36939fb28c9c2117e0df0feaca414d8a1d57bed3b0a2ab6525286aa326479266

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e9056625556676a1d76c594b07af8c0N.exe
Size

1.9MB
MD5

0e9056625556676a1d76c594b07af8c0
SHA1

213b08f4c2626873ac4bbce077896793df0fb739
SHA256

36939fb28c9c2117e0df0feaca414d8a1d57bed3b0a2ab6525286aa326479266
SHA512

6af8f76065645d9ec86cf00e6fff7793fb1848a7b5fb8b90e4d8a0d4d98e1799cf2e3e3ed366346bd613bd90f3d4e6a2663768dc06d104520236d8343f900c21
SSDEEP

12288:1dhjo4svrLzxAUMPa76huDeegxo8v3EdlIIDPa7j9aaV+aXXZdceRWcDq9UzNtsz:cDMS76huDyqmERIk1k7c+vDqGJAAg

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
460	Process not Found
2712	alg.exe
2884	aspnet_state.exe
2236	mscorsvw.exe
2924	mscorsvw.exe
2692	mscorsvw.exe
2344	mscorsvw.exe
620	ehRecvr.exe
2976	ehsched.exe
1216	elevation_service.exe
684	GROOVE.EXE
2184	maintenanceservice.exe
1604	OSE.EXE
1904	mscorsvw.exe
1952	mscorsvw.exe
2808	mscorsvw.exe
2388	mscorsvw.exe
1648	mscorsvw.exe
1748	mscorsvw.exe
688	mscorsvw.exe
2928	mscorsvw.exe
2920	mscorsvw.exe
1656	mscorsvw.exe
2044	mscorsvw.exe
3000	mscorsvw.exe
2248	mscorsvw.exe
2904	mscorsvw.exe
2564	mscorsvw.exe
2032	mscorsvw.exe
1556	mscorsvw.exe
2472	mscorsvw.exe
920	mscorsvw.exe
2572	mscorsvw.exe
1724	mscorsvw.exe
2820	mscorsvw.exe
2240	mscorsvw.exe
1432	mscorsvw.exe
2268	mscorsvw.exe
2932	mscorsvw.exe
2364	mscorsvw.exe
2192	mscorsvw.exe
2856	mscorsvw.exe
2748	mscorsvw.exe
1564	mscorsvw.exe
1572	mscorsvw.exe
2892	mscorsvw.exe
2356	mscorsvw.exe
2452	mscorsvw.exe
2824	mscorsvw.exe
2680	mscorsvw.exe
1668	mscorsvw.exe
1172	mscorsvw.exe
2432	mscorsvw.exe
1592	mscorsvw.exe
2132	mscorsvw.exe
1660	mscorsvw.exe
884	mscorsvw.exe
2560	mscorsvw.exe
2408	mscorsvw.exe
3060	mscorsvw.exe
1992	mscorsvw.exe
1924	mscorsvw.exe
2364	mscorsvw.exe
2192	mscorsvw.exe

Loads dropped DLL 44 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
2748	mscorsvw.exe
2748	mscorsvw.exe
1572	mscorsvw.exe
1572	mscorsvw.exe
2356	mscorsvw.exe
2356	mscorsvw.exe
2824	mscorsvw.exe
2824	mscorsvw.exe
1668	mscorsvw.exe
1668	mscorsvw.exe
2432	mscorsvw.exe
2432	mscorsvw.exe
2132	mscorsvw.exe
2132	mscorsvw.exe
884	mscorsvw.exe
884	mscorsvw.exe
2408	mscorsvw.exe
2408	mscorsvw.exe
1992	mscorsvw.exe
1992	mscorsvw.exe
2364	mscorsvw.exe
2364	mscorsvw.exe
2168	mscorsvw.exe
2168	mscorsvw.exe
2444	mscorsvw.exe
2444	mscorsvw.exe
940	mscorsvw.exe
940	mscorsvw.exe
2864	mscorsvw.exe
2864	mscorsvw.exe
2328	mscorsvw.exe
2328	mscorsvw.exe
2892	mscorsvw.exe
2892	mscorsvw.exe
2836	mscorsvw.exe
2836	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2132	mscorsvw.exe
2132	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\c012666d264f17b.bin	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0e9056625556676a1d76c594b07af8c0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0e9056625556676a1d76c594b07af8c0N.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	0e9056625556676a1d76c594b07af8c0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	0e9056625556676a1d76c594b07af8c0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2D96.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP310F.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6078.tmp\ehiVidCtl.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4BB0.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3F61.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	0e9056625556676a1d76c594b07af8c0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	0e9056625556676a1d76c594b07af8c0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	0e9056625556676a1d76c594b07af8c0N.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3469.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP68D1.tmp\stdole.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "mscorsvw.exe"	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2472	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2508	0e9056625556676a1d76c594b07af8c0N.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: 33	1936	EhTray.exe
Token: SeIncBasePriorityPrivilege	1936	EhTray.exe
Token: SeDebugPrivilege	2472	ehRec.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: 33	1936	EhTray.exe
Token: SeIncBasePriorityPrivilege	1936	EhTray.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeDebugPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeDebugPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2344	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1936	EhTray.exe
1936	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1936	EhTray.exe
1936	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2596	2508	0e9056625556676a1d76c594b07af8c0N.exe	29
PID 2508 wrote to memory of 2596	2508	0e9056625556676a1d76c594b07af8c0N.exe	29
PID 2508 wrote to memory of 2596	2508	0e9056625556676a1d76c594b07af8c0N.exe	29
PID 2344 wrote to memory of 1904	2344	mscorsvw.exe	44
PID 2344 wrote to memory of 1904	2344	mscorsvw.exe	44
PID 2344 wrote to memory of 1904	2344	mscorsvw.exe	44
PID 2344 wrote to memory of 1952	2344	mscorsvw.exe	45
PID 2344 wrote to memory of 1952	2344	mscorsvw.exe	45
PID 2344 wrote to memory of 1952	2344	mscorsvw.exe	45
PID 2692 wrote to memory of 2808	2692	mscorsvw.exe	46
PID 2692 wrote to memory of 2808	2692	mscorsvw.exe	46
PID 2692 wrote to memory of 2808	2692	mscorsvw.exe	46
PID 2692 wrote to memory of 2808	2692	mscorsvw.exe	46
PID 2692 wrote to memory of 2388	2692	mscorsvw.exe	47
PID 2692 wrote to memory of 2388	2692	mscorsvw.exe	47
PID 2692 wrote to memory of 2388	2692	mscorsvw.exe	47
PID 2692 wrote to memory of 2388	2692	mscorsvw.exe	47
PID 2692 wrote to memory of 1648	2692	mscorsvw.exe	48
PID 2692 wrote to memory of 1648	2692	mscorsvw.exe	48
PID 2692 wrote to memory of 1648	2692	mscorsvw.exe	48
PID 2692 wrote to memory of 1648	2692	mscorsvw.exe	48
PID 2692 wrote to memory of 1748	2692	mscorsvw.exe	49
PID 2692 wrote to memory of 1748	2692	mscorsvw.exe	49
PID 2692 wrote to memory of 1748	2692	mscorsvw.exe	49
PID 2692 wrote to memory of 1748	2692	mscorsvw.exe	49
PID 2692 wrote to memory of 688	2692	mscorsvw.exe	50
PID 2692 wrote to memory of 688	2692	mscorsvw.exe	50
PID 2692 wrote to memory of 688	2692	mscorsvw.exe	50
PID 2692 wrote to memory of 688	2692	mscorsvw.exe	50
PID 2692 wrote to memory of 2928	2692	mscorsvw.exe	51
PID 2692 wrote to memory of 2928	2692	mscorsvw.exe	51
PID 2692 wrote to memory of 2928	2692	mscorsvw.exe	51
PID 2692 wrote to memory of 2928	2692	mscorsvw.exe	51
PID 2692 wrote to memory of 2920	2692	mscorsvw.exe	52
PID 2692 wrote to memory of 2920	2692	mscorsvw.exe	52
PID 2692 wrote to memory of 2920	2692	mscorsvw.exe	52
PID 2692 wrote to memory of 2920	2692	mscorsvw.exe	52
PID 2692 wrote to memory of 1656	2692	mscorsvw.exe	53
PID 2692 wrote to memory of 1656	2692	mscorsvw.exe	53
PID 2692 wrote to memory of 1656	2692	mscorsvw.exe	53
PID 2692 wrote to memory of 1656	2692	mscorsvw.exe	53
PID 2692 wrote to memory of 2044	2692	mscorsvw.exe	54
PID 2692 wrote to memory of 2044	2692	mscorsvw.exe	54
PID 2692 wrote to memory of 2044	2692	mscorsvw.exe	54
PID 2692 wrote to memory of 2044	2692	mscorsvw.exe	54
PID 2692 wrote to memory of 3000	2692	mscorsvw.exe	55
PID 2692 wrote to memory of 3000	2692	mscorsvw.exe	55
PID 2692 wrote to memory of 3000	2692	mscorsvw.exe	55
PID 2692 wrote to memory of 3000	2692	mscorsvw.exe	55
PID 2692 wrote to memory of 2248	2692	mscorsvw.exe	56
PID 2692 wrote to memory of 2248	2692	mscorsvw.exe	56
PID 2692 wrote to memory of 2248	2692	mscorsvw.exe	56
PID 2692 wrote to memory of 2248	2692	mscorsvw.exe	56
PID 2692 wrote to memory of 2904	2692	mscorsvw.exe	57
PID 2692 wrote to memory of 2904	2692	mscorsvw.exe	57
PID 2692 wrote to memory of 2904	2692	mscorsvw.exe	57
PID 2692 wrote to memory of 2904	2692	mscorsvw.exe	57
PID 2692 wrote to memory of 2564	2692	mscorsvw.exe	58
PID 2692 wrote to memory of 2564	2692	mscorsvw.exe	58
PID 2692 wrote to memory of 2564	2692	mscorsvw.exe	58
PID 2692 wrote to memory of 2564	2692	mscorsvw.exe	58
PID 2692 wrote to memory of 2032	2692	mscorsvw.exe	59
PID 2692 wrote to memory of 2032	2692	mscorsvw.exe	59
PID 2692 wrote to memory of 2032	2692	mscorsvw.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0e9056625556676a1d76c594b07af8c0N.exe
"C:\Users\Admin\AppData\Local\Temp\0e9056625556676a1d76c594b07af8c0N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Program Files\Java\jre7\bin\javaws.exe
  C:\Users\Admin\AppData\Local\Temp\0e9056625556676a1d76c594b07af8c0N.exe
  2⤵
  PID:2596

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2712

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2884

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2236

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 264 -NGENProcess 274 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 290 -NGENProcess 2cc -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 280 -NGENProcess 2fc -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2dc -NGENProcess 290 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f0 -NGENProcess 2fc -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2fc -NGENProcess 25c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f0 -NGENProcess 290 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 308 -NGENProcess 288 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 274 -NGENProcess 308 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 274 -NGENProcess 304 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 314 -NGENProcess 2dc -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 300 -NGENProcess 310 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 274 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 32c -NGENProcess 2cc -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 2cc -NGENProcess 310 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 274 -NGENProcess 330 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 324 -NGENProcess 288 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 314 -NGENProcess 330 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 340 -NGENProcess 304 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 32c -NGENProcess 2cc -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 344 -NGENProcess 310 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 340 -NGENProcess 34c -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2268

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 238 -NGENProcess 204 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 2b8 -NGENProcess 1dc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2bc -NGENProcess 2a8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2c0 -NGENProcess 204 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2c4 -NGENProcess 1dc -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 204 -NGENProcess 1dc -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 2d0 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2c8 -NGENProcess 2c4 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2d8 -NGENProcess 1dc -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2356
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 1dc -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 2e0 -NGENProcess 2c4 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c4 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2132
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e0 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2e8 -NGENProcess 2f8 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 308 -NGENProcess 2bc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2bc -NGENProcess 2f0 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 310 -NGENProcess 300 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 300 -NGENProcess 308 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 318 -NGENProcess 2f0 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 2f0 -NGENProcess 310 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 320 -NGENProcess 308 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 308 -NGENProcess 318 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 308 -NGENProcess 320 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 320 -NGENProcess 2f0 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 330 -NGENProcess 30c -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 30c -NGENProcess 308 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 338 -NGENProcess 2f0 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 2f0 -NGENProcess 330 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 340 -NGENProcess 308 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 308 -NGENProcess 338 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 348 -NGENProcess 330 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:468
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 344 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:2464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 308 -NGENProcess 354 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:1996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2f0 -NGENProcess 344 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 350 -NGENProcess 35c -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 35c -NGENProcess 34c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 34c -NGENProcess 340 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2360
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 364 -NGENProcess 324 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 324 -NGENProcess 35c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 36c -NGENProcess 340 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 36c -NGENProcess 324 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 330 -NGENProcess 340 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2192
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 10c -NGENProcess 37c -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 10c -InterruptEvent 37c -NGENProcess 108 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:1712
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 330 -NGENProcess 354 -Pipe 10c -Comment "NGen Worker Process"
  2⤵
  PID:2904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 370 -NGENProcess 108 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:1660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 380 -NGENProcess 37c -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:1240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 354 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 370 -NGENProcess 38c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 324 -NGENProcess 354 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:3056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 390 -NGENProcess 384 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 38c -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:3032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 394 -NGENProcess 390 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 108 -NGENProcess 38c -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 108 -InterruptEvent 3a0 -NGENProcess 324 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:1980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 390 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 108 -NGENProcess 3ac -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 108 -InterruptEvent 370 -NGENProcess 390 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:2480
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3a8 -NGENProcess 3b4 -Pipe 108 -Comment "NGen Worker Process"
  2⤵
  PID:2888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 384 -NGENProcess 390 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:1132
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3b8 -NGENProcess 3b0 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2072
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 324 -NGENProcess 390 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2132
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3a4 -NGENProcess 3c4 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3c4 -NGENProcess 370 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:2308
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c4 -NGENProcess 3a4 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:1728
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3b4 -NGENProcess 370 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3d0 -NGENProcess 3a8 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3a4 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:1332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3b4 -NGENProcess 3dc -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:2708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3dc -NGENProcess 3c4 -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:2916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 370 -NGENProcess 3bc -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:3028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 3ec -NGENProcess 3d8 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:3000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3d4 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:2168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 3bc -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:1032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3ec -NGENProcess 3fc -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  PID:2552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3a4 -NGENProcess 3bc -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  PID:1628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 404 -NGENProcess 3f4 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:2104
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 408 -NGENProcess 3fc -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 410 -NGENProcess 3bc -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:1732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 3d8 -NGENProcess 3d4 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 414 -NGENProcess 3a4 -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:2836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 418 -NGENProcess 3bc -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:2908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 41c -NGENProcess 3d4 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:1656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 420 -NGENProcess 3a4 -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:2992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 3bc -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:2240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 3d4 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:2916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 42c -NGENProcess 3a4 -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  PID:1092

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:620

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2976

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1936

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1216

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:684

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2184

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.6MB

MD5
38e08b7a48a47d841ec88c9fe2b2ba32

SHA1
3df4baf2b975c14b1d6d44d1e44fdb2d477a0900

SHA256
3135cb308bb5ab9a56c85ff464a70d3f0f7b43037b8c8f03ae7694d91f6ec3a7

SHA512
ff724f0373d3fd4f35c5f051297ac8ad0c002e82d151f7700840a7a881a0ff33ffe265a32c07f0147a13d12b365a4add824ee792539b26a1f80e7e98feb25574

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
fd020532d47952263b4c981b2ae1709f

SHA1
710b87d9f7c692941355e409ec4f16b1db6e5fc3

SHA256
9056d33ea8272d098200b92937cb7a788072798251f9c04276c726d7722dc31b

SHA512
c3efa6ad3135445da41975fe2d7f9655cc4d0006ca5aa5aba6b5c6040d648f41c38b5b5f90372c3d7ff985d0dd5ab4748eeb39bffbabc7bd75d04a5b800a2305

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
a2d63110089921f2acff3e7295e22a6e

SHA1
755a76b4624666545fad1053ac3f2b89c98dbb39

SHA256
9bddf688bfefeeb56e2e65a150ef2ff9ec4adf675da8bf06563e492a7e3fd866

SHA512
3a888668c2ee2ee7bb10f7c7ce26c51b1e6c99bca8b5ba609f6672a110415e58c763565439ccc32b823b96718c959848aaedcd7e4ebb3ed1eed5d17ae43aa171

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.9MB

MD5
680a1f2070e22093addeabd23306814d

SHA1
25633d25e84cf6b57081121251147b0e9071600d

SHA256
db8b641b2a238222654a394f98b92df269628deba24a6c877a17adc0096bbd6e

SHA512
4ac4f90aea82aa09c70f7546e0dfa6417ad78a1f4beaebb98c0da1d0c16e33f7922e6229d0a471d97a4cc21ff6bcaaada707cd3c218a43a148dc0ad44ea65fde

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
499e38ab34463b61f094b296b92e1946

SHA1
c59ae0279d1137cde6a8e89411552b457aebf1a0

SHA256
d90eb4e835f8128b8f408f4a7c23dfbd6fab55e80f35b3fa9fb80ddeb4988242

SHA512
db25fa587e614f53f2d22f64f01e9b6bfd186acfb0876f04596396a56c044eee79bca45764ab2d8b982716353d7d3389d3da8b42d67523783f542867770699dc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
6caf80199977358e6c7c08593fba5003

SHA1
6b370cc908bf105930f848f8812e056ad8116847

SHA256
7df3aa43359b7e9b0d29fa0896d200d8a934063547c844f328afbf7a704dbb44

SHA512
435bc2e3b89d3afadd2f226e46f7897f2c3189cfafe55e2336561b816b78b8f5cdd3ed983b6b53925b938371700c199b463cfefaab4e2ddac52d6aaf579be14c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
129a2cf424f43ea3b66ab7b03592fbaa

SHA1
bcfd6ce1837f93a896b5c10a51133e23ab0f037f

SHA256
23f4390f062bdebb41b93497f103d672134180c56221eb24629feeb9c766bd79

SHA512
11d4149681396b2a4800c5469a1090d5dda1d799f9e04cf154873de8de85a9c8a4b271c5c7cf7f856fa957250b718207edce99e893c28181625851b9333da14e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
256f4e8b744a964b90a252cddaff8c1a

SHA1
be5096140379b2a92a85a70d14e4ed27f7bfd6a0

SHA256
4f81f62caa709d7e0a04e14df0c4a1cda1141c258957220bfc224ed10451278f

SHA512
d5511599948ea646eee236f5324c2e7d41e8600f5016af14b43089be48ca9dc02730e6f8bd4a4f3addb6a4984ed97d39b9d3913cf9270510fc8b804456914568

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
befd6a7fac75e004464dc71f75353049

SHA1
d35e45097a5602e88ddb8f711c8bac94983f3efc

SHA256
8be2aef33c7bc32b1157b569ce41a809fe89e02e80433d2bb53bc9ecffa79c28

SHA512
36a1846a277bc61a4fb33eb60aadd6bbe7e740b0320644b571b4b02e1add0eedd06312e1ae2601c2280c44c450388866b33978a0bd3145a3759756ac1bca4c4e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b60e1cc1318861cbb09d118ca1452ab8

SHA1
81e0bab514ddf195e20dcc94864095fcce2a74eb

SHA256
569ece21b06e2278fa83be7758e9f82d3e60641da6b969f928abb91a01e411f5

SHA512
d5cb24418bac0ad66f375eb13727d002cee24b60a105e6ccec2093cae29c5d4af072c97655ec0bac8bb77aa37690cccca04297c1631b3c3d561c72fbb6734ca7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
553e573b7900e7b55ce179a52f858fc6

SHA1
d878ad4a2505f268d7d8a162010f16209c469c75

SHA256
e2e7d6fea59f4f79cf207bdff4ae2e8017e4d491de9401d1690b271239e34779

SHA512
1e2be3ce7a3842fcb885950ab292919805e05a874618010abe6c499d57b18c20e491c76e0ef8683252cc06f69c1c198dc9fbbfede56dc87bcd3abbfb3c9afcd6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
680e727d9e180152f81d0ae56e1519aa

SHA1
ca882da0c95a5bcc31764c14c38dd4a30778b260

SHA256
3f5daa84af28754c86585fd09c30cbcaae94999281cf432c6fb4c2088e4cf437

SHA512
dce3fb3689ebdd16fa749ba5adc7fc2f9c03a55eb28b1619231433b7c145473fbb8fc428dccf1dee14ceaac3bc75420e3d7102f8c5f0f0c7f647ff98275b5bfd

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
3d94533053a9a34e77f03ced4cc31eaf

SHA1
13c1d2289f0ae4a832de69851f5c26af05f71d28

SHA256
7399e55dd9e2127a878c9dab76f74e749ebc2b252583efdd9abe7cf37047ec00

SHA512
27dfa5a7addffb19c5d429b7320106f3ef1bc8ae31c75fad80558eee66753de0b7edb0a6da58c306160621d48aa1e1f3988a7c765ceb811a33e6c0728936a2c7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
6f2b228f2e6800b14f39f2649cd03c0a

SHA1
9eb69877f4d82fcf2718ce53275cc5fe60015e4f

SHA256
05326fac75f87b872c511e5d33231ce90daeadb3583bdac70056b2c1da8c485b

SHA512
06aad5c29fb9429d3f3cbd7f73866a84d0385ee00318459a88cc148e5b23093ab46c92d804620e3c0627fd8cd1e07699268601f521212a2ffb611e4d604d3daf

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
757a910f43de9ada5d449c57bd67b065

SHA1
66a7aeb85e9a1c3d8f35d8bcf096b51bde6d6a68

SHA256
6abc0eb00e12c3b620864f8932d656bde80d04e07d9a3a7a8b93d337c2c21bb7

SHA512
130b7c6a41d9236c6991210ce2041957e9a22f99eeb30a28dd66642cb837e8824347d715c5c012e69d4aad0b157f78bfda0afad3c1737d7628112759eaa2fd20

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
8d015669ce3b5d0748981b4ab12fce2f

SHA1
936b315030a7f43ad3e84ea94b0635a229c5e3e6

SHA256
cf2c2b385bb4a5df59fcca55f971684820d5e7d40af8415e829aaeb6a076def6

SHA512
ef9c739d69b34f0322544beb08aa60c5f507f26c2acf6a87c29b807409bd0911584131b7d64deff4f195be5c5e3eef7931e0ce5638a278f3312f970f99052038

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
a969ab228544a75b401b25ed1412f692

SHA1
1d5349baa055c53957b53ca5a7d02ea45c94b193

SHA256
d053d8a3538f6eaec80a54ad9657aeb9a0997aa4eeb5d6fac3c3e135c335df15

SHA512
3a4c5d7414766f5538d833cf9d4b1778ae8fb16f9d6781a81fc8128cccf6c8c5d66550732fe1fdd400d2f59ed5387a2a1672655842eab15d1f98dd8ba002f94a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
0d2dbb1fd062432bc334f898f432ae06

SHA1
c1050e921f5d657eb63faeae01125784c7fb07c7

SHA256
a19a1743d114f9e4a76db360f3a62a20f0be5f1ebc48142e34e26e906a0c1a6d

SHA512
53936a64fac8cbad628845c57389950bd837281e575ca616872bd1b3961338172ab9eea8494617ff1e431e92122629eb34edbc2d67d63e22febeca07dbc3e786

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
4574c9fe6a3fac48a64859d48638fcda

SHA1
79dc5f08dfeabc51bbc7e7f90ae47ac786f8f8bd

SHA256
6db424208749d1ca53820c589f2e0f66284ef934333551ab50861d0bd3dc8a8f

SHA512
6bf95eedfe5611bbc6ef6eddb6247d51c8e22b3a1eb9964949d578a46ae58d2a44e9da52543d9a75daa6f02f2031e7b8ddeaca9fb731b9864d2515f729d5cf7c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
b94a05affade04daca8ae461c94705a9

SHA1
b3373ba472e0ade0446bf87d621c8c0914d28001

SHA256
aa09fa57bcf42f5877cc4fb56d0f84e307c976e272eb69bdc265945c3818b1ae

SHA512
7edf44da04af7e5afbcc72fbbd12fe20186fd95e6ac9d2ef1f574d834a9377b89fa5e10ebc95a8999d5023192d65ab69a7f2f331689b20b2f2549790052d52f8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
96066df600c811c1bbc1bb32aca7127d

SHA1
b90e3bf4d88b97061c6847c1c3b69af082fa6842

SHA256
620b54e9034b6521ff402d2241c2709951e989157cde2bf8a1be3070bf65e5f1

SHA512
d259922b3ad93dec84c7b0357d3dce92b257cd06257bb2346d3fc3293b4381a94a76709d9025686b53996bc323b7fd288a4cc2bd96d3194ba3ddb5cd3cf5e5ad

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
2adadb376ab919b8c2ba62989e6c8756

SHA1
dc4ed1ec2d3d4c20bea49dda02b92125225126e7

SHA256
0fec96cfc341ebede4ee34f244bba1e551b620ca4aaacceac306dc61fd61592d

SHA512
e4e84804e98280db0fdda513a880252e58eac0992420c787ebb7b52ca495ec55203400fe060c22a6c71765209e5278c73edb81008febcd248840e9a93ff8df9c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\c012666d264f17b.bin

Filesize
12KB

MD5
70c04177b19c1faafac460618df7f862

SHA1
1a77cd7219f1b970e8bccdedbe29bbb6a72e0919

SHA256
47bee369def62f5f72c2f9921017205c8debfce26e4696c699e6dbd8e772d8d7

SHA512
87c793245e90b18413e71a5e239361a990cbcf44500d4dad5599da013e0321f6bc96f23b717249372ec35c141c4e90289a60378cf0e8fae365bd24eafa511e2a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
7daaf21aa1340912f83df4781dee7a08

SHA1
6452669ace706f1fb6b8be3a320535cf68a9416a

SHA256
f7bb3298982194f1c31d5cd0e1e1cf6cc9fff36d3b75764f087e1b7d0c9e5d15

SHA512
447ea92574abed6b5566f265f8f4eb562ced06bb4eb5cf9fe9f54ab1ee2ed368d0475193944adf76864369177c42d5d69a54f0ee002bb278a239da7fa7ed5470

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\39f452eb45e797454424816be7a94f95\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
802d72f42bcd4b4aeaa535337b3da2ac

SHA1
4f6deca23cbd4c308e1cd1be1ebf0d04174239f4

SHA256
516f537d97888978e10d85b2ba343b449c0dff1b92aba054049ff013eea7062d

SHA512
01146e06b080141536182b09293966e7bd58fdff311174838baa7e99aeb78762e10e761efce09ab1164e9cbb7598e18780cbeedfad47e9de594911dea5e23377

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\5e0e39a992c1b56f5e670eb80f912388\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
da0d13ca1b2fc653a6b72fec29b88634

SHA1
49dc51691fe967c445ec86dc028c387d7141ac9e

SHA256
3e625a38cd67e4c67cf1046bfc40c2a8a36102903f7ff345d00b84ffc03c07d5

SHA512
699feaa31a9dd07188c2fd2de42899499d8c01cc8deeee727e5fd08e31ca49d222e128e23e633e0b00b75bac13057d1b8b09519cbee6d4c7a6951b05e4ac3ca4

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\60352221e61a4451e732558071530428\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
a9b2598c4536fc8fa6afa992e8b69f47

SHA1
633eb71ce66ffe41a6de6b1151c04756bd7203fb

SHA256
541609962f11e490ce646a521805b03158528616c60b3a1fb68f9890e91146ac

SHA512
e90dddbf628e5caca0ef0fa9a606e195788f76b091b32e208ecda085f047f7470115b73ec45e3d6a817d9246a1f30b4701e4f80f110bb69f90d437c359727796

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\db1332d4c4cddcd98a046c16d42719de\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
4701cf0b6c03b96d692e45af21c863d0

SHA1
e2936f773aee1f6e0bb178ecc16e92ce59356d7e

SHA256
9c8be4f1ca19b13cfb7ea9a67acbff7362b2d6060943cd61bf59bd6790d61544

SHA512
9aa5b5fad7097d4cf4a0de26cb45d7b59876421c3e78642b93c84925e3eb682bdee8131887125ccee0e38763567862eaa1953725456972099580c5aacc0382b5

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\system32\IEEtwCollector.exe

Filesize
1.5MB

MD5
0d3bcfa6b1a3d72a21d50373ee40f62e

SHA1
5906de3cca2129825bb40a2b607c1046f901ab1b

SHA256
44708ab001b3d18ac88e6293a14bb797eb1af7fdd5a77adf774f56c7eb9651bf

SHA512
bb40974bb93b35b2f4b5f5e90dbca040bdede4f48fb44e2fd68a8fd7d35b7a7b42c07732656b07098d40e8091497aa5f89a360d885b8a2486f8786c15758d97c

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
68edea558015fcb113173530b84485c0

SHA1
1076db98929c87779cf594b4e5e4a4e13de97e26

SHA256
d87c077199bfe291e6ea6d8cb0fbc71110b39ee8edd468c9e0d0e9284d1f9e1a

SHA512
117bd32b5f0d242a3ecbccf3aa9b630a9cc132e54b04dbaf96386a7ac64b14761747b7ca87025f3f8590ef5a4d10e4cfac19488bbae096ce726996af38f2bd77

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
089d48de730cb06c5f58c776d95fd908

SHA1
53af969b8a84e4489ab4ce93e70a8800a04cc6af

SHA256
c852e06903b70f9318be858cfb6078c7108f3e8528b01fb3e9bd50f08d92266d

SHA512
94c5e5b82db558ba5f4d4757685f919dbda77b028e8963fad2938f04dce9529aff1f94f049e6f152a02ca7bc25210e54d3c86cc9496fa1c9c42bc1db54cf9e33

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
9b1462b0fbca206540f11c1a3129ee07

SHA1
b8228c7669355e847cb5df699035d08c7843f554

SHA256
382031b12a35524aee811c6fbbb83f1d98fd28ecca725d90938c7bc15daa0ad0

SHA512
c03f87320b62d620be1d8e4b80f38641044fd5482e7924524245315bf1423fb2703205d383f75524b9a0e13f6b0896c832c96a46c38a28664a3e6731c912a364

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
fa0c85daab2f03d8badc28282c55d308

SHA1
e6ac34ff63d54f29b841d295827c4ae0e35ab1ba

SHA256
e13532d3da1053324f222a54a9d70f9490b7ab7973ad3f760f2bd3d5acc6f97e

SHA512
70413723e795d673015bf8760c3c761e49746bb58e8de39f6c5b61c4592bd072ff7e34b47125e231387eb0ed52c7d93f328b98870ffb5b72e9a307d64a97ebb5

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
21f74cdce261625934282c1a6f5deb5e

SHA1
e38c93cf95f671a36dba3de79210bb1dafc6fdf1

SHA256
28707d0a8d79cfa86d5b297fc1dacf44bf5b586e215f2e0ca5b22129eb500201

SHA512
cc020186dfdc97f0b92c3b7b81dd37d1c9186a11fae7b66fd6659e701f92858c2dc54073a649247bc9b29159f0cb736125ea957afc2cd851ee716e09b6fb840c

Download Submit
memory/620-106-0x0000000000B30000-0x0000000000B40000-memory.dmp

Filesize
64KB

Download
memory/620-646-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/620-83-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/620-89-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/620-309-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/620-107-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/620-92-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/684-128-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/684-135-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/684-369-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/688-377-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/688-370-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/920-557-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/920-539-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1216-116-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/1216-340-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1216-118-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1216-110-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/1432-633-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1432-620-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1556-508-0x0000000001B90000-0x0000000001C4A000-memory.dmp

Filesize
744KB

Download
memory/1556-520-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1604-400-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/1604-165-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/1648-343-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1648-326-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1656-428-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1724-573-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1724-589-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1748-341-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1748-371-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1904-258-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1904-175-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1952-255-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1952-282-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2032-505-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2032-494-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2044-432-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2184-152-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2184-148-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2192-712-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2192-700-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2236-58-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2236-20-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2236-21-0x0000000000460000-0x00000000004C7000-memory.dmp

Filesize
412KB

Download
memory/2236-28-0x0000000000460000-0x00000000004C7000-memory.dmp

Filesize
412KB

Download
memory/2240-606-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2240-621-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2248-465-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2248-450-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2268-636-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2268-630-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2344-66-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-67-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/2344-294-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-74-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/2364-699-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-687-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2388-310-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2388-315-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2472-543-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2472-522-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2508-6-0x0000000001CE0000-0x0000000001D40000-memory.dmp

Filesize
384KB

Download
memory/2508-8-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2508-122-0x0000000001CE0000-0x0000000001D40000-memory.dmp

Filesize
384KB

Download
memory/2508-0-0x0000000001CE0000-0x0000000001D40000-memory.dmp

Filesize
384KB

Download
memory/2508-123-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2508-91-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2564-484-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2564-477-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2572-574-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2692-53-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2692-252-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2692-47-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2692-48-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2712-136-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2712-13-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2748-732-0x00000000018E0000-0x0000000001928000-memory.dmp

Filesize
288KB

Download
memory/2748-735-0x000000001ADD0000-0x000000001ADDE000-memory.dmp

Filesize
56KB

Download
memory/2748-730-0x0000000001880000-0x000000000188E000-memory.dmp

Filesize
56KB

Download
memory/2748-733-0x0000000001AB0000-0x0000000001AC6000-memory.dmp

Filesize
88KB

Download
memory/2748-731-0x00000000018D0000-0x00000000018DC000-memory.dmp

Filesize
48KB

Download
memory/2748-728-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2808-296-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2808-301-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2820-590-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2820-608-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2856-724-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2856-715-0x000000001ACC0000-0x000000001AD08000-memory.dmp

Filesize
288KB

Download
memory/2856-716-0x000000001AD10000-0x000000001AD26000-memory.dmp

Filesize
88KB

Download
memory/2856-714-0x000000001ACA0000-0x000000001ACAC000-memory.dmp

Filesize
48KB

Download
memory/2856-713-0x000000001A950000-0x000000001A95E000-memory.dmp

Filesize
56KB

Download
memory/2856-703-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2884-17-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2884-147-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2904-480-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2904-463-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2920-403-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2920-408-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2924-37-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2924-61-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2928-402-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2928-383-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2932-688-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2932-674-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2976-98-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2976-96-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2976-103-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2976-577-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2976-325-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3000-440-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3000-453-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download