19980442e969253d0b76acf750be3f72fd052dae8f08782b7827ef72715fd156

Analysis

max time kernel
136s
max time network
154s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19980442e969253d0b76acf750be3f72fd052dae8f08782b7827ef72715fd156.exe
Size

1.5MB
MD5

bcb276931dcfc6f47ea4c8c5fe4614c0
SHA1

a5d035668a470508e0449e87250d7c58821361f7
SHA256

19980442e969253d0b76acf750be3f72fd052dae8f08782b7827ef72715fd156
SHA512

4469adaecf80bd989d68de06453304abf52fdad1d5980b6e0d4db8e107166cea94a363349e101d11fe22d02b28a3d3d6f8234e561c010805c3cb7e74e75b08fb
SSDEEP

24576:jM8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:jMgDUYmvFur31yAipQCtXxc0H

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2576	alg.exe
2892	aspnet_state.exe
2792	mscorsvw.exe
2652	mscorsvw.exe
832	mscorsvw.exe
1016	mscorsvw.exe
2620	ehRecvr.exe
2088	ehsched.exe
1452	elevation_service.exe
2028	GROOVE.EXE
1732	maintenanceservice.exe
2376	OSE.EXE
860	mscorsvw.exe
3060	mscorsvw.exe
1104	mscorsvw.exe
544	mscorsvw.exe
2276	mscorsvw.exe
2504	mscorsvw.exe
2704	mscorsvw.exe
2956	mscorsvw.exe
1152	mscorsvw.exe
736	mscorsvw.exe
2324	mscorsvw.exe
2432	mscorsvw.exe
2436	mscorsvw.exe
2124	mscorsvw.exe
544	mscorsvw.exe
1568	mscorsvw.exe
1400	mscorsvw.exe
1488	mscorsvw.exe
2216	mscorsvw.exe
1688	mscorsvw.exe
860	mscorsvw.exe
1552	mscorsvw.exe
684	mscorsvw.exe
1808	mscorsvw.exe
1616	mscorsvw.exe
2628	IEEtwCollector.exe
1284	msdtc.exe
2728	msiexec.exe
2348	perfhost.exe
2116	locator.exe
2636	snmptrap.exe
2976	vds.exe
568	vssvc.exe
2968	wbengine.exe
908	WmiApSrv.exe
2924	wmpnetwk.exe
1592	SearchIndexer.exe
1976	mscorsvw.exe
2252	mscorsvw.exe
588	mscorsvw.exe
2104	mscorsvw.exe
280	mscorsvw.exe
1616	mscorsvw.exe
1132	mscorsvw.exe
2900	mscorsvw.exe
1672	mscorsvw.exe
1188	mscorsvw.exe
2112	mscorsvw.exe
2940	mscorsvw.exe
2864	mscorsvw.exe
2232	mscorsvw.exe

Loads dropped DLL 50 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2728	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
744	Process not Found
280	mscorsvw.exe
280	mscorsvw.exe
1132	mscorsvw.exe
1132	mscorsvw.exe
1672	mscorsvw.exe
1672	mscorsvw.exe
2112	mscorsvw.exe
2112	mscorsvw.exe
2864	mscorsvw.exe
2864	mscorsvw.exe
1100	mscorsvw.exe
1100	mscorsvw.exe
1668	mscorsvw.exe
1668	mscorsvw.exe
1460	mscorsvw.exe
1460	mscorsvw.exe
2612	mscorsvw.exe
2612	mscorsvw.exe
2332	mscorsvw.exe
2332	mscorsvw.exe
1496	mscorsvw.exe
1496	mscorsvw.exe
2188	mscorsvw.exe
2188	mscorsvw.exe
2916	mscorsvw.exe
2916	mscorsvw.exe
2104	mscorsvw.exe
2104	mscorsvw.exe
2756	mscorsvw.exe
2756	mscorsvw.exe
1468	mscorsvw.exe
1468	mscorsvw.exe
2684	mscorsvw.exe
2684	mscorsvw.exe
2512	mscorsvw.exe
2512	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	19980442e969253d0b76acf750be3f72fd052dae8f08782b7827ef72715fd156.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a86eb694d264f17b.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\alg.exe	19980442e969253d0b76acf750be3f72fd052dae8f08782b7827ef72715fd156.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEACC.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD192.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9BC.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	19980442e969253d0b76acf750be3f72fd052dae8f08782b7827ef72715fd156.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF92E.tmp\ehiVidCtl.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDFF3.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	19980442e969253d0b76acf750be3f72fd052dae8f08782b7827ef72715fd156.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7D8.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE1B8.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591 = "Windows Easy Transfer Reports"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\rstrui.exe,-100 = "System Restore"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wucltux.dll,-1 = "Windows Update"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a07a3aab68ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e03351aa68ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2272	ehRec.exe
2892	aspnet_state.exe
2892	aspnet_state.exe
2892	aspnet_state.exe
2892	aspnet_state.exe
2892	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2256	19980442e969253d0b76acf750be3f72fd052dae8f08782b7827ef72715fd156.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1016	mscorsvw.exe
Token: 33	2192	EhTray.exe
Token: SeIncBasePriorityPrivilege	2192	EhTray.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1016	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1016	mscorsvw.exe
Token: SeShutdownPrivilege	1016	mscorsvw.exe
Token: SeDebugPrivilege	2272	ehRec.exe
Token: 33	2192	EhTray.exe
Token: SeIncBasePriorityPrivilege	2192	EhTray.exe
Token: SeDebugPrivilege	2576	alg.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1016	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2892	aspnet_state.exe
Token: SeRestorePrivilege	2728	msiexec.exe
Token: SeTakeOwnershipPrivilege	2728	msiexec.exe
Token: SeSecurityPrivilege	2728	msiexec.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeBackupPrivilege	568	vssvc.exe
Token: SeRestorePrivilege	568	vssvc.exe
Token: SeAuditPrivilege	568	vssvc.exe
Token: SeBackupPrivilege	2968	wbengine.exe
Token: SeRestorePrivilege	2968	wbengine.exe
Token: SeSecurityPrivilege	2968	wbengine.exe
Token: SeShutdownPrivilege	1016	mscorsvw.exe
Token: SeManageVolumePrivilege	1592	SearchIndexer.exe
Token: SeDebugPrivilege	2892	aspnet_state.exe
Token: 33	2924	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2924	wmpnetwk.exe
Token: 33	1592	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1592	SearchIndexer.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1016	mscorsvw.exe
Token: SeShutdownPrivilege	1016	mscorsvw.exe
Token: SeShutdownPrivilege	1016	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1016	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1016	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1016	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1016	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1016	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1016	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1016	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1016	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1016	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1016	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1016	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2192	EhTray.exe
2192	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2192	EhTray.exe
2192	EhTray.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1960	SearchProtocolHost.exe
1960	SearchProtocolHost.exe
1960	SearchProtocolHost.exe
1960	SearchProtocolHost.exe
1960	SearchProtocolHost.exe
2260	SearchProtocolHost.exe
2260	SearchProtocolHost.exe
2260	SearchProtocolHost.exe
2260	SearchProtocolHost.exe
2260	SearchProtocolHost.exe
2260	SearchProtocolHost.exe
2260	SearchProtocolHost.exe
2260	SearchProtocolHost.exe
2260	SearchProtocolHost.exe
2260	SearchProtocolHost.exe
2260	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 860	832	mscorsvw.exe	43
PID 832 wrote to memory of 860	832	mscorsvw.exe	43
PID 832 wrote to memory of 860	832	mscorsvw.exe	43
PID 832 wrote to memory of 860	832	mscorsvw.exe	43
PID 832 wrote to memory of 3060	832	mscorsvw.exe	44
PID 832 wrote to memory of 3060	832	mscorsvw.exe	44
PID 832 wrote to memory of 3060	832	mscorsvw.exe	44
PID 832 wrote to memory of 3060	832	mscorsvw.exe	44
PID 832 wrote to memory of 1104	832	mscorsvw.exe	45
PID 832 wrote to memory of 1104	832	mscorsvw.exe	45
PID 832 wrote to memory of 1104	832	mscorsvw.exe	45
PID 832 wrote to memory of 1104	832	mscorsvw.exe	45
PID 832 wrote to memory of 544	832	mscorsvw.exe	57
PID 832 wrote to memory of 544	832	mscorsvw.exe	57
PID 832 wrote to memory of 544	832	mscorsvw.exe	57
PID 832 wrote to memory of 544	832	mscorsvw.exe	57
PID 832 wrote to memory of 2276	832	mscorsvw.exe	47
PID 832 wrote to memory of 2276	832	mscorsvw.exe	47
PID 832 wrote to memory of 2276	832	mscorsvw.exe	47
PID 832 wrote to memory of 2276	832	mscorsvw.exe	47
PID 832 wrote to memory of 2504	832	mscorsvw.exe	48
PID 832 wrote to memory of 2504	832	mscorsvw.exe	48
PID 832 wrote to memory of 2504	832	mscorsvw.exe	48
PID 832 wrote to memory of 2504	832	mscorsvw.exe	48
PID 832 wrote to memory of 2704	832	mscorsvw.exe	49
PID 832 wrote to memory of 2704	832	mscorsvw.exe	49
PID 832 wrote to memory of 2704	832	mscorsvw.exe	49
PID 832 wrote to memory of 2704	832	mscorsvw.exe	49
PID 832 wrote to memory of 2956	832	mscorsvw.exe	50
PID 832 wrote to memory of 2956	832	mscorsvw.exe	50
PID 832 wrote to memory of 2956	832	mscorsvw.exe	50
PID 832 wrote to memory of 2956	832	mscorsvw.exe	50
PID 832 wrote to memory of 1152	832	mscorsvw.exe	51
PID 832 wrote to memory of 1152	832	mscorsvw.exe	51
PID 832 wrote to memory of 1152	832	mscorsvw.exe	51
PID 832 wrote to memory of 1152	832	mscorsvw.exe	51
PID 832 wrote to memory of 736	832	mscorsvw.exe	52
PID 832 wrote to memory of 736	832	mscorsvw.exe	52
PID 832 wrote to memory of 736	832	mscorsvw.exe	52
PID 832 wrote to memory of 736	832	mscorsvw.exe	52
PID 832 wrote to memory of 2324	832	mscorsvw.exe	53
PID 832 wrote to memory of 2324	832	mscorsvw.exe	53
PID 832 wrote to memory of 2324	832	mscorsvw.exe	53
PID 832 wrote to memory of 2324	832	mscorsvw.exe	53
PID 832 wrote to memory of 2432	832	mscorsvw.exe	54
PID 832 wrote to memory of 2432	832	mscorsvw.exe	54
PID 832 wrote to memory of 2432	832	mscorsvw.exe	54
PID 832 wrote to memory of 2432	832	mscorsvw.exe	54
PID 832 wrote to memory of 2436	832	mscorsvw.exe	55
PID 832 wrote to memory of 2436	832	mscorsvw.exe	55
PID 832 wrote to memory of 2436	832	mscorsvw.exe	55
PID 832 wrote to memory of 2436	832	mscorsvw.exe	55
PID 832 wrote to memory of 2124	832	mscorsvw.exe	56
PID 832 wrote to memory of 2124	832	mscorsvw.exe	56
PID 832 wrote to memory of 2124	832	mscorsvw.exe	56
PID 832 wrote to memory of 2124	832	mscorsvw.exe	56
PID 832 wrote to memory of 544	832	mscorsvw.exe	57
PID 832 wrote to memory of 544	832	mscorsvw.exe	57
PID 832 wrote to memory of 544	832	mscorsvw.exe	57
PID 832 wrote to memory of 544	832	mscorsvw.exe	57
PID 832 wrote to memory of 1568	832	mscorsvw.exe	58
PID 832 wrote to memory of 1568	832	mscorsvw.exe	58
PID 832 wrote to memory of 1568	832	mscorsvw.exe	58
PID 832 wrote to memory of 1568	832	mscorsvw.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\19980442e969253d0b76acf750be3f72fd052dae8f08782b7827ef72715fd156.exe
"C:\Users\Admin\AppData\Local\Temp\19980442e969253d0b76acf750be3f72fd052dae8f08782b7827ef72715fd156.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2792

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 250 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 244 -NGENProcess 25c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 264 -NGENProcess 1d4 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 260 -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1d8 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 274 -NGENProcess 1d4 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1d4 -NGENProcess 264 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 260 -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 26c -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 240 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 250 -NGENProcess 280 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 288 -NGENProcess 260 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 240 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 250 -NGENProcess 294 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 244 -NGENProcess 240 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 298 -NGENProcess 28c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 294 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 240 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a0 -NGENProcess 29c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 244 -NGENProcess 2ac -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1f8 -NGENProcess 27c -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 1f0 -NGENProcess 288 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 23c -NGENProcess 270 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 264 -NGENProcess 27c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 278 -NGENProcess 248 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 288 -NGENProcess 1f0 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 244 -NGENProcess 248 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 248 -NGENProcess 23c -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2a8 -NGENProcess 1f0 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 1f0 -NGENProcess 244 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 250 -NGENProcess 23c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 23c -NGENProcess 2a8 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 2ac -NGENProcess 244 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 244 -NGENProcess 250 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2a0 -NGENProcess 2a8 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2ac -NGENProcess 260 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 27c -NGENProcess 2a8 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2a8 -NGENProcess 294 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:1156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b8 -NGENProcess 260 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 260 -NGENProcess 27c -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2c0 -NGENProcess 294 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 294 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2c8 -NGENProcess 27c -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 27c -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:1100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d0 -NGENProcess 2e8 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2e8 -NGENProcess 2c8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2f8 -NGENProcess 298 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e8 -NGENProcess 2c0 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2f4 -NGENProcess 2fc -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 304 -NGENProcess 298 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2c0 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2fc -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 310 -NGENProcess 30c -Pipe 120 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 30c -NGENProcess 308 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:1428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2f4 -NGENProcess 314 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2fc -NGENProcess 308 -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 308 -NGENProcess 2f8 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:1812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2c0 -NGENProcess 318 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:1132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 320 -NGENProcess 2f4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:1204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2f8 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:1468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 318 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2f4 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2f8 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:1644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 318 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2f4 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2f8 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 2f8 -NGENProcess 330 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 328 -NGENProcess 340 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 340 -NGENProcess 334 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 314 -NGENProcess 348 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 350 -NGENProcess 2f8 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:2756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 350 -NGENProcess 314 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 338 -NGENProcess 2f8 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 35c -NGENProcess 340 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 314 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 2f8 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 340 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:1368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 314 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 2f8 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 340 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 340 -NGENProcess 374 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 37c -NGENProcess 2f8 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 37c -NGENProcess 340 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 37c -NGENProcess 314 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 314 -NGENProcess 388 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 348 -NGENProcess 36c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:1156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 37c -NGENProcess 394 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:1064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 370 -NGENProcess 36c -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:1012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 390 -NGENProcess 39c -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 39c -NGENProcess 348 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 2f8 -NGENProcess 3a4 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:1644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 3a4 -NGENProcess 370 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3a4 -NGENProcess 2f8 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:1204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 2f8 -NGENProcess 3a0 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:1048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 3a0 -NGENProcess 3a8 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 3a0 -NGENProcess 2f8 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 380 -NGENProcess 3bc -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 388 -NGENProcess 2f8 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:984

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c0 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1616

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2620

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2088

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2192

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1452

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2028

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1732

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2376

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2628

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1284

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2348

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2636

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:908

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1592
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1960
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  - Modifies data under HKEY_USERS
  PID:2224
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
815e0cc40b68a8afc95dcaef4480e821

SHA1
3ef92e0badbebe3b813ee5585e67782c3c2a4a4e

SHA256
8908a4a68841ac5f5e8ec1d9b4f659ead50d1dd1ccb22329bb89f8ea13de9c57

SHA512
e221adbeba0a007fbfd9fad306170489a944a8a0b0fddd821aa91d3f3db5b0d0516ff4c324b8fcde79ef4ed82239a2426e9f017536d908a70d8880ad6b1e6f23

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
9b1e16cd6805a0d1ca107ba35c2eb8a0

SHA1
07b1e2a755ab98d9231fece78f2a8534bff684b4

SHA256
4d9740b3cf66bf7a921819b11b88d609b3a320e408e65db7766d07feb0e82c70

SHA512
40881e8aba2204505da17bd7f561588a04bf2ef0017b5944a138087166078dd6bb47abc3ae4c90cf6bc974556254b364662927c360d2082a306914de1f1e61df

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
1e9d86e9865cb7042faa704594af9964

SHA1
68874b42ff0eb59fed55141bd2f08504e50a2072

SHA256
21eebe88f6025eb35d838c93777f698cb4331438c9220aea0a8faf761d6f9c18

SHA512
2cff11b9349bd680ce7a97f3a035002f0c12634e46aefdf9b31aeefce29ea4325b155fbcba96c194ea64c04b61057a75bd147df2556e724709d67b9a36112ea7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
7e96abbdd40447a312d41c2aa29dae51

SHA1
6ab6f5f3aa3666f514183f0536e414ea2b886684

SHA256
9336e81b6802a3bf2e1ec08c3e3ba722bebe08cab474045b22ba788aa4418b31

SHA512
9971ad3a03a969df8b4d151dac8689b3d7d226342035bd1666d3624388ef46d26b641e4a5ab9baf0a71e40c73b7b0c5deb7f7bd68928274053330d44c18346e8

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
d10c27f59dfdc972c4de635687df4614

SHA1
3ebd0ac94d845bca26c36a05e3a70f75561fe3e4

SHA256
71636872ba48e12fbf90eec49168337910ef98ad0ee00cda106f2904c83f8f65

SHA512
4c649ed28619302cbad9f1a2455bd4f2970b05f59740d642c4691f073df9e195bd6fcbcda107ffe7ad7b095bcff68c1882744e86fb374c4224f804850010bf4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
aadf3ad70353b2de68697681902c5cbc

SHA1
d035578b6e4037b4def4d2970b00bd823c5e86fa

SHA256
26065ef16b90869ce2e8ba273695c96f700652dc27cf3afddf1c9f561c0b6c28

SHA512
a743cd1fd967a1ebc837f78ce8b53533fed86671a8fbac3ba4d17aba28cfc640ce902e4cbd0ce505087ae13220d0e5965eba031fbad5777876ec8807d01137a5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
4b99723b5f4d503ae6a610900b9da7c5

SHA1
bc38672fb9992f194b9c67020a425e0bd7db3d6f

SHA256
6bfc3ef61d5c1bafcfd31180289a10ec84a02616198efb0b7e69d8c30428a4ad

SHA512
0f9e74235bab7f140a1c17ae01735a1ae0fdfb2c2f8c4e6720cbbdcea617293c3182870089ee04aaf9fe479a6dea1f8b3b79157b82491928921bc097185a76aa

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
0b7f0a66a37f46f59b656595e97233ca

SHA1
406c45d734620e6169a25e1688111dde25a338c0

SHA256
e559370d254686f93fe4e5c37682ca9117b8b44b40692444f2d696cba009212e

SHA512
26b37ddbd5974a9f4d6d87acf4c5c43915941a1878789334b51d5819d6510dfecf9e010261ac0b8a0421037fed03480f06e00aa69eba50b2a59948fbec18f346

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
23638474eba3086f6c9648decb6500e6

SHA1
d7a8017ee0d77fa7d0e0940ce5fdc75e9eaf96e6

SHA256
2056210f3972e9e7eb603be772a557e9d9a400c56a630c327f06eedb884397f8

SHA512
86a3ffb87c06b208d09dbc3b8046a4e05f89bf59ea0b308efe467aea8f2523f47b31cd2fd00cd24f3015781bfd5f05df8e606d7f964a0fe9c4059af4c59a4ca8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
2d191d786fc1e8593f27cc2fb9d11932

SHA1
525c53da458d4f1bf9bc913043a9f1f40ce7ab59

SHA256
fa76d8e60fd3dbad7350f54d36159c066cc7397a0d2a7bc85bac0a8d0a09bb69

SHA512
0fa849c158297756dd2b4c257d6d3f35e4252d17866b7fa2981f74c21af338a798d803d63f2cfd469e174a3728e1fc11ec309b907612293b6bb3f68e0062218d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
081276dc19a9da4cb1c3124d7a6e498b

SHA1
24530e63f2924be20ff2f54fbf024ed63bd8368c

SHA256
3f0494325d9118eb58ad2edbc06d2037807cc01091b8aa4e2bf14b500680131f

SHA512
a1d5aae452928c5a5f9f1b559cea839e860dc2fd4afeb124a05e2ea2f6d9827fdc3cbffd37364fefc5b9b6bb263916118708f08aa12cc0165bbba39c8290a744

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
858495eed73104ea0ee685fa48b41427

SHA1
cf0a5fcb1cb85b6bfe167a06e9b80ff3a7c3161a

SHA256
c6f2069ae4cd8d92f6c9dae014a7d21dfdc43e548a0242a46789baca7d4c8ae2

SHA512
9cdc3ba20e8a20c21bd44726873aecb6b3582c0865842fdd3b9355cfd96a9ab359e25806f54bc7cb5cd3245438b3d42652204e503b082f9f5a3f022b46adf954

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
b50e554be8c869ef5d9035da6c1b9790

SHA1
bf1651c28b5b688bfa64ef48fd902e156a16dd92

SHA256
b432e3f8e067ba22f99ad1d998a4302b815ecd0b34b3b618110f0364bd3f9907

SHA512
09badebf36f9e631481448b9e5218e1d6bb81c9d0bd09115d7b754d6566ec76b73bf814a06a0c397defff139707dddc1772de8b7db1945069be385ae253bae61

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.9MB

MD5
b5483496f99fa65d5de862986d298a7c

SHA1
50fe664b93d89c8747a9739b57ce8892d9b270fc

SHA256
defdb335b9174b4cf8f32cdd46894164793eb42d78b3b316856e0710d7a7119a

SHA512
ae1761878c4cfe331a97bd4dd5dd56ca21a1588b356e0fe6fd459b8f788bcc1f334eb9766c067dcd64df0e2f015a0543aeb66c029f78b7717fe7079f42793e8a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\00cf0faa3d37faa0ea2d240c1ca307ef\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
75c84340d765d73eac1c743a31b6571a

SHA1
52aeef700a52b8e687316f42816eb9c0599354df

SHA256
b72a1f7da8b3c3dc95c2252319f6f3e71c81ed8bd59a5b31bd2861e14c364459

SHA512
9a9cdbc3a103e733150fae265c594dd7378ca402521387e466732f2431472a6a0e6cb4dfe02fe9f5b975a1739c685471ad2a4dddcdf6f12c4b5be469832fd5f1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\520ef62979208636f1c14a80e2d9ce16\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
adf1036a3eeb1c501096a888cab58bb2

SHA1
254000abc2213ba04d1d880a930f44723a87c45e

SHA256
57c33d085afc7e27f2309286d36c9d139a4aa726c4bb4f52e67aa6ae945df77e

SHA512
f3b7bde4907352d9c35854c3543251ae815622679e2527566efce1e95f7fd2cfbcc2e7ab8638ea22cafd07e48105e2ca892b22d7f6ff00805c872cddc51664cd

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a3e62a29807944a418928c2c96ffa660\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
ad6db1b5253efb254455b9b19be30671

SHA1
59a080db27cd4dc1cecc35e4e4ac393bbdab3e36

SHA256
25493e5f12360ab1981ad0bebeb8089b082caf6853b207dc2d2cd161213b01df

SHA512
71dc8302b2a888e2252685e83c42ec41be53021f8b81cada112b3a6740ad6bfef04af22a2863f472d0ce66a1c883d8b00c069ff6cfc107ce3d568308d148119c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f0c2354d3d486597c8ff4aebfc504967\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
2f085cbd47f5df21831b18c52a740fc7

SHA1
c548c7141a7c8ce9a018b2d972f85c12a309f906

SHA256
a0097ba6f424878a68eef0c82803a70068fbb2ed5e0963e37eccb1a662a0ab3c

SHA512
44541fe50a6c2ecd70931ed20df5f1f3893dcc299b3d84d9ddd5f2b3fddf29397123a8c3eeac88ce5fd54ed88397cc371c0ec872d1da9ddf0093ca0e57b3e9c7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
4bd9b6da179efdd7cc21240e4f1d37e4

SHA1
28a07d3ca4f0543dee16fd5fc3fb7532f6dea4da

SHA256
4736e2a0a4585c698dc203ccf58614999b8d205f95ee6c498188ea3eea17ac8b

SHA512
b1345cbfe6a3befcf9df7d5de9b712d0d37bb500aed96defdb51a0816905c5a1b164315fedb0440e1ea5b25852f13280dfaad5d26c40723044c9a2b36eeec695

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
3c41e7989d1e2f1c344fe1bb6f1aac76

SHA1
07e14b6f3745d324e3656500458192f52b1f27da

SHA256
22cc1f45b962451b598b6459e421e86d933b71c3474b2ffdfdfc97e1f19b2884

SHA512
8edf46a5a34b9384fbe7ec1e30d862fd8811b8c1d5c273c24d38b24dab8dd7077f94843ca466d7cb56b09bd1746330a5f5adcfacce7c843db14dfa267459ee0f

Download Submit
\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
8da57865b912e9a62e371183abe81cc7

SHA1
e1c5e65758d40c5c4094f66534df2facb0c8f1bc

SHA256
a208d3b3480cce4efde602d4e81747002bcb1d33dc3ddbcb5407089afe9e8dfe

SHA512
901f799b0bb10a0e12b1e3965c8383eb3830a6a17ac5d8cfffe829d6058edb59ead9cc1d695887143e0f0d13d32edcbb035786214f8e7d3b9df388b10d65ddfb

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
2a2119a265d1be5d03b1ba6eea25ad31

SHA1
ba1d87ace93885f8adcfe5c6d91ff06babca9d76

SHA256
ce89e370bbff159abe3b5a6775dcd5bf0320317e3a6614441477adf7f9e683ec

SHA512
7289d6ac234e7ee80c631d68fc3343b3f0a0983f113844588b006905084e72bd25ad7578e6526f91d0aba9748d5211c504d6dcb5c905123417ef364c51b9ffb0

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
189ebbc0bc548af2506eee947d18f2f7

SHA1
0ed8526234fe3a98123687c65ebae4ab17b9516b

SHA256
4092b833441085f13ea72dfec921f8c8a3fbf1cc4f6bf1a43a7fd49d138492e4

SHA512
6eab00a0f7ce9ac87463ec97bb0b224223ef5859a181cf6ffa38111c2dbeeb8e1a20289cd45599989b65f9dad0d05c38aad6f76d20f65ded0dc0c22635a49c6e

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
172e92a4d5dc3c4b55da7e09556ffbf8

SHA1
5aa78ac82b0b40b727efad5567399b977ade0cb6

SHA256
6521c553f8a826d8ba9539e039b202bf9a2c63d45ba8fc3cd26af88e23d8e8c5

SHA512
598e5b6f94e1cebdc5985ce67c002337b98427ba40b88438985ca533c0e33fe36dc44a03a70dc4d73be71b434f82f35b8620628669caed4d4ed3d3c018b23e5d

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
172b6eadf98479b4fdbd58ffca32202e

SHA1
cfdcf0749da3d0a263940f68d184925ed665682b

SHA256
a96bbfff39068661a735c1ba1f205fee681877380e089d19b6fd3a0676b08b48

SHA512
222ae7a0aebc1bee89fd5415a03edff1dc29d787907aa26c60f2de6fe312be0577c92a05845d11c08e87f2e89da38c006a1e1376d0314d80dd0eef7a5a5c4a72

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
e3ae328d968115208cab2e4a2f8b92c7

SHA1
f9da4e496a1e03db099f0ec7c6734f4883a32289

SHA256
516e8e21f6f3c38312e8f0991715114f908ea90808efcc43c2533a4a84352e9c

SHA512
f6962a18bb12566877b0bfd03d152063ea2570b3ac68aa931c54db17c5bdc458673c03fb597dc94886c41c942b9d5c774446b7a6796728dd5d12455445831317

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
ccf429144caf7cfbb9d83aa16ee1d3f2

SHA1
f28c3bfd1340b8e2e8576fcf611d4fc4e7ea5c67

SHA256
bd7754480e82dc85879afd347fd017139bf1c730c95c88628149d6acc56de049

SHA512
e5d2e6aa2fc09f79498fda7fd88b072cdd77bb11b51e08538b4fd77a35c3c6fd4fdd0423fdbb526d85f140bf88d261e5d9e00308ed81e31b55a6446db60f529d

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
6f54cf20b46fa31bb7b7f3f51d8906bc

SHA1
4cfdc8b229d7088b011080272eb7d859f98ac313

SHA256
726aaa7853b754d0a25e07d1de8448b8e762e99c7aaf697e9023218925be74cc

SHA512
9baeba17ca71acafe334030f97e61b5ae816747c86433833c531367a035678fe14fc8c56dbb2080274c274e98a7dff94c2bab0f2d71081803495190c587cac5b

Download Submit
memory/544-547-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/544-382-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/544-535-0x0000000003D60000-0x0000000003E1A000-memory.dmp

Filesize
744KB

Download
memory/544-534-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/544-396-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/684-636-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/684-624-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/736-479-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/736-474-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/832-81-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/832-903-0x0000000001CF0000-0x0000000001CFA000-memory.dmp

Filesize
40KB

Download
memory/832-907-0x0000000001CF0000-0x0000000001D94000-memory.dmp

Filesize
656KB

Download
memory/832-910-0x0000000001CF0000-0x0000000001D00000-memory.dmp

Filesize
64KB

Download
memory/832-908-0x0000000001F70000-0x000000000210E000-memory.dmp

Filesize
1.6MB

Download
memory/832-906-0x0000000001CF0000-0x0000000001D7C000-memory.dmp

Filesize
560KB

Download
memory/832-80-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/832-297-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/832-86-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/832-905-0x0000000001CF0000-0x0000000001D0A000-memory.dmp

Filesize
104KB

Download
memory/832-904-0x0000000001CF0000-0x0000000001D0E000-memory.dmp

Filesize
120KB

Download
memory/832-909-0x0000000001CF0000-0x0000000001DDC000-memory.dmp

Filesize
944KB

Download
memory/860-289-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/860-207-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/860-621-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/860-609-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1016-100-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/1016-102-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1016-359-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1016-94-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/1104-300-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1104-385-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1152-475-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1152-463-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1284-688-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/1284-893-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/1400-570-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1400-559-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1452-147-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1452-417-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1488-576-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1552-633-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1568-546-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1568-551-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1616-663-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1688-610-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1732-170-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/1732-185-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/1808-652-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1808-648-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2028-159-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2028-433-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2088-587-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2088-135-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2088-397-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2116-736-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2124-522-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2124-526-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2216-591-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2216-584-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2256-137-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2256-7-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2256-8-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2256-79-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2256-0-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2276-420-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2276-398-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2324-487-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2324-498-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2348-722-0x0000000001000000-0x0000000001176000-memory.dmp

Filesize
1.5MB

Download
memory/2376-175-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/2376-462-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/2432-509-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2436-521-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2436-510-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2504-435-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2504-421-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2576-22-0x00000000003A0000-0x0000000000400000-memory.dmp

Filesize
384KB

Download
memory/2576-13-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2576-14-0x00000000003A0000-0x0000000000400000-memory.dmp

Filesize
384KB

Download
memory/2576-122-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2620-118-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2620-116-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2620-110-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2620-374-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2620-666-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2628-892-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-684-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-740-0x0000000100000000-0x0000000100176000-memory.dmp

Filesize
1.5MB

Download
memory/2652-76-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2652-61-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/2652-63-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2652-55-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/2704-448-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2704-434-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2728-900-0x0000000100000000-0x0000000100192000-memory.dmp

Filesize
1.6MB

Download
memory/2728-713-0x00000000005E0000-0x0000000000772000-memory.dmp

Filesize
1.6MB

Download
memory/2728-703-0x0000000100000000-0x0000000100192000-memory.dmp

Filesize
1.6MB

Download
memory/2792-68-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2792-46-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/2792-39-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/2792-38-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2892-157-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2892-34-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2892-28-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2892-27-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2956-454-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2956-449-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3060-290-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3060-303-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download