a55f82d548d9ed11aba629d5f4a42ec058745272b6c7402190aa327b902512ed

Analysis

max time kernel
146s
max time network
156s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 02:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-06_bf6a9c6f6b395e8f8b01be86eb3cdc24_avoslocker.exe
Size

1.3MB
MD5

bf6a9c6f6b395e8f8b01be86eb3cdc24
SHA1

12b5b85fe1fec5bf45464ed46fb6a8e9d23b85a2
SHA256

a55f82d548d9ed11aba629d5f4a42ec058745272b6c7402190aa327b902512ed
SHA512

eba7d9e65d7b5985af8a8f972e56f8f3e467e7d39c5513a9080b1d37a94c14b406a00f671d6d9f4ec6346866276e2ebdc01eca0a395b4af5c6b03886180ff1b2
SSDEEP

24576:P2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedtet/HU9zPjeidP1Yi/dGyA:PPtjtQiIhUyQd1SkFdQUpLei7dGy

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2744	alg.exe
2588	aspnet_state.exe
1104	mscorsvw.exe
832	mscorsvw.exe
2844	elevation_service.exe
2936	GROOVE.EXE
2396	maintenanceservice.exe
1408	OSE.EXE
784	mscorsvw.exe
2864	mscorsvw.exe
2660	mscorsvw.exe
1992	mscorsvw.exe
2836	mscorsvw.exe
1676	mscorsvw.exe
2364	mscorsvw.exe
1892	mscorsvw.exe
1716	mscorsvw.exe
1388	mscorsvw.exe
1804	mscorsvw.exe
1124	mscorsvw.exe
1084	mscorsvw.exe
2888	mscorsvw.exe
2620	mscorsvw.exe
1448	mscorsvw.exe
2108	mscorsvw.exe
1196	mscorsvw.exe
2036	mscorsvw.exe
936	mscorsvw.exe
940	mscorsvw.exe
1292	mscorsvw.exe
2880	mscorsvw.exe
2380	mscorsvw.exe
2292	mscorsvw.exe
2408	mscorsvw.exe
1092	mscorsvw.exe
1196	ehRecvr.exe
1896	ehsched.exe
2532	IEEtwCollector.exe
3040	msdtc.exe
2800	msiexec.exe
1124	perfhost.exe
2760	locator.exe
2656	snmptrap.exe
3004	vds.exe
1988	vssvc.exe
2116	wbengine.exe
1628	WmiApSrv.exe
2216	wmpnetwk.exe
1640	SearchIndexer.exe
1572	mscorsvw.exe
2400	mscorsvw.exe
1048	mscorsvw.exe
2636	mscorsvw.exe
1072	mscorsvw.exe
2912	mscorsvw.exe
1724	mscorsvw.exe
3052	mscorsvw.exe
2848	mscorsvw.exe
1912	mscorsvw.exe
2460	mscorsvw.exe
2344	mscorsvw.exe
2432	mscorsvw.exe
2336	mscorsvw.exe

Loads dropped DLL 52 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2800	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
736	Process not Found
1072	mscorsvw.exe
1072	mscorsvw.exe
1724	mscorsvw.exe
1724	mscorsvw.exe
2848	mscorsvw.exe
2848	mscorsvw.exe
2460	mscorsvw.exe
2460	mscorsvw.exe
2432	mscorsvw.exe
2432	mscorsvw.exe
2880	mscorsvw.exe
2880	mscorsvw.exe
2032	mscorsvw.exe
2032	mscorsvw.exe
2296	mscorsvw.exe
2296	mscorsvw.exe
2708	mscorsvw.exe
2708	mscorsvw.exe
2228	mscorsvw.exe
2228	mscorsvw.exe
2364	mscorsvw.exe
2364	mscorsvw.exe
1072	mscorsvw.exe
1072	mscorsvw.exe
2676	mscorsvw.exe
2676	mscorsvw.exe
2400	mscorsvw.exe
2400	mscorsvw.exe
2564	mscorsvw.exe
2564	mscorsvw.exe
2564	mscorsvw.exe
2564	mscorsvw.exe
2684	mscorsvw.exe
2684	mscorsvw.exe
2796	mscorsvw.exe
2796	mscorsvw.exe
2308	mscorsvw.exe
2308	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-06_bf6a9c6f6b395e8f8b01be86eb3cdc24_avoslocker.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2e868bf1d264f17b.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4B05.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4682.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP26C2.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2980.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3F42.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP37F2.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5033.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8E3B.tmp\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP44AE.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name = "mscorsvw.exe"	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{63AF0F3B-BBDC-43E4-AF45-19CBAB12DABB}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050b2101d5bcfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000d0410d115bcfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2260	ehRec.exe
2588	aspnet_state.exe
2588	aspnet_state.exe
2588	aspnet_state.exe
2588	aspnet_state.exe
2588	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2732	2024-07-06_bf6a9c6f6b395e8f8b01be86eb3cdc24_avoslocker.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1104	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1104	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1104	mscorsvw.exe
Token: SeShutdownPrivilege	1104	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1104	mscorsvw.exe
Token: SeDebugPrivilege	2744	alg.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1104	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2588	aspnet_state.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: 33	1812	EhTray.exe
Token: SeIncBasePriorityPrivilege	1812	EhTray.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeRestorePrivilege	2800	msiexec.exe
Token: SeTakeOwnershipPrivilege	2800	msiexec.exe
Token: SeSecurityPrivilege	2800	msiexec.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeDebugPrivilege	2260	ehRec.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeBackupPrivilege	1988	vssvc.exe
Token: SeRestorePrivilege	1988	vssvc.exe
Token: SeAuditPrivilege	1988	vssvc.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeBackupPrivilege	2116	wbengine.exe
Token: SeRestorePrivilege	2116	wbengine.exe
Token: SeSecurityPrivilege	2116	wbengine.exe
Token: SeShutdownPrivilege	1104	mscorsvw.exe
Token: SeShutdownPrivilege	1104	mscorsvw.exe
Token: SeShutdownPrivilege	1104	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1104	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1104	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeDebugPrivilege	2588	aspnet_state.exe
Token: SeShutdownPrivilege	1104	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1104	mscorsvw.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: 33	2216	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2216	wmpnetwk.exe
Token: SeManageVolumePrivilege	1640	SearchIndexer.exe
Token: SeShutdownPrivilege	1104	mscorsvw.exe
Token: 33	1640	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1640	SearchIndexer.exe
Token: SeShutdownPrivilege	832	mscorsvw.exe
Token: SeShutdownPrivilege	1104	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1812	EhTray.exe
1812	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1812	EhTray.exe
1812	EhTray.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2340	SearchProtocolHost.exe
2340	SearchProtocolHost.exe
2340	SearchProtocolHost.exe
2340	SearchProtocolHost.exe
2340	SearchProtocolHost.exe
596	SearchProtocolHost.exe
596	SearchProtocolHost.exe
596	SearchProtocolHost.exe
596	SearchProtocolHost.exe
596	SearchProtocolHost.exe
596	SearchProtocolHost.exe
596	SearchProtocolHost.exe
596	SearchProtocolHost.exe
596	SearchProtocolHost.exe
596	SearchProtocolHost.exe
596	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 784	832	mscorsvw.exe	38
PID 832 wrote to memory of 784	832	mscorsvw.exe	38
PID 832 wrote to memory of 784	832	mscorsvw.exe	38
PID 832 wrote to memory of 2864	832	mscorsvw.exe	39
PID 832 wrote to memory of 2864	832	mscorsvw.exe	39
PID 832 wrote to memory of 2864	832	mscorsvw.exe	39
PID 1104 wrote to memory of 2660	1104	mscorsvw.exe	40
PID 1104 wrote to memory of 2660	1104	mscorsvw.exe	40
PID 1104 wrote to memory of 2660	1104	mscorsvw.exe	40
PID 1104 wrote to memory of 2660	1104	mscorsvw.exe	40
PID 1104 wrote to memory of 1992	1104	mscorsvw.exe	41
PID 1104 wrote to memory of 1992	1104	mscorsvw.exe	41
PID 1104 wrote to memory of 1992	1104	mscorsvw.exe	41
PID 1104 wrote to memory of 1992	1104	mscorsvw.exe	41
PID 1104 wrote to memory of 2836	1104	mscorsvw.exe	42
PID 1104 wrote to memory of 2836	1104	mscorsvw.exe	42
PID 1104 wrote to memory of 2836	1104	mscorsvw.exe	42
PID 1104 wrote to memory of 2836	1104	mscorsvw.exe	42
PID 1104 wrote to memory of 1676	1104	mscorsvw.exe	43
PID 1104 wrote to memory of 1676	1104	mscorsvw.exe	43
PID 1104 wrote to memory of 1676	1104	mscorsvw.exe	43
PID 1104 wrote to memory of 1676	1104	mscorsvw.exe	43
PID 1104 wrote to memory of 2364	1104	mscorsvw.exe	44
PID 1104 wrote to memory of 2364	1104	mscorsvw.exe	44
PID 1104 wrote to memory of 2364	1104	mscorsvw.exe	44
PID 1104 wrote to memory of 2364	1104	mscorsvw.exe	44
PID 1104 wrote to memory of 1892	1104	mscorsvw.exe	45
PID 1104 wrote to memory of 1892	1104	mscorsvw.exe	45
PID 1104 wrote to memory of 1892	1104	mscorsvw.exe	45
PID 1104 wrote to memory of 1892	1104	mscorsvw.exe	45
PID 1104 wrote to memory of 1716	1104	mscorsvw.exe	46
PID 1104 wrote to memory of 1716	1104	mscorsvw.exe	46
PID 1104 wrote to memory of 1716	1104	mscorsvw.exe	46
PID 1104 wrote to memory of 1716	1104	mscorsvw.exe	46
PID 1104 wrote to memory of 1388	1104	mscorsvw.exe	47
PID 1104 wrote to memory of 1388	1104	mscorsvw.exe	47
PID 1104 wrote to memory of 1388	1104	mscorsvw.exe	47
PID 1104 wrote to memory of 1388	1104	mscorsvw.exe	47
PID 1104 wrote to memory of 1804	1104	mscorsvw.exe	48
PID 1104 wrote to memory of 1804	1104	mscorsvw.exe	48
PID 1104 wrote to memory of 1804	1104	mscorsvw.exe	48
PID 1104 wrote to memory of 1804	1104	mscorsvw.exe	48
PID 1104 wrote to memory of 1124	1104	mscorsvw.exe	72
PID 1104 wrote to memory of 1124	1104	mscorsvw.exe	72
PID 1104 wrote to memory of 1124	1104	mscorsvw.exe	72
PID 1104 wrote to memory of 1124	1104	mscorsvw.exe	72
PID 1104 wrote to memory of 1084	1104	mscorsvw.exe	50
PID 1104 wrote to memory of 1084	1104	mscorsvw.exe	50
PID 1104 wrote to memory of 1084	1104	mscorsvw.exe	50
PID 1104 wrote to memory of 1084	1104	mscorsvw.exe	50
PID 1104 wrote to memory of 2888	1104	mscorsvw.exe	51
PID 1104 wrote to memory of 2888	1104	mscorsvw.exe	51
PID 1104 wrote to memory of 2888	1104	mscorsvw.exe	51
PID 1104 wrote to memory of 2888	1104	mscorsvw.exe	51
PID 1104 wrote to memory of 2620	1104	mscorsvw.exe	52
PID 1104 wrote to memory of 2620	1104	mscorsvw.exe	52
PID 1104 wrote to memory of 2620	1104	mscorsvw.exe	52
PID 1104 wrote to memory of 2620	1104	mscorsvw.exe	52
PID 1104 wrote to memory of 1448	1104	mscorsvw.exe	53
PID 1104 wrote to memory of 1448	1104	mscorsvw.exe	53
PID 1104 wrote to memory of 1448	1104	mscorsvw.exe	53
PID 1104 wrote to memory of 1448	1104	mscorsvw.exe	53
PID 1104 wrote to memory of 2108	1104	mscorsvw.exe	54
PID 1104 wrote to memory of 2108	1104	mscorsvw.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-06_bf6a9c6f6b395e8f8b01be86eb3cdc24_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-06_bf6a9c6f6b395e8f8b01be86eb3cdc24_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1e0 -NGENProcess 1d4 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 25c -NGENProcess 240 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 264 -NGENProcess 254 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1e8 -NGENProcess 1d8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 25c -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 24c -NGENProcess 1d8 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d8 -NGENProcess 1f0 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 240 -NGENProcess 270 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 270 -NGENProcess 268 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 254 -NGENProcess 278 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 278 -NGENProcess 24c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 26c -NGENProcess 280 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 288 -NGENProcess 270 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 24c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 280 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 270 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 298 -NGENProcess 28c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 278 -NGENProcess 270 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a0 -NGENProcess 290 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 28c -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 28c -NGENProcess 298 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2292

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 10c -InterruptEvent 1f8 -NGENProcess 204 -Pipe 108 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 254 -NGENProcess 208 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 254 -NGENProcess 1f8 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 24c -NGENProcess 208 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 260 -NGENProcess 10c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1072
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 208 -NGENProcess 10c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 26c -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 10c -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 10c -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 10c -InterruptEvent 27c -NGENProcess 260 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2460
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 260 -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 284 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 26c -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 28c -NGENProcess 274 -Pipe 10c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 274 -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:2452
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 294 -NGENProcess 27c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:2464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 27c -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:1048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 204 -NGENProcess 2a0 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 2a0 -NGENProcess 284 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:1760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a0 -NGENProcess 204 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 204 -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:2676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 2ac -NGENProcess 254 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 254 -NGENProcess 2a0 -Pipe 1b4 -Comment "NGen Worker Process"
  2⤵
  PID:1668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2b4 -NGENProcess 29c -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:1992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2bc -NGENProcess 2a0 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a0 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:2736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2c4 -NGENProcess 2ac -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1072
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2ac -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:2092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2ac -NGENProcess 2c4 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 2d4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a8 -NGENProcess 2c4 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2c4 -NGENProcess 29c -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:2296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2dc -NGENProcess 2d4 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 238 -NGENProcess 2d4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 2a0 -NGENProcess 2e0 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:2484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2e4 -NGENProcess 2dc -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:1180
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2e8 -NGENProcess 2d4 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2260
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2e0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:2604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2dc -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2dc -NGENProcess 2e8 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2e8 -NGENProcess 238 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:2364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 304 -NGENProcess 238 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2fc -NGENProcess 30c -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2fc -NGENProcess 308 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  PID:2348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2fc -NGENProcess 2a0 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:2956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2c8 -NGENProcess 308 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:2336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 2c8 -NGENProcess 310 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 304 -NGENProcess 308 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2452
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 324 -NGENProcess 2e8 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 2c8 -NGENProcess 32c -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 330 -NGENProcess 300 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 31c -NGENProcess 328 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:1536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 31c -NGENProcess 330 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:2636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 32c -NGENProcess 328 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 338 -NGENProcess 310 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 308 -NGENProcess 328 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2384
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 328 -NGENProcess 318 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1180
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 300 -NGENProcess 340 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2412
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 340 -NGENProcess 2a0 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 330 -NGENProcess 348 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 348 -NGENProcess 308 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:1952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 310 -NGENProcess 350 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 358 -NGENProcess 340 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:1716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 308 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2308
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 308 -NGENProcess 310 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:1336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 364 -NGENProcess 340 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 364 -NGENProcess 308 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:1520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 348 -NGENProcess 340 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:1048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 340 -NGENProcess 300 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 340 -NGENProcess 348 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 36c -NGENProcess 300 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 37c -NGENProcess 368 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 348 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 300 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 388 -NGENProcess 37c -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 2a0 -NGENProcess 300 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 394 -NGENProcess 380 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 388 -NGENProcess 398 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 398 -NGENProcess 368 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 398 -NGENProcess 388 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:1760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 300 -NGENProcess 380 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:1048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 36c -NGENProcess 388 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 3a8 -NGENProcess 38c -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2140

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2844

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2936

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2396

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1408

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2408

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1092

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1196

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1896

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1812

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2532

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3040

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1124

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2760

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2656

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3004

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1628

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1640
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2340
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:964
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
e1e1e9cd60d1e97345dd1ce9f76589e6

SHA1
e7f982eeb49f36f4a910ae5d8959e863d0db1f32

SHA256
7aa6e0e3b9a36ab2d3dc39c708e159ec1c25240fbdbb973da900be3545da1c0a

SHA512
f1fd77ec3be83ca76c809edbaa3090d3867cf41f47569003f95ccaa98c51e1047b34835463daffaa7c04f6efb7ca26302dbf6f51a0baabfdfaa17fa23bb49ae1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
a1d781bdbd69e4f227e92b4371236046

SHA1
5519b662d7d435440c57c52ef596cea4afb8453f

SHA256
4c0fc7f308d9981819b553d602c238ab129368d7f4cead71e6fd1596cb91077c

SHA512
a583048d9777dc6c22187e093ef33f53263c9b3ec3f5b5415ac7863cebb42868a3546a48306a983d66f06b0b1e8fa2cecc7b754cc2397ec53c0fb51e14d748dd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
b2be6bb94211c9ed583aa74f3d7e55b4

SHA1
bdbe233954551fb9bfdcb3591c48bb184efb64d7

SHA256
cf6bc46730652dd80a02c30bc3441252f3fe03e86394df08f38aa77f3086c308

SHA512
d41f3323d7969381fd8f486977e84d8f95a2202cd9d9166578d64eb4c336a2be1e2744d7aec4e34b25c16a05f10eca5295d19c85bd4130321fd3e99acc94ecf7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
078a18266eb854189cdefd92bb101f03

SHA1
ea08348c5c23f081d565279b3ca4d5dc732aaf4b

SHA256
d453664f14d91bf16914cbc6ed3d3e029d9d861861b665e7261fe8bcd4107a1a

SHA512
913a04b821e5750e1e2982e810b7ec3e734e5c14c141125f250ad78b30188bea5c7846286f1e6df4a1320a480d3be1cf512b3755c3224c7972b237f9307c4ef0

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
d10c27f59dfdc972c4de635687df4614

SHA1
3ebd0ac94d845bca26c36a05e3a70f75561fe3e4

SHA256
71636872ba48e12fbf90eec49168337910ef98ad0ee00cda106f2904c83f8f65

SHA512
4c649ed28619302cbad9f1a2455bd4f2970b05f59740d642c4691f073df9e195bd6fcbcda107ffe7ad7b095bcff68c1882744e86fb374c4224f804850010bf4c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
384f431809037f850a5d8dc3694deede

SHA1
be4c02388a08201a2237d2e43a84a7ea5a3761a0

SHA256
8c3581ebf3f7e1a28c884a25dd74db0afb9412fd61caaaf740f4af424efcd7c5

SHA512
6597f73d6ce5d1e909b49653b1962b9eede1223a99af51f9338d2af2ac7e44449cdec9d5e6b39fe163770480cb44d5d63aef133bd7124d481b0172360a1a8470

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
72596275a7183ecdd46258c9f37b1d5e

SHA1
9b35c06541457f6b7517261ef6a490545dd06dfa

SHA256
47c6795fb89b6e881f05221794703998d52be4e55851948dbbee0554510c666a

SHA512
bf390356fd5a22a55231bfa65e097f6a391470cda803385414ad8c8b5fe747493b6aa3af7b03acdd17aa03133a67e875b2ebfb56e04a906a410b2cb95f886525

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
723dbdf9e92507e1744b20ec15b8c20a

SHA1
31d44f6471692f30f14e9873cea21096a30d07a5

SHA256
1ca581bbe97819df81b25068ea5b646f5ea50c08fa6759e032f1031fd2e78ce4

SHA512
b404656ce6bf90c86992af98ef97ff2b475796e62d5047022661a7061a0ff03d0174e43f3d8b3e769fb31e3b9360b8406a58a920ed63e2eba9b89116153f0768

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
03f3baa2c99bac00c48c87b65a428e8b

SHA1
cbbd0470ebe0b540396b5471ed5ea5b71f263dfe

SHA256
20bf3f14c443c7a250bd40df42ade290089c8912c869e3ae3ca595482ad18a79

SHA512
4c796045c9b51c4f99c018c28b3b540fd9146d78037ec8b39a2eb34b8b36a6cf1f10927c00d82d07d35e357b5d67e46a8effe9ecb6e4a23b086b513ab7e2c57e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
381ed0e6513e3aabe048ec423dc254cd

SHA1
59caf817868fbe20fd515b146718e61a89c3da72

SHA256
a73bc24c18a9ae1ce80890b3f6921b972bbb39f6f559377cb5f4b40a50e4a143

SHA512
f8b90cdaa2943241cabe2f0c886b5fb649fa9cd3667d1fba5894df50c3817586e10e69ac845120d351635c9aa435bce21e25c2fde005ceb8f4d18c4dca2cd764

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
bebe0af859b91a8be743ae5c56504991

SHA1
e9d8e9eec46d18a47ee56c5105db428f60945d04

SHA256
aea1d55a5c73baeb6e11674dc87b99463f847ca4038fcd54879569134b5c1704

SHA512
4b85d8a8ac3677cdcf143f4041610e1949643db4d3fe5b21755b7ab52e47bcd23334f162ef8a1736db3e5f6b5958beaeb4b596a81b5339cfe7f8863a28a4161d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
dc5d0609f467fecbf992d0bc22b4151e

SHA1
e7718ceab03c67a8cc769acf5af12d3feb1cc212

SHA256
d9788143d45e098748d97dcefd751bfbf88951ff14ce98461c2994ab43cddef3

SHA512
c5a39d46c001fe7c7a0c6dc94b76f39cc5013eb197d62a907b4c4e2e88958a8b4bded2d724a8dd8a8e4d2d52f23db8ffa742b6fa6a6691f82666789244c6772c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
7dc05f2701095c2d9e7f2a4bbcf087fe

SHA1
eb5d7c8745e6b7e0465e704d6f39addfd3a06ba6

SHA256
7f215288ba240d5f0565a8e998ecfc1bd32aee2e274f2d29a4437adee28f293f

SHA512
b36c5b03ac04ac0529ebfdadc96e4247213fd57489d51bc995d7d79bb24d1bc4b10a0028d5c077200e08841c8576e6d93b16c22f04b5615ee0e2d45478d6a241

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
47692ec0d62af9f614d05f0701bd8619

SHA1
66b2b9e3c2bcd76f9ad870d3dd96692767f9d3ac

SHA256
6dc8446f26e5d307f0e7f67dbfa87e876353c45e4785ef00c07ea0b6fe8b2f14

SHA512
e037ad6fdb432a731c6970759ee18fea550c35ee059341396915b03e2d33e7bc8b0e734742666af1b4df7e8b0b6a2226ee44e1a17c66c6ab2f6adc8006d6b180

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
61496b24b4ca874f3cb2d02e50c21037

SHA1
c83588042829be413bf0485183eb1f394d053c7f

SHA256
91cf905b56e0390d63d9479eb957cf9d4c6511123dc1bb940dc4a5a67ae1cb59

SHA512
82eddca4b6079977c07def6772427ba9979277fe3c76464ebc1fda94b4c7a7ba931636c6a127b38e75a7c66e193894885b52921a6eab72b3e29aa02c63850615

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
7e0393d56dee5ac84000750d8dd8885d

SHA1
00a38e9b0628f70ca5ef33f53ab4c265e5c06483

SHA256
31df295c9130b7c429a7ec433b00d3ebaf49fbacfdd819f3a9ca71eca4d01414

SHA512
e4505e73c45203eefebb59c313d73d6d8cac34f0f9ab69a2f1802546bfd1cbb3eab5d1b288a2b08aefe0b39ddbe9fa6a9010ca2b83632ddf7a1107b21e2ec4f0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
0708954bae42bdd443c28206298daaf8

SHA1
1ffc42acbcdd3b7852eecd61994722736c9e2fa8

SHA256
d6bfea9196004002024cd874e6583cd54615a6b5a1101d6e5078f940b25ebd25

SHA512
b54040b359636c524630ed14060727a70c54c022a6636556dac0a042a76e49c40a0216ca18d72c501be83ea0b46a97bbac8555a084c8b32af1ded9d4ea73a4c1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
43825e84fe6921e225d0d761154a2a8f

SHA1
df69ffe21d617e10f5f94d6397dea545cd3ba3b1

SHA256
b8f2a83114765d5c92df34988acc2031a1d0b8c4adee1028d55be73b7bb99ef0

SHA512
bd28ec4ce9506ad55f85cf318683863610ff0a2e1e68027a1ea4b4336d6405ac8104a16b150b9be71cb231b06ab3503dae3fe2b3d9e5fa5dfa04f344b18e2f77

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\02c548309b5c7eea1353a026f49c1be0\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
8b53110c57630e8be32662da62d0c813

SHA1
d1c0e8a09501aa9463b764128851823b99bf2db7

SHA256
31d893614d4a0be1edd987eabd9215815280bf784612d70300d228ce43552bb3

SHA512
aae1b6296cb59dc6351b71a1bb6bde2060a2b8c10689af093d950ff5a0b9cefffdc7bfb74db8a857facf910f28412532d18f5c4602afa3ceed19f70d7b58ca95

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\1c2fb9424d4414d624c53684f0294ab8\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
638deacd47c9c3d1d14c0ae4c94813be

SHA1
e178400ccb8241603ea4638554d709a101c2bf3d

SHA256
a41e2b91f5c3929a6be2916659d60ceee9ffaf3d6f8e4133cd6149a4b082f9fe

SHA512
fceb468e38058e2276977c346b22632b61add6ce742deb6acfbbe2108f583c0553b0747b77f215db42b91dcaa2d2fe0eee78cc95a0c26c8349ab9d79031622ec

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\1e8f3a43fa72aa64ff9b9fb469405697\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
998d51e5bb80675a72349193713e5824

SHA1
a9ff062b8bb380c3df0f70aac2d878f5bec169f3

SHA256
a5d4771b9ae1f7f272c88142446f1e5a0dec7087442b105732ff7b1f40034869

SHA512
8fcdd94480e9e4e6c615ec6b4313f92e712a7980f53cea215f410dc1d7abde74119b779e8c3d2272e7be7de510ac384cc985fa6e59e3e132176203ced7d88ff0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\792ebfd60bd4833a71a0a4e98f0afd06\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
20fb388e62fabb106a245dfd7978c38f

SHA1
26f332574df8b097b218866e3f66979fb5b822b3

SHA256
1ac2590f9779a88e0724ea9d1366bab805c7902f4f0e78eb8f0e6b4e1312f759

SHA512
4fe38dd1bf167f2552c218c44e9dc95f46a28d8e2577e6476a53002a2a43599e99cbe7655a69b11bab3005dec2d696376d2501b809ec8ad4a7d8f9648f0745b7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
e6e6ceef781c52a00b9a1f55a6f38bac

SHA1
949ea62894be614e7195aa27761d1c8e91217117

SHA256
a1dac9b708fa32e93b390b3a2fba7a8eacf32b1cd90a05271d0c50468dcbd0e6

SHA512
71c65e9b9463cfef579a5cce7f417c6240078c2899aa89cb11b12978e9b905d6df28fd73e0d193b2661d8b675ffebe2bff1181d4ac41a34da4fb0e6b1fa9437b

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
cfce6e8b8b42d5348d8c99e253ece448

SHA1
b6466372e73a9309f7edaefec5ff9ff05e7d2667

SHA256
77857bfb85d970808aab8b7afefae65d3e2163d8386acb92077b4df4063e37b3

SHA512
ea6e1b0722009c60a1528e01dced9f3cf749f9123b5511a5c384e77d283e3caec39161e6cbf5bd36f1d92fafda96c73d17fc50ceec61fe0196a43daf281ef5e5

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
4b2d6d79d91e126f9484d1f1d1488c6d

SHA1
2be8667897c91fd9e6e86a19e4e3b61ce5ab33a8

SHA256
0b1a8d4b57b9488aacd73c8853575aad28927ee6e2202f030ccf9f40b4b4d966

SHA512
bb67bc7f6812269b73b6e5e4b4b458d684858d5c9026795f35886cb7e1b086f55771ea47fca434c1eb0f09fd6222d28c71ad582f1ee91cbdc8338757888adf4f

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
7bbf7b8b0a80ceb5e4902041ec9f6a1a

SHA1
48fbad3d83bc60a0d727a6794eda6f57c2d0d9d6

SHA256
66207f49f934878b93e35fe432e4e5363e41a2e343a9a87cf0fb6513b2e4acdc

SHA512
a1115e65b978b5ba543c93419e55aa4e2e9ebdf3dceb9cbe8e61e3da2770bdd18d1acb9294b02bcedb20b4830453b7cd33c345b5cd5a1ee9292f1a105437175c

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
92320f5a987e7291c6868b4c977bdfad

SHA1
cd73a27b2c96e78bafb6ba1121f46a98c6e1fde8

SHA256
3c8ec1093051ada8b7477699048016e0435153b7f66c12935d533e56e2e96f2e

SHA512
438234df0291e5d1941425beaeaa0b172a231ac6158862210325863c2c3825701ca3050a59bef2187b6b242339f39fcde470dcc00da3f938de1ac31c3528a964

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
ab556a16d3008e4c96a9f731375efec1

SHA1
92d1c5d4b62b9c19e200e500a0b3bc8d30cb29dc

SHA256
a1b99fa5d46631202784de0404fce424d6fe635ec8cdc8edef61df5b399b68a7

SHA512
28869864349368aa40cc364f399ee15b6cd12bbf3f62a5dfeccb4ff0792a3efeb1454802f89095500fd9356db1f806c0d1e264372b32547cc3eabcaa7fd79001

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
43c482f92dad8b875996c541eeee705e

SHA1
4a4a35e49d07084bcc6e5052f82ced7e61840178

SHA256
7b7388401923626a7552576f80b7f37fbc0e1c0368dd208d24a32592ed0869a5

SHA512
d33154b8a92ac6e806b52cfa3466fa50e5175d8bf43abc4c67465faa3c634079a5bf94f349c3c196811cd010df9e99b28a1abf95c39b903194fe67ce353ec491

Download Submit
memory/784-284-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/784-256-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/832-331-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/832-59-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/832-60-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/832-66-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/936-517-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/940-525-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/940-529-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1048-922-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1084-443-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1084-430-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1092-602-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1092-643-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1104-301-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1104-52-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/1104-47-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/1104-46-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1124-689-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1124-432-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1124-811-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1196-619-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1196-501-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1196-726-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1292-540-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1388-409-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1408-109-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/1408-108-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1408-368-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1448-470-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1572-909-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1572-891-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1628-773-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/1628-933-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/1640-794-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1676-359-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1716-397-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1716-377-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1804-420-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1892-384-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1892-371-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1896-640-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1896-745-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1988-905-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1988-748-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1992-318-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1992-333-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2036-513-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2036-502-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2108-483-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2108-479-0x0000000003C20000-0x0000000003CDA000-memory.dmp

Filesize
744KB

Download
memory/2116-762-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2116-921-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2216-783-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2292-573-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2364-361-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2364-374-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2380-563-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2396-104-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2396-96-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/2396-103-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/2396-118-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2400-906-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2400-912-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2408-629-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2408-582-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2532-656-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2532-758-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2588-252-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2588-35-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2588-34-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2588-43-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2620-460-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2636-934-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2656-712-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2656-881-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2660-309-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2660-321-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2732-8-0x0000000000270000-0x00000000002D7000-memory.dmp

Filesize
412KB

Download
memory/2732-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2732-1-0x0000000000270000-0x00000000002D7000-memory.dmp

Filesize
412KB

Download
memory/2732-19-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2744-28-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2744-26-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2744-29-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2744-207-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2744-20-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2760-709-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2800-772-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2800-793-0x00000000004C0000-0x0000000000572000-memory.dmp

Filesize
712KB

Download
memory/2800-686-0x00000000004C0000-0x0000000000572000-memory.dmp

Filesize
712KB

Download
memory/2800-677-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2836-334-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2836-348-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2844-81-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2844-335-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2844-75-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/2844-82-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/2864-278-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2864-291-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2880-548-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2880-559-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2888-454-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2936-91-0x00000000003F0000-0x0000000000457000-memory.dmp

Filesize
412KB

Download
memory/2936-86-0x00000000003F0000-0x0000000000457000-memory.dmp

Filesize
412KB

Download
memory/2936-94-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2936-360-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3004-735-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/3004-890-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/3040-663-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/3040-771-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download