

SHA256
584a51e4c3dd8ffb7cb0aaf033756bd9be62f77f371deb3b260d1b533b967a10

SHA512
0488bf51ca247df523a594ea12c74dcd32eac8a906e32d82592682332090a8184c665006e55c178d54fc408f5ebc78ff36fb31acc9cc54c57bba6214a4b94385

Download Submit
\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
25a836ba442a46f34279eb754d307942

SHA1
5b802348b26ce5ceabd6dc9a81722ea81af9ec5a

SHA256
ce1c2b3527660d678d308ccc17fe5715c247549f87ed26d50addc9a946d7b60d

SHA512
d0897dd58d97614ecf3c67c2a57cf8438e9338941f7870e0d8acdba9096cbf6c0a9c33a1e37b892847e59781cff505e99d9e20dd8d71ea58bfa1b10348f49098

Download Submit
\Windows\System32\msiexec.exe
Filesize
1.3MB

MD5
1f40c43004a8a0f40d245f077d76b906

SHA1
3c63b244bc3ac0671babdda47ebdfdbe8a352a40

SHA256
9a018c17f8181c8044542fca8a1cc8ab93a74762d9ffc6efa9ad9335ce42cab5

SHA512
36848afa32f0abc665f4d3e9d66210586ad5b85b427c92090e4432981058f5ca55ff43969c609f8303d3df614d5d3bdd8145929398b1dc0a2d89d3ff44cacfaf

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
f45ad02c5de743cc8123f559efb2a1c2

SHA1
4f641076249289dd97448924bca5c9a11f3e737d

SHA256
121d54cd6b14e96f92435aa3dacf9b16f97f2599d218c0ec307e252248903d9b

SHA512
bad9e13eb0bfe0a0dcf74e2b8f475e92104a7eac4ce52532631af3255b31d4687fe83d30a13c4288fd2eb252e441f47b93d2b874f1d44d831c31909baca2e7bd

Download Submit
\Windows\ehome\ehsched.exe
Filesize
1.3MB

MD5
04ebcb3316aa3ec2d7eae0615278f24b

SHA1
51845529fd6a1970b5e97311be2bdeb1953d402e

SHA256
7e2c36d863b0d08db8dbef12dedc0e2db278216844f9b981dd454e9490f04153

SHA512
7ee36bb4a5a7bfcc46e8c275c363b2177a2a012ba4dfce518baa737a6ccfec9377b8f6012fbe258a1215c7d746e1613152dc81f8f8b23e8ce891c65d7b20b1f1

Download Submit
memory/292-206-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/292-809-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/292-486-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/672-501-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/672-523-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/732-642-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/732-626-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/764-875-0x0000000100000000-0x0000000100253000-memory.dmp

Filesize
2.3MB

Download
memory/852-668-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/852-662-0x0000000003F40000-0x0000000003FFA000-memory.dmp

Filesize
744KB

Download
memory/936-774-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/972-798-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/972-804-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1016-95-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/1016-294-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/1016-96-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1016-104-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1104-183-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1104-164-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1104-182-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1104-813-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1104-390-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1104-158-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1104-166-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1200-180-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/1200-769-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/1200-424-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/1200-172-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1200-178-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1284-397-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1284-361-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1292-786-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1292-801-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1300-531-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/1300-318-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/1336-545-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1336-514-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1408-891-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1476-194-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1476-186-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1476-192-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1476-450-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1604-838-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/1604-840-0x0000000000720000-0x0000000000911000-memory.dmp

Filesize
1.9MB

Download
memory/1604-1020-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/1604-1021-0x0000000000720000-0x0000000000911000-memory.dmp

Filesize
1.9MB

Download
memory/1640-690-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1640-696-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1964-431-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1964-393-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2008-595-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2008-575-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2156-560-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2180-735-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2208-1014-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/2208-823-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/2248-723-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2276-873-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/2324-360-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2324-147-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2324-148-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2324-141-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2352-746-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2352-732-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2456-903-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2480-676-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2480-693-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2500-607-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2500-614-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2504-594-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2504-598-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2560-489-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2560-452-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2572-852-0x0000000001000000-0x00000000011D5000-memory.dmp

Filesize
1.8MB

Download
memory/2628-19-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2628-171-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2628-25-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2628-13-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2668-657-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2680-125-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2680-131-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/2680-345-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2680-126-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/2680-1024-0x00000000013C0000-0x00000000013CA000-memory.dmp

Filesize
40KB

Download
memory/2680-1025-0x00000000013C0000-0x00000000013DE000-memory.dmp

Filesize
120KB

Download
memory/2692-311-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2692-306-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2696-753-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2696-766-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2744-116-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2744-151-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2796-331-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2796-561-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2816-913-0x0000000100000000-0x0000000100203000-memory.dmp

Filesize
2.0MB

Download
memory/2860-758-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2868-492-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/2868-291-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/2892-456-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2892-429-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2892-861-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/2924-567-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2924-562-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2944-107-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2944-135-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2992-488-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2992-504-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/3024-157-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3024-280-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3024-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3024-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/3024-8-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/3024-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download