834014ee580ec086a4d12f0c13ab3a4a580e27bcde1336d5ab161e3af22dc6ed

Analysis

max time kernel
142s
max time network
157s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-06-2024 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db4ef7ff63a94a7c3e11972e25e63add.exe
Size

1.8MB
MD5

db4ef7ff63a94a7c3e11972e25e63add
SHA1

3e8504f1358a28adf2746f7f1878c5b37c555f0d
SHA256

834014ee580ec086a4d12f0c13ab3a4a580e27bcde1336d5ab161e3af22dc6ed
SHA512

c15c5b6c383f947d31e1d9239bd0419a090731ef27db386de0173075c1ed32dd4e69ca0a1db6ff559baecdbba1146ab5e413c13741d79691b8548fdef3101320
SSDEEP

49152:OE19+ApwXk1QE1RzsEQPaxHNf/i3da1YS6ozB:z93wXmoKH/iyB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2460	alg.exe
2604	aspnet_state.exe
2464	mscorsvw.exe
2988	mscorsvw.exe
1060	mscorsvw.exe
1084	mscorsvw.exe
2172	dllhost.exe
1744	ehRecvr.exe
2276	ehsched.exe
1308	elevation_service.exe
2996	IEEtwCollector.exe
2940	GROOVE.EXE
1004	maintenanceservice.exe
2292	msdtc.exe
2492	msiexec.exe
2784	OSE.EXE
2168	OSPPSVC.EXE
2040	mscorsvw.exe
628	perfhost.exe
1748	locator.exe
2268	snmptrap.exe
1000	vds.exe
1588	vssvc.exe
2632	mscorsvw.exe
2156	mscorsvw.exe
3020	wbengine.exe
1824	WmiApSrv.exe
1372	wmpnetwk.exe
1132	SearchIndexer.exe
1760	mscorsvw.exe
620	mscorsvw.exe
2392	mscorsvw.exe
1428	mscorsvw.exe
940	mscorsvw.exe
2112	mscorsvw.exe
2512	mscorsvw.exe
1868	mscorsvw.exe
2560	mscorsvw.exe
3048	mscorsvw.exe
1480	mscorsvw.exe
2196	mscorsvw.exe
3040	mscorsvw.exe
1236	mscorsvw.exe
1108	mscorsvw.exe
2736	mscorsvw.exe
1868	mscorsvw.exe
2424	mscorsvw.exe
1460	mscorsvw.exe
2004	mscorsvw.exe
1428	mscorsvw.exe
2856	mscorsvw.exe
3016	mscorsvw.exe
1808	mscorsvw.exe
620	mscorsvw.exe
1792	mscorsvw.exe
3048	mscorsvw.exe
572	mscorsvw.exe
2392	mscorsvw.exe
1796	mscorsvw.exe
920	mscorsvw.exe
908	mscorsvw.exe
1704	mscorsvw.exe
2424	mscorsvw.exe

Loads dropped DLL 51 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2492	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
760	Process not Found
3048	mscorsvw.exe
3048	mscorsvw.exe
2392	mscorsvw.exe
2392	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
1704	mscorsvw.exe
1704	mscorsvw.exe
1184	mscorsvw.exe
1184	mscorsvw.exe
1536	mscorsvw.exe
1536	mscorsvw.exe
488	mscorsvw.exe
488	mscorsvw.exe
2796	mscorsvw.exe
2796	mscorsvw.exe
2056	mscorsvw.exe
2056	mscorsvw.exe
2632	mscorsvw.exe
2632	mscorsvw.exe
1408	mscorsvw.exe
1408	mscorsvw.exe
2100	mscorsvw.exe
2100	mscorsvw.exe
2164	mscorsvw.exe
2164	mscorsvw.exe
2316	mscorsvw.exe
2316	mscorsvw.exe
1920	mscorsvw.exe
1920	mscorsvw.exe
1356	mscorsvw.exe
1356	mscorsvw.exe
3016	mscorsvw.exe
3016	mscorsvw.exe
1816	mscorsvw.exe
1816	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\System32\vds.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\locator.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\System32\alg.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\vssvc.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\wbengine.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2c6a6c8dae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\System32\msdtc.exe	db4ef7ff63a94a7c3e11972e25e63add.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	db4ef7ff63a94a7c3e11972e25e63add.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6864.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6539.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5CD0.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6E6C.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP56D7.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP59D3.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\odbcint.dll,-1312 = "Maintains ODBC data sources and drivers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mycomput.dll,-300 = "Computer Management"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetProjW.dll,-501 = "Connect to a Network Projector"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msconfig.exe,-126 = "System Configuration"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Msinfo32.exe,-130 = "Display detailed information about your computer."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mstsc.exe,-4000 = "Remote Desktop Connection"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4 = "Windows Media Player"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-101 = "Windows PowerShell ISE"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\DVD Maker\DVDMaker.exe,-61403 = "Windows DVD Maker"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001 = "iSCSI Initiator"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\OobeFldr.dll,-33056 = "Getting Started"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\pmcsnap.dll,-710 = "Manages local printers and remote print servers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\TipTsf.dll,-60 = "Enter text by using handwriting or a touch keyboard instead of a standard keyboard. You can use the writing pad or the character pad to convert your handwriting into typed text or the touch keyboard to enter characters."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\rstrui.exe,-100 = "System Restore"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10300 = "Play the classic strategy game of Checkers against online opponents. Be the first to capture all your opponent’s pieces, or leave them with no more moves, to win the game."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sdcpl.dll,-100 = "Backup and restore your files and system. Monitor latest backup status and configuration."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32822 = "Everywhere"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
748	ehRec.exe
2204	db4ef7ff63a94a7c3e11972e25e63add.exe
2204	db4ef7ff63a94a7c3e11972e25e63add.exe
2204	db4ef7ff63a94a7c3e11972e25e63add.exe
2204	db4ef7ff63a94a7c3e11972e25e63add.exe
2204	db4ef7ff63a94a7c3e11972e25e63add.exe
2204	db4ef7ff63a94a7c3e11972e25e63add.exe
2204	db4ef7ff63a94a7c3e11972e25e63add.exe
2204	db4ef7ff63a94a7c3e11972e25e63add.exe
2204	db4ef7ff63a94a7c3e11972e25e63add.exe
2204	db4ef7ff63a94a7c3e11972e25e63add.exe
2204	db4ef7ff63a94a7c3e11972e25e63add.exe
2204	db4ef7ff63a94a7c3e11972e25e63add.exe
2204	db4ef7ff63a94a7c3e11972e25e63add.exe
2204	db4ef7ff63a94a7c3e11972e25e63add.exe
2204	db4ef7ff63a94a7c3e11972e25e63add.exe
2204	db4ef7ff63a94a7c3e11972e25e63add.exe
2204	db4ef7ff63a94a7c3e11972e25e63add.exe
2204	db4ef7ff63a94a7c3e11972e25e63add.exe
2204	db4ef7ff63a94a7c3e11972e25e63add.exe
2204	db4ef7ff63a94a7c3e11972e25e63add.exe
2204	db4ef7ff63a94a7c3e11972e25e63add.exe
2204	db4ef7ff63a94a7c3e11972e25e63add.exe
2204	db4ef7ff63a94a7c3e11972e25e63add.exe
2204	db4ef7ff63a94a7c3e11972e25e63add.exe
2204	db4ef7ff63a94a7c3e11972e25e63add.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2204	db4ef7ff63a94a7c3e11972e25e63add.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2204	db4ef7ff63a94a7c3e11972e25e63add.exe
Token: SeShutdownPrivilege	1060	mscorsvw.exe
Token: SeShutdownPrivilege	1084	mscorsvw.exe
Token: 33	3012	EhTray.exe
Token: SeIncBasePriorityPrivilege	3012	EhTray.exe
Token: SeDebugPrivilege	748	ehRec.exe
Token: SeShutdownPrivilege	1060	mscorsvw.exe
Token: SeShutdownPrivilege	1060	mscorsvw.exe
Token: SeShutdownPrivilege	1060	mscorsvw.exe
Token: SeShutdownPrivilege	1084	mscorsvw.exe
Token: SeShutdownPrivilege	1084	mscorsvw.exe
Token: SeShutdownPrivilege	1084	mscorsvw.exe
Token: SeRestorePrivilege	2492	msiexec.exe
Token: SeTakeOwnershipPrivilege	2492	msiexec.exe
Token: SeSecurityPrivilege	2492	msiexec.exe
Token: 33	3012	EhTray.exe
Token: SeIncBasePriorityPrivilege	3012	EhTray.exe
Token: SeBackupPrivilege	1588	vssvc.exe
Token: SeRestorePrivilege	1588	vssvc.exe
Token: SeAuditPrivilege	1588	vssvc.exe
Token: SeBackupPrivilege	3020	wbengine.exe
Token: SeRestorePrivilege	3020	wbengine.exe
Token: SeSecurityPrivilege	3020	wbengine.exe
Token: 33	1372	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1372	wmpnetwk.exe
Token: SeManageVolumePrivilege	1132	SearchIndexer.exe
Token: 33	1132	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1132	SearchIndexer.exe
Token: SeShutdownPrivilege	1060	mscorsvw.exe
Token: SeShutdownPrivilege	1084	mscorsvw.exe
Token: SeDebugPrivilege	2204	db4ef7ff63a94a7c3e11972e25e63add.exe
Token: SeDebugPrivilege	2204	db4ef7ff63a94a7c3e11972e25e63add.exe
Token: SeDebugPrivilege	2204	db4ef7ff63a94a7c3e11972e25e63add.exe
Token: SeDebugPrivilege	2204	db4ef7ff63a94a7c3e11972e25e63add.exe
Token: SeDebugPrivilege	2204	db4ef7ff63a94a7c3e11972e25e63add.exe
Token: SeShutdownPrivilege	1060	mscorsvw.exe
Token: SeShutdownPrivilege	1084	mscorsvw.exe
Token: SeDebugPrivilege	2460	alg.exe
Token: SeShutdownPrivilege	1060	mscorsvw.exe
Token: SeShutdownPrivilege	1060	mscorsvw.exe
Token: SeShutdownPrivilege	1060	mscorsvw.exe
Token: SeShutdownPrivilege	1060	mscorsvw.exe
Token: SeShutdownPrivilege	1084	mscorsvw.exe
Token: SeShutdownPrivilege	1084	mscorsvw.exe
Token: SeShutdownPrivilege	1084	mscorsvw.exe
Token: SeShutdownPrivilege	1060	mscorsvw.exe
Token: SeShutdownPrivilege	1084	mscorsvw.exe
Token: SeShutdownPrivilege	1060	mscorsvw.exe
Token: SeShutdownPrivilege	1084	mscorsvw.exe
Token: SeShutdownPrivilege	1060	mscorsvw.exe
Token: SeShutdownPrivilege	1084	mscorsvw.exe
Token: SeShutdownPrivilege	1060	mscorsvw.exe
Token: SeShutdownPrivilege	1084	mscorsvw.exe
Token: SeShutdownPrivilege	1060	mscorsvw.exe
Token: SeShutdownPrivilege	1084	mscorsvw.exe
Token: SeShutdownPrivilege	1060	mscorsvw.exe
Token: SeShutdownPrivilege	1084	mscorsvw.exe
Token: SeShutdownPrivilege	1060	mscorsvw.exe
Token: SeShutdownPrivilege	1084	mscorsvw.exe
Token: SeShutdownPrivilege	1060	mscorsvw.exe
Token: SeShutdownPrivilege	1084	mscorsvw.exe
Token: SeShutdownPrivilege	1060	mscorsvw.exe
Token: SeShutdownPrivilege	1084	mscorsvw.exe
Token: SeShutdownPrivilege	1060	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3012	EhTray.exe
3012	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3012	EhTray.exe
3012	EhTray.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
2692	SearchProtocolHost.exe
2692	SearchProtocolHost.exe
2692	SearchProtocolHost.exe
2692	SearchProtocolHost.exe
2692	SearchProtocolHost.exe
2612	SearchProtocolHost.exe
2612	SearchProtocolHost.exe
2612	SearchProtocolHost.exe
2612	SearchProtocolHost.exe
2612	SearchProtocolHost.exe
2612	SearchProtocolHost.exe
2612	SearchProtocolHost.exe
2612	SearchProtocolHost.exe
2612	SearchProtocolHost.exe
2692	SearchProtocolHost.exe
2612	SearchProtocolHost.exe
2612	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 2040	1060	mscorsvw.exe	47
PID 1060 wrote to memory of 2040	1060	mscorsvw.exe	47
PID 1060 wrote to memory of 2040	1060	mscorsvw.exe	47
PID 1060 wrote to memory of 2040	1060	mscorsvw.exe	47
PID 1060 wrote to memory of 2632	1060	mscorsvw.exe	53
PID 1060 wrote to memory of 2632	1060	mscorsvw.exe	53
PID 1060 wrote to memory of 2632	1060	mscorsvw.exe	53
PID 1060 wrote to memory of 2632	1060	mscorsvw.exe	53
PID 1060 wrote to memory of 2156	1060	mscorsvw.exe	54
PID 1060 wrote to memory of 2156	1060	mscorsvw.exe	54
PID 1060 wrote to memory of 2156	1060	mscorsvw.exe	54
PID 1060 wrote to memory of 2156	1060	mscorsvw.exe	54
PID 1060 wrote to memory of 1760	1060	mscorsvw.exe	61
PID 1060 wrote to memory of 1760	1060	mscorsvw.exe	61
PID 1060 wrote to memory of 1760	1060	mscorsvw.exe	61
PID 1060 wrote to memory of 1760	1060	mscorsvw.exe	61
PID 1060 wrote to memory of 620	1060	mscorsvw.exe	62
PID 1060 wrote to memory of 620	1060	mscorsvw.exe	62
PID 1060 wrote to memory of 620	1060	mscorsvw.exe	62
PID 1060 wrote to memory of 620	1060	mscorsvw.exe	62
PID 1060 wrote to memory of 2392	1060	mscorsvw.exe	63
PID 1060 wrote to memory of 2392	1060	mscorsvw.exe	63
PID 1060 wrote to memory of 2392	1060	mscorsvw.exe	63
PID 1060 wrote to memory of 2392	1060	mscorsvw.exe	63
PID 1132 wrote to memory of 2692	1132	SearchIndexer.exe	64
PID 1132 wrote to memory of 2692	1132	SearchIndexer.exe	64
PID 1132 wrote to memory of 2692	1132	SearchIndexer.exe	64
PID 1132 wrote to memory of 1852	1132	SearchIndexer.exe	65
PID 1132 wrote to memory of 1852	1132	SearchIndexer.exe	65
PID 1132 wrote to memory of 1852	1132	SearchIndexer.exe	65
PID 1060 wrote to memory of 1428	1060	mscorsvw.exe	84
PID 1060 wrote to memory of 1428	1060	mscorsvw.exe	84
PID 1060 wrote to memory of 1428	1060	mscorsvw.exe	84
PID 1060 wrote to memory of 1428	1060	mscorsvw.exe	84
PID 1060 wrote to memory of 940	1060	mscorsvw.exe	67
PID 1060 wrote to memory of 940	1060	mscorsvw.exe	67
PID 1060 wrote to memory of 940	1060	mscorsvw.exe	67
PID 1060 wrote to memory of 940	1060	mscorsvw.exe	67
PID 1060 wrote to memory of 2112	1060	mscorsvw.exe	68
PID 1060 wrote to memory of 2112	1060	mscorsvw.exe	68
PID 1060 wrote to memory of 2112	1060	mscorsvw.exe	68
PID 1060 wrote to memory of 2112	1060	mscorsvw.exe	68
PID 1060 wrote to memory of 2512	1060	mscorsvw.exe	69
PID 1060 wrote to memory of 2512	1060	mscorsvw.exe	69
PID 1060 wrote to memory of 2512	1060	mscorsvw.exe	69
PID 1060 wrote to memory of 2512	1060	mscorsvw.exe	69
PID 1060 wrote to memory of 1868	1060	mscorsvw.exe	80
PID 1060 wrote to memory of 1868	1060	mscorsvw.exe	80
PID 1060 wrote to memory of 1868	1060	mscorsvw.exe	80
PID 1060 wrote to memory of 1868	1060	mscorsvw.exe	80
PID 1060 wrote to memory of 2560	1060	mscorsvw.exe	71
PID 1060 wrote to memory of 2560	1060	mscorsvw.exe	71
PID 1060 wrote to memory of 2560	1060	mscorsvw.exe	71
PID 1060 wrote to memory of 2560	1060	mscorsvw.exe	71
PID 1060 wrote to memory of 3048	1060	mscorsvw.exe	72
PID 1060 wrote to memory of 3048	1060	mscorsvw.exe	72
PID 1060 wrote to memory of 3048	1060	mscorsvw.exe	72
PID 1060 wrote to memory of 3048	1060	mscorsvw.exe	72
PID 1060 wrote to memory of 1480	1060	mscorsvw.exe	73
PID 1060 wrote to memory of 1480	1060	mscorsvw.exe	73
PID 1060 wrote to memory of 1480	1060	mscorsvw.exe	73
PID 1060 wrote to memory of 1480	1060	mscorsvw.exe	73
PID 1060 wrote to memory of 2196	1060	mscorsvw.exe	74
PID 1060 wrote to memory of 2196	1060	mscorsvw.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\db4ef7ff63a94a7c3e11972e25e63add.exe
"C:\Users\Admin\AppData\Local\Temp\db4ef7ff63a94a7c3e11972e25e63add.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2604

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2464

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 25c -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1e4 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1ec -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 26c -NGENProcess 1e4 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 250 -NGENProcess 264 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 264 -NGENProcess 240 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 264 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1e4 -NGENProcess 240 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 27c -NGENProcess 270 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1dc -NGENProcess 1ec -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1dc -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 264 -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 240 -NGENProcess 27c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 28c -NGENProcess 1dc -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 288 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 27c -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 294 -NGENProcess 290 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 290 -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 264 -NGENProcess 250 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 2a4 -NGENProcess 294 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 298 -NGENProcess 2ac -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 250 -NGENProcess 2b0 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 224 -NGENProcess 1fc -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 248 -NGENProcess 1ec -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 240 -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 260 -NGENProcess 25c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 258 -NGENProcess 1ec -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1ec -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d4 -NGENProcess 228 -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 228 -NGENProcess 258 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 2a8 -NGENProcess 1ec -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 1ec -NGENProcess 1d4 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 2b4 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 258 -NGENProcess 2a8 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 27c -NGENProcess 1d4 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1d4 -NGENProcess 2b4 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 2a4 -NGENProcess 2a8 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 27c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 290 -NGENProcess 2b4 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2b4 -NGENProcess 2a4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2b8 -NGENProcess 27c -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 27c -NGENProcess 290 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:2912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2c0 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2a4 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c8 -NGENProcess 290 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 290 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:1072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e0 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:1044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2fc -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2f0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2e8 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2e8 -NGENProcess 304 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 304 -NGENProcess 2f8 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 30c -NGENProcess 310 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 300 -NGENProcess 318 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 304 -NGENProcess 2f8 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 324 -NGENProcess 310 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 224 -NGENProcess 318 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:1868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 2e8 -NGENProcess 120 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 328 -NGENProcess 310 -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 318 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 120 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 310 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 318 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 120 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 310 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:1028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 318 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 120 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 310 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 318 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 120 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 310 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 318 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 120 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 310 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 318 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 120 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 310 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 318 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 318 -NGENProcess 374 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 37c -NGENProcess 310 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 360 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 374 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 310 -Pipe 120 -Comment "NGen Worker Process"
  2⤵
  PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 360 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 374 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:1304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 310 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 360 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 360 -NGENProcess 390 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 384 -NGENProcess 398 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2044

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2856

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:2172

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:1744

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2276

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3012

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1308

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2996

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2940

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1004

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2292

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2784

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:628

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1748

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2268

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1824

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2692
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 596 600 608 65536 604
  2⤵
  - Modifies data under HKEY_USERS
  PID:1852
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
63d044d3087ec34b15b958dad148b199

SHA1
3b9c3fb930c4cd0753146e1b3b04c0a238475491

SHA256
3f7f365939ba537deba2fe0bdf570f303bc635bff8ee99f9bb398796e0e4ee26

SHA512
13130f8522a75844009a71a06cf3e7532641457628f78a0d029a705eaccfc4695f911574f632438387be4661d30da2833dafccabc5e44883f3ba1bc9e76c8af5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
bafed8884b755c5604d98c90a536b25c

SHA1
797e0e58cdf2b726274e9b5eccc20698de42e04c

SHA256
6098f0eb21cc417341d1d3c871d4afbb46d4ea53619df55904f369ef0109c5d3

SHA512
50d89fa38b1a7c40522b43cc734b90aa5b2002964cc9cd46ef25abeebc01f92a9a20930fc97064ca587cbf8ff0aeadbb32ea8f80af15a50796fa0df2e3e98997

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
81e9ee8519a60bec61555da53902afe9

SHA1
2b662653a8c21d039c78a61db781a4a42c4fda62

SHA256
ed5aee6476ad31dea41f8d81897a9a4ec50eb2945335b92d27d7057c7e78b2a9

SHA512
1824fd87464ef98bb1bfb3f5bf8cabf52c1cb9bdb1d2f268d498507191cba67c81515071f16b18e6880b33373004f0c35f7c408bf735152f579e6f9f2feec1fb

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
892a81168e85fc65e514c35a7baee7b0

SHA1
56a8b63de60cc98a9cfa81fa0d8c9bfead7f5f8d

SHA256
091dd5e267789cbf8bd48feb408f93bd690b93e016721350545bc50aefc65308

SHA512
dd7dc72e6c66754cf9b65364b9def2d180289d3161aaf3cb297a1bfc12cdd58515e160605003dfadc7b66a05d0a456f9a7528efd55e7223f834be39a8baed99f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
93dc8502e9175c46d522c941cb5e73c0

SHA1
e7efbbe8aaa3a46ca1b301d405384ee6a8696551

SHA256
d4c39a3ecd8b05be11046f63b526ec71c5f55cee29562e9c626fd3cf40017d03

SHA512
9a25e1140293bb1c1c43f0e687db5cf6847fcf6bfe10cc76619228e5e752725c329e575a42675e51a901c4263bd1cf213be8366408a1d80c24216e11a1b90f00

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
de5aae82d0aadf82851a0bbae10acf03

SHA1
15fee24c924627c455a3b3cb379fecd72b005c86

SHA256
5d956bff188e344d36920585a371313f6ce3662d1db5fca7ee3d15343f04e92b

SHA512
28f0905a5f9441f8cde6018cc94c85b420fa810ae9a75e101be1138eda3d504d083976829273fdb051078e48ce449dbea93895d8629057b086a1316e5fe08dbc

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
2ec73c92f6cc57509b982046a6fe447d

SHA1
a9987d10d70baf2fd6cf4e0d4c4c231ec16ffa14

SHA256
e5d4fca0c3e14094aea2db3550ffd6fee32ccef16e67ac7edacfec56886a0cce

SHA512
a8d00dc8d1d441f26300be5b6cad2d218bebd9c8685613b498bdfe1799172a53155791d182d59d21ad56f31b00ad23780ab722dd8787bf00948905a7a70ff181

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
82d2951de27889df9f0c52f6e4dab19e

SHA1
f78349d93b1fae908194e4d762e0e62be78e8570

SHA256
88c8a07a80779face9e68078327cb56be4ada4e4461158f7eb04b4f061eafa15

SHA512
9776d3f9d35ec8951a93078aeb88f6d4fe388fe71f0f48c69faacb8283414109f414ef9bd6a7029ebec67b88dc8c1e5d2cdbb2febc3e893e5a111efe221e1663

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
18b60080dffd08672a7759d009b8a0a5

SHA1
6153f582c8067a6be48cad2d86a1fcd4a7226ed2

SHA256
03e1b1289ae45efa91320f1cc86bc5306b4e1d9435076378a6eae4b82c83003d

SHA512
8ea434e14b352321311684b2df63e0c459261b39bf3b407f744f9155b95d2c40ff4916f33217d6085c04fc773b0e30411d475d92ab6b04f636045e4da8c5e318

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
abb78e683a83085e1802bc9b1f2c95aa

SHA1
13056365c45e54029d97f68be2494b97e26b90c4

SHA256
841f0b686e4d0f23f21274ed4ae21d5195aaab232227752738b657bb38193014

SHA512
ed54ef66c1fd7a90e51055f93cd6861410da7571976292e7b32a18f16d1141d8e6b91ed8411c7dfe1c85ffdeabe0b6977b0446a52a81e821bd3e628b76e242dc

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
64db1e4dfd43e6d0bf39bd9e3424455a

SHA1
dc7b6a2d24735450e25ed54f50ff08f065d33640

SHA256
06a070959aa91585862ed10ea484c1cb636c8a1ba98cc3db17f1c8d5d9ffddf5

SHA512
9fbf3e89c4fc3ecd1b59e9cadc681873ccddc0b8c6803a85368fe85b1aae0428e803e1a8691569e3492fdf04b2f73b5b47da9283a4a9c4f451008e74e5911ab7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
ecfe7b60ecf8ab02d3bc468dfdbade39

SHA1
e2de2c82b28a5c958dc2d249618012ad52f9390e

SHA256
b4a6fbd61cfcf82d42238c94ef9b1b71a2f7d7222f8ff7890e8d98b6cc5cb5e8

SHA512
6526064c2af90db86df6c4b34dce7af9c37cad7d4cfc75839716442817c1d7a21431c34e9fb135f260fc7d9155d3fb935b7c16ff12868c5f38c4c8f495c6c34f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
383a5aec1015e6d7eb0b0ca0f3e4e704

SHA1
6f56feee5efb7637aadf8208602ab659c6a0a9db

SHA256
43e9fe83ca7fff411b60e1696b984cdcbd1b9e006604dcc882ecce42d7eae5d9

SHA512
3212249083f9662f7e90a23c5983cae62b2f04a8e981dff7b6e32672f5c3fc35049516b570e50104976641aa7f67a64513399e3e5f6adf8af5d24591862e429d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
06dee07bbd401c8297f19d1e404f7862

SHA1
435c946e975ad3fd58f39f0610a3e13a138f6aa5

SHA256
325ece79aa9e2dd99d4819ca1c33b69e8aa44a31187afb767c2bafe06cfb23a5

SHA512
678c32671ac4b599786411b995cf1c465c93784d6b1d680e948d25810fba78c24965f9cabbc0bc93eed425bafe4ba250705c0c43df14859a198c7130b6b6dc1d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
f7bbd44b075422940b0c8cabd20fc8ea

SHA1
0d94db7f980060e4777557cfad1231b558f6674b

SHA256
8cc7f15ccf137ffb9a78ed15d31ec7073c648755ba35fd6a7c0310a4377dd520

SHA512
ff142bd327ac807450c2548d42905f022d64dea75026eb1c88b156687ad0ec2e3091861efb45f81776c7b3f53565a581048d7529c18d3ad78c3da74994fbee51

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
d48f514376b11a7fe112fdd6ee8c4b2e

SHA1
b1511c0424e19b63df116ce33e57e2fbf104a7f3

SHA256
0b9acb3e24d3479911140d9371a8bc4258d1ac2a3700873e3afabda29a927d82

SHA512
d508c9a631d674676a80dc9dd8ce7c47084d1e65b7ad411166ada3625a6dd7dd1d82ae659c670a056896ba5fa1a912f857aeebcc967b78515a889f69eacfcb76

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
6468a7fe4d8ddab62ef944c9d83f5929

SHA1
5c45fe0112ebe3f53f79188a8f6cc596436ea3ef

SHA256
76f1c5f5dee252c4c0b10dc85021d1c7985766650e9198b09aba222c849db5e4

SHA512
e838fd75d1916588f5ca98c5ddeab3cbc70580ef13eb66192393c62e0eafe26ac9caf9b869a667eb10406a3bd3445a891eb0a6b767c4e0fe2ba98a25a602de1f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
358acdb14abc9fedc8c90c3aa1c19954

SHA1
a51c9ff36d90086e05937c1ff589de0b2ac0155d

SHA256
d501e4427c11df99bfed31c13bd8a69d6263b1deb70369cdbfe28b5f6a89996a

SHA512
3c05c01eb9827dd77bdf15c4bc28871ea7c91b9532d503468ced4b56219295e2008708b62916c03dd675c8105c14ebe436fed16871ff13386c44a0d70e172bc2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
553734c7958a52dee9751cd850ba7ee3

SHA1
f1fbecf2a7562f640a707ccb198d140bd8d52e6a

SHA256
d9c744c6c62add30f60e8dc3a8172e66c0ab2437fe304cb24b2ec1912f061ea8

SHA512
2dbf7861f5af7af0ed0f3f74a5e6f1d73eb2cc3797269ffcec5655e9e921544b814cc509dab5c428fbf6cb0dde61913bbc22942e52e6dde0d1c5cf764aafccb7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\1b0c562ff7bfcc1a7ae0158f627ca4b7\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
93ebb98fddf98ed08fa4f6e8ea9f0da1

SHA1
7bd5890abf8796ce4b56ce37b9b9d4e6483e140a

SHA256
9cd224e30fc976700eb48068d149f30d53d1efb2072579735d5fb260aaacdeea

SHA512
d03185a77be7053481d27f787dd8a3ea87f1d4823dae7f8e7255d9b76a3d406cb2fd4de272d094a6b7f849f21a2965509a76f04261d0c864ec175313c407fb0f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\32815e886fd5deea0b836405a3c6d7db\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
7dcd466f7481561f13f1aff50aa2868c

SHA1
84c5bd390c2bcbd403968cfc4c654cd2870f3a82

SHA256
196744685bec634db0013470efec057a8b7eb2be2618179ba0c61666a2e39038

SHA512
89b52102c6b04924a08cd494d9821233f0e492d01b4b7b79f1c333a029f21b0db89f139956ae73039197465b2a422975a059e196cdbbfb88597057786587a0d1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b9d132404eaf728ed15735dded12d367\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
d4de1bebc223981091bf98c2fe12c3d4

SHA1
68798498f7f595d0b305fbb91c3b57bc69b559cb

SHA256
07cf07f9d4b80c90fee78f5f6cf9711a41e27b6c0caec4c81f624b7eb598e098

SHA512
171fc95b9455d452b257e2dcc2127d3b55c92e46fe8ea0d9cdf35058572a6b5a4be2f54de9b744d9fde9c2e31f853f69d069b3f1bcded098d3eb397317888b71

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
841edc0b24f69028501a50b412358302

SHA1
4bc61242b789da9b271978ae6265005fc4395676

SHA256
af477209c5a6fe97cd0b245fc3868f27f17df72b7cf34254f939a21f7e251f7c

SHA512
d6d97c35bc4be4a755f11060f4e27614524de24edc9406ce7acf82452b17b3f5f222306b9381f5d8f82a31f93447e2e0fe9dc48dbe58b0be96bfaa376f7b4562

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
ac0ab6032e8043ef185262cee9d88b33

SHA1
fa2ad4a2b874cf4d6942a426c902d194e0997a7f

SHA256
5a7c23d3258431d5293ea27a05650df1cef8cc9174c60049940c6671b1ff5a0a

SHA512
2db566c1dad14bee0eca178318df4a13be677bf0ec393bbdcd0d9c5edfeb0df1df7a4a0a7c37814f26bb7d955ff288f75d0050f6b6cb522de355033feb796dc5

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
9c410f3f267bd7f34bcc26c9b0164925

SHA1
477993af2e1a061eb062a932c7ad65dc6083955b

SHA256
de1c6fa311595ca89ecaee55043e796c260551e05a462bc41a55795de947da9e

SHA512
d20b6f3cc385bd226a6a51722bbd754d045ff550379c4cc437572f52414bd1c2ce1e4dc489fecba41882e953fb738ae59566597925183fabed2fcba5c25c93f1

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
54010d5c5ddaf1c2b17fc33c8c9e2189

SHA1
83233d37e49b16b2187e6e09361ffe5efba4d188

SHA256
dcf010e6919d7797749b7fa58e05ae5e0291c1c42ce18afd3b13bdc56a18d402

SHA512
637d64f66c412652d1dac8d34f61c90bcbe4c7dc94368fbc5afce54c394ae041c8d77a2d4ca87daebe1282585ce44588daf4b2cfdf1d510b87d4a831a9fa7197

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
19f3cfc597ad7741fcf96321308b1960

SHA1
9d71ca1316b223bad073ec31238c1f443c4511a8

SHA256
e9ef830ca8d23fa9e92fa68585247ef6301c7a4a7acf022e7344174b5a238d76

SHA512
eaf2b3d120de0d3e2d2b0bf80a5d9086fbc70a3465ff88d0f6fc97213c19a8af838bf3815f1c3aaea898047e470a0a32c4a642dc3715568a927b0c8daeeeefcc

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
16d2525ae90180bdbf763da35eaaf573

SHA1
627772b821bc24230287d5fbed3848a354554a8f

SHA256
00b8b89185e644274470ee9ef335719f2bc86ccf0edfdc4ce8fe3a4e0ac7fda1

SHA512
0dcdb2c119544416c0b5105f2842cf727293955bf3f532d45d5498b83d5dce392b3379f0c10019de21a3b31065420241feb729c4bfd6b960fc35e9085bf5ecb7

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
3bd34d77ec4ef2aebdca060419251fe1

SHA1
9c54441b5206febb881d120f4afb93122e5a5f89

SHA256
b78d1770e1486d496ceac5b2c0c75e46b9ff01be29dac277d75bff9cbbf61000

SHA512
cf8fbe9948064d3a98dd4f9f7fe26166f41faaf1ad5304dae3ee17c48bed3fab105b945a56c3e348f531a9f1d39713e05b7c0f0b554a6528dbddfdbb8018c68d

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
f06b95b0f1e7686d3987c6d2fcd02565

SHA1
750f6411d233be969ddbeb7ab8c13d259c2a60e8

SHA256
628a33edb872dcde1cf863b17f8468974046a7959f2745cfe7f3620fd11c6f54

SHA512
1f680b5ab2daac1415057baa9ef1a29735dbc02fefeede5e0cbea0ab3cdd7930e615b31c2299743d1f80b2d6b31cd83c6c7aca62e08ace2b29b355923a8cda0c

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
d29aacf9404d8c49462f985c93e20337

SHA1
c335bee1e6e89aee9c3ca67515eb89aa93cce7d9

SHA256
8b5053c5cc02e3426c8dd3488208bd1783b6ac5f17caa7e841fe30b97fab6e7c

SHA512
db4dceb419c635ce1010e89b062d83c247ba93b2554f6509ca4b224ef97b48d822e385ed3151a4e79bc86e1209088b4bd238db48ba3fbb0d80cc872833a14abb

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
43aa75f51c9811e1c78913f85b07610a

SHA1
db196614319ce06bd265b2ee59b5e1c609f6d778

SHA256
2ddc04ebed94cf0e051e10bc2ad8a727ace07e9259f2557cecfb4390c98ddea6

SHA512
214ac7d78d9972bee42bb1895369dba5497568f8b035e867f2a374aaa95f43f9b90e1204f24bd6a95fe96d1d7f3539c85f521293c11445c535de89a7224d8ea0

Download Submit
memory/620-436-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/620-571-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/628-402-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/628-277-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/940-656-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/940-627-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1000-322-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/1000-534-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/1004-198-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1060-73-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1060-78-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1060-72-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1060-216-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1084-94-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1084-93-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1084-100-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1084-221-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1108-829-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1108-819-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1132-403-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1132-713-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1236-821-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1236-802-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-269-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1308-152-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1372-687-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1372-390-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1428-628-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1428-607-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1480-762-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1480-758-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1588-558-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1588-333-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1744-251-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1744-125-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1748-419-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1748-290-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1760-451-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1760-418-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1824-672-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/1824-386-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/1868-702-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2040-258-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2040-346-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2112-678-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2112-647-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2156-417-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2156-352-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2168-385-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2168-254-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2172-118-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/2172-234-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2172-120-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2172-112-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/2196-786-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2196-773-0x0000000003D20000-0x0000000003DDA000-memory.dmp

Filesize
744KB

Download
memory/2204-8-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2204-1-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2204-71-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2204-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2204-6-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2268-321-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2276-772-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2276-138-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2276-257-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2292-201-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2292-325-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2392-560-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2392-618-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2460-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2460-14-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2460-111-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2460-23-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2464-47-0x0000000000540000-0x00000000005A7000-memory.dmp

Filesize
412KB

Download
memory/2464-91-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2464-39-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2464-40-0x0000000000540000-0x00000000005A7000-memory.dmp

Filesize
412KB

Download
memory/2492-217-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2492-336-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2492-231-0x00000000002C0000-0x0000000000372000-memory.dmp

Filesize
712KB

Download
memory/2492-351-0x00000000002C0000-0x0000000000372000-memory.dmp

Filesize
712KB

Download
memory/2512-673-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2512-692-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2560-739-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2560-715-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2604-36-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2604-27-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2604-28-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2604-137-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2632-342-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2632-354-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2736-832-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2784-241-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2784-364-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2940-320-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2940-182-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2988-55-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2988-54-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2988-63-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2988-104-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2996-281-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2996-164-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3020-645-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/3020-365-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/3040-803-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3040-778-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3048-750-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3048-735-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download