9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3

Analysis

max time kernel
151s
max time network
156s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11/10/2024, 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
Size

1.7MB
MD5

27dd4457eec4735d6d71f15175eae9cc
SHA1

e1af79fed8f37bd2d8c15418769be24a5f28ef7b
SHA256

9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3
SHA512

9b974b65f1b35024ce9d12566be546c5d2835b8d0e392c9ab8974b1842a29b73d0343f5f1ebd1948b09516d0b1b6a3d49755e49154b1f48753a6859fac0a41b3
SSDEEP

49152:7KxNuLkTcKb4rSUfkVFj6aB0zj0yjoB2:efuLkT5NUQHB2Yyjl

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2624	alg.exe
2960	aspnet_state.exe
2336	mscorsvw.exe
2272	mscorsvw.exe
2140	mscorsvw.exe
1700	mscorsvw.exe
1072	ehRecvr.exe
2396	ehsched.exe
2992	elevation_service.exe
2508	IEEtwCollector.exe
976	GROOVE.EXE
1972	maintenanceservice.exe
2548	msdtc.exe
112	msiexec.exe
2176	mscorsvw.exe
2792	OSE.EXE
2868	perfhost.exe
1552	locator.exe
1336	mscorsvw.exe
1556	snmptrap.exe
1484	mscorsvw.exe
2372	vds.exe
1776	vssvc.exe
1036	wbengine.exe
960	WmiApSrv.exe
2916	wmpnetwk.exe
2900	SearchIndexer.exe
1948	mscorsvw.exe
1692	mscorsvw.exe
456	mscorsvw.exe
2544	mscorsvw.exe
1236	mscorsvw.exe
2056	mscorsvw.exe
3044	mscorsvw.exe
2516	mscorsvw.exe
2896	mscorsvw.exe
1116	mscorsvw.exe
1952	mscorsvw.exe
1236	mscorsvw.exe
1632	mscorsvw.exe
2632	mscorsvw.exe
1456	mscorsvw.exe
1548	mscorsvw.exe
2496	mscorsvw.exe
1380	mscorsvw.exe
2852	mscorsvw.exe
2320	mscorsvw.exe
3048	mscorsvw.exe
964	mscorsvw.exe
2324	mscorsvw.exe
2128	mscorsvw.exe
1456	mscorsvw.exe
1336	mscorsvw.exe
1792	mscorsvw.exe
2568	mscorsvw.exe
1460	mscorsvw.exe
1912	mscorsvw.exe
2508	mscorsvw.exe
1616	mscorsvw.exe
1924	mscorsvw.exe
1784	mscorsvw.exe
2220	mscorsvw.exe
744	mscorsvw.exe

Loads dropped DLL 50 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
112	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
748	Process not Found
1792	mscorsvw.exe
1792	mscorsvw.exe
1460	mscorsvw.exe
1460	mscorsvw.exe
2508	mscorsvw.exe
2508	mscorsvw.exe
1924	mscorsvw.exe
1924	mscorsvw.exe
2220	mscorsvw.exe
2220	mscorsvw.exe
1144	mscorsvw.exe
1144	mscorsvw.exe
940	mscorsvw.exe
940	mscorsvw.exe
2144	mscorsvw.exe
2144	mscorsvw.exe
956	mscorsvw.exe
956	mscorsvw.exe
1236	mscorsvw.exe
1236	mscorsvw.exe
2984	mscorsvw.exe
2984	mscorsvw.exe
2304	mscorsvw.exe
2304	mscorsvw.exe
2212	mscorsvw.exe
2212	mscorsvw.exe
2632	mscorsvw.exe
2632	mscorsvw.exe
2056	mscorsvw.exe
2056	mscorsvw.exe
2948	mscorsvw.exe
2948	mscorsvw.exe
1916	mscorsvw.exe
1916	mscorsvw.exe
2324	mscorsvw.exe
2324	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Windows\System32\msdtc.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Windows\system32\wbengine.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Windows\system32\vssvc.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Windows\System32\vds.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\701e434c5f6c6349.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDDD1.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5BB.tmp\stdole.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588 = "Windows Easy Transfer"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002096176b321cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c09d5468321cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008 = "Windows Mobility Center"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\authFWGP.dll,-21 = "Configure policies that provide enhanced network security for Windows computers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004049166c321cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\recdisc.exe,-2001 = "Creates a disc you can use to access system recovery options."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\Explorer.exe,-312 = "Play and manage games on your computer."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{5051E288-CD93-4D77-AE11-DA7305CAC61B}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10305 = "Hearts is a trick-based card game in which the goal is to get rid of cards while avoiding points. The player with the lowest number of points wins."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101 = "Backup and Restore"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32822 = "Everywhere"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\OobeFldr.dll,-33057 = "Learn about Windows features and start using them."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20 = "Windows Firewall with Advanced Security"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\mycomput.dll,-112 = "Manages disks and provides access to other tools to manage local and remote computers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition"	SearchProtocolHost.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
668	jp2launcher.exe
2256	ehRec.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: 33	2948	EhTray.exe
Token: SeIncBasePriorityPrivilege	2948	EhTray.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: SeDebugPrivilege	2256	ehRec.exe
Token: SeRestorePrivilege	112	msiexec.exe
Token: SeTakeOwnershipPrivilege	112	msiexec.exe
Token: SeSecurityPrivilege	112	msiexec.exe
Token: 33	2948	EhTray.exe
Token: SeIncBasePriorityPrivilege	2948	EhTray.exe
Token: SeBackupPrivilege	1776	vssvc.exe
Token: SeRestorePrivilege	1776	vssvc.exe
Token: SeAuditPrivilege	1776	vssvc.exe
Token: SeBackupPrivilege	1036	wbengine.exe
Token: SeRestorePrivilege	1036	wbengine.exe
Token: SeSecurityPrivilege	1036	wbengine.exe
Token: 33	2916	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2916	wmpnetwk.exe
Token: SeManageVolumePrivilege	2900	SearchIndexer.exe
Token: 33	2900	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2900	SearchIndexer.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: SeDebugPrivilege	2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
Token: SeDebugPrivilege	2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
Token: SeDebugPrivilege	2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
Token: SeDebugPrivilege	2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
Token: SeDebugPrivilege	2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: SeDebugPrivilege	2624	alg.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	1700	mscorsvw.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2948	EhTray.exe
2948	EhTray.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2948	EhTray.exe
2948	EhTray.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
668	jp2launcher.exe
1612	SearchProtocolHost.exe
1612	SearchProtocolHost.exe
1612	SearchProtocolHost.exe
1612	SearchProtocolHost.exe
1612	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
1612	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2912	2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe	30
PID 2116 wrote to memory of 2912	2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe	30
PID 2116 wrote to memory of 2912	2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe	30
PID 2116 wrote to memory of 2912	2116	9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe	30
PID 2912 wrote to memory of 668	2912	javaws.exe	32
PID 2912 wrote to memory of 668	2912	javaws.exe	32
PID 2912 wrote to memory of 668	2912	javaws.exe	32
PID 2140 wrote to memory of 2176	2140	mscorsvw.exe	49
PID 2140 wrote to memory of 2176	2140	mscorsvw.exe	49
PID 2140 wrote to memory of 2176	2140	mscorsvw.exe	49
PID 2140 wrote to memory of 2176	2140	mscorsvw.exe	49
PID 2140 wrote to memory of 1336	2140	mscorsvw.exe	53
PID 2140 wrote to memory of 1336	2140	mscorsvw.exe	53
PID 2140 wrote to memory of 1336	2140	mscorsvw.exe	53
PID 2140 wrote to memory of 1336	2140	mscorsvw.exe	53
PID 2140 wrote to memory of 1484	2140	mscorsvw.exe	55
PID 2140 wrote to memory of 1484	2140	mscorsvw.exe	55
PID 2140 wrote to memory of 1484	2140	mscorsvw.exe	55
PID 2140 wrote to memory of 1484	2140	mscorsvw.exe	55
PID 2140 wrote to memory of 1948	2140	mscorsvw.exe	62
PID 2140 wrote to memory of 1948	2140	mscorsvw.exe	62
PID 2140 wrote to memory of 1948	2140	mscorsvw.exe	62
PID 2140 wrote to memory of 1948	2140	mscorsvw.exe	62
PID 2140 wrote to memory of 1692	2140	mscorsvw.exe	63
PID 2140 wrote to memory of 1692	2140	mscorsvw.exe	63
PID 2140 wrote to memory of 1692	2140	mscorsvw.exe	63
PID 2140 wrote to memory of 1692	2140	mscorsvw.exe	63
PID 2900 wrote to memory of 1612	2900	SearchIndexer.exe	64
PID 2900 wrote to memory of 1612	2900	SearchIndexer.exe	64
PID 2900 wrote to memory of 1612	2900	SearchIndexer.exe	64
PID 2900 wrote to memory of 2476	2900	SearchIndexer.exe	65
PID 2900 wrote to memory of 2476	2900	SearchIndexer.exe	65
PID 2900 wrote to memory of 2476	2900	SearchIndexer.exe	65
PID 2140 wrote to memory of 456	2140	mscorsvw.exe	66
PID 2140 wrote to memory of 456	2140	mscorsvw.exe	66
PID 2140 wrote to memory of 456	2140	mscorsvw.exe	66
PID 2140 wrote to memory of 456	2140	mscorsvw.exe	66
PID 2140 wrote to memory of 2544	2140	mscorsvw.exe	67
PID 2140 wrote to memory of 2544	2140	mscorsvw.exe	67
PID 2140 wrote to memory of 2544	2140	mscorsvw.exe	67
PID 2140 wrote to memory of 2544	2140	mscorsvw.exe	67
PID 2140 wrote to memory of 1236	2140	mscorsvw.exe	76
PID 2140 wrote to memory of 1236	2140	mscorsvw.exe	76
PID 2140 wrote to memory of 1236	2140	mscorsvw.exe	76
PID 2140 wrote to memory of 1236	2140	mscorsvw.exe	76
PID 2140 wrote to memory of 2056	2140	mscorsvw.exe	69
PID 2140 wrote to memory of 2056	2140	mscorsvw.exe	69
PID 2140 wrote to memory of 2056	2140	mscorsvw.exe	69
PID 2140 wrote to memory of 2056	2140	mscorsvw.exe	69
PID 2140 wrote to memory of 3044	2140	mscorsvw.exe	70
PID 2140 wrote to memory of 3044	2140	mscorsvw.exe	70
PID 2140 wrote to memory of 3044	2140	mscorsvw.exe	70
PID 2140 wrote to memory of 3044	2140	mscorsvw.exe	70
PID 2900 wrote to memory of 888	2900	SearchIndexer.exe	71
PID 2900 wrote to memory of 888	2900	SearchIndexer.exe	71
PID 2900 wrote to memory of 888	2900	SearchIndexer.exe	71
PID 2140 wrote to memory of 2516	2140	mscorsvw.exe	72
PID 2140 wrote to memory of 2516	2140	mscorsvw.exe	72
PID 2140 wrote to memory of 2516	2140	mscorsvw.exe	72
PID 2140 wrote to memory of 2516	2140	mscorsvw.exe	72
PID 2140 wrote to memory of 2896	2140	mscorsvw.exe	73
PID 2140 wrote to memory of 2896	2140	mscorsvw.exe	73
PID 2140 wrote to memory of 2896	2140	mscorsvw.exe	73
PID 2140 wrote to memory of 2896	2140	mscorsvw.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
"C:\Users\Admin\AppData\Local\Temp\9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Program Files\Java\jre7\bin\javaws.exe
  "C:\Program Files\Java\jre7\bin\javaws.exe" -J-Djdk.disableLastUsageTracking=true -SSVBaselineUpdate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Program Files\Java\jre7\bin\jp2launcher.exe
    "C:\Program Files\Java\jre7\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre7" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlN1xsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTdcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlN1xiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGxpYlxwbHVnaW4uamFyAC1EamRrLmRpc2FibGVMYXN0VXNhZ2VUcmFja2luZz10cnVlAC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGJpblxqYXZhdy5leGUALURqbmxweC52bWFyZ3M9TFVScVpHc3VaR2x6WVdKc1pVeGhjM1JWYzJGblpWUnlZV05yYVc1blBYUnlkV1VB -ma LVNTVkJhc2VsaW5lVXBkYXRlAC1ub3RXZWJKYXZh
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:668

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2960

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2336

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 258 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 248 -NGENProcess 1dc -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 268 -NGENProcess 1d8 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 240 -NGENProcess 1f4 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 248 -NGENProcess 270 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 1f4 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 274 -NGENProcess 240 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 274 -NGENProcess 254 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 268 -NGENProcess 240 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 284 -NGENProcess 248 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1d8 -NGENProcess 1f4 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1d8 -NGENProcess 284 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 290 -NGENProcess 1f4 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 278 -NGENProcess 248 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 288 -NGENProcess 28c -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1d8 -NGENProcess 294 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1d8 -NGENProcess 288 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 290 -NGENProcess 2a4 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2a8 -NGENProcess 288 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2a8 -NGENProcess 290 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 294 -NGENProcess 2b0 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1f0 -NGENProcess 1fc -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 264 -NGENProcess 240 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 244 -NGENProcess 1dc -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 25c -NGENProcess 1fc -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1ec -NGENProcess 240 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1fc -NGENProcess 240 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 1d4 -NGENProcess 228 -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 228 -NGENProcess 1ec -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 2b4 -NGENProcess 240 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 240 -NGENProcess 1d4 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1d8 -NGENProcess 1ec -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1ec -NGENProcess 2b4 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 294 -NGENProcess 1d4 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 284 -NGENProcess 2b4 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2b4 -NGENProcess 294 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 294 -NGENProcess 1d4 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 1d4 -NGENProcess 244 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 2b8 -NGENProcess 284 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 284 -NGENProcess 294 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2c0 -NGENProcess 244 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 244 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2c8 -NGENProcess 294 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 294 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:1464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e0 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2fc -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2f0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2e8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2e8 -NGENProcess 304 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 304 -NGENProcess 2f8 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 318 -NGENProcess 310 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 314 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2f8 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 310 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 314 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2f8 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:1916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 324 -NGENProcess 318 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 338 -NGENProcess 320 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 314 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 318 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 320 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 314 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 318 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 320 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 314 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 318 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:1912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 320 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 314 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 318 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 320 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 314 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 318 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 320 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2296

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:964

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:1072

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2396

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2948

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2992

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2508

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:976

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2548

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2792

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2868

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1552

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1556

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:960

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1612
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:2476
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
1bf4f098fc71bb9da65d016c638fbf4f

SHA1
bb11f67de1b7479ba598008f5afc4191b674da5e

SHA256
55487abacbab0e88e2214e8387a4468089ffa4d1788c90ea2dca5df16f5b02a4

SHA512
083af036667508af06ff9aca9639521a0de0c7f812f834cc37b31fa520fbf3c6a9ebea0826504d686d8c4441ced2d361c5a34719730838a6f672e83daef9ce0d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
a134533ba3aff422d0d4085c3051e6f7

SHA1
4e25ba88c6381ef616b2311bdd302c0d2c8c936c

SHA256
151d10c99dba972d961cc4e373e81a0d592a763df79d485a04fd6aa612c8bfef

SHA512
52ffae90391f392598083e43dbf3b28164099698989992fc669f50ce75d991ecb74ceb71a4639e295ac25ee56af9e94ab6ee9f40e442e0b03424e90c80cf8431

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
2ffec26497065822fb2e3d96ff5053cc

SHA1
aaa4dbbe3511188256edba9329a07cdc80ddb94c

SHA256
024c9b5ea2dc5c9e8634dd2735679bcb3e6c594f850df19329ad6ad7b517ce4e

SHA512
8bd0adae6f04aff5206b40f13a9b2f52ef60f6b79e9c307cd139c8d64cc569fb2431534de3a0d82fb21a350f80d00b7d34bec2d51e602a8249667e0bca170aad

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
523826876c0d92dd4a9d0b8d9cc5ed7c

SHA1
1b5b6f8f3b63faaf3300a20386d03044c41d9cdf

SHA256
73cb9b72832ccbbe071f3e3140e6955da4304f15e2e3cca82f0dab30af1a970d

SHA512
2005d3d2446a5a650d2ba7249974d47e8d6e32dc4953ed8efce412211b7bc366a7e10b35578b8f9c2d6f40a05cc374d2de7443270a7dba9fb0436af145ea6923

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
701fdfd594752e3744aea3a44f2fa0c5

SHA1
793dc590deeb19a90d6d89ddd094db14f8ccbcd2

SHA256
e73403ebb5adad3e1b566cc6c5a6baa8a2292a7c6802a779f7ca59ab4bb2d0c3

SHA512
ea9766ba2eb81a836101b036350f9c1aa5e260c0da62ecd20f48d478181a232e759e348c48fd48c8b975dd0d12c41cafaad425406e0bdc8b0559c92fee45f055

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
51da34a4f22540e7676f7e66bbb3d544

SHA1
963a8594079797affc9f8761097d2923fbdaaa79

SHA256
9f28ece875b6bbe68f45aa53fc6d82f4891ba8112988e67c9d09c564ff6fced6

SHA512
33cc454adcbf59703a93e68a0523ff49a6e5dea120cfb16f4e5b74417b0bff426e8cf6c6adca7cc92c2a7f65ce626e7eece84b8f3f5c4199afce2a7a6c6f524f

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\46ceb172-72e4580c

Filesize
12KB

MD5
bde987640121265de7999403d95f247c

SHA1
545a717546e9005276997d4d5abe45b2291f87c4

SHA256
f9f4cded6b11ab6a76cdf90fc5ebdfecdc76fdbcdce6a77b4cfb8bfd03bb3eae

SHA512
60562db099fc331679d6ae5679133a41a08199900a9f2458fdcdd15fa5d079f155f6986082961dcb0387269494568db03f77dcd03c329c1c2d5d97348ab7ca83

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
685B

MD5
b36d3dd663ca344a07f7eaed2817001c

SHA1
c707db0ab8fd08c91d8f4155a13cd4e9a92d6c8b

SHA256
6c1cadc6cf00c82be525c530137c9ce4ad3917c6951afade35ca709105a39418

SHA512
57264ffd7dc65021cc24e88e32ab0fd8b3c7fbf089298f00ec1d5b723683bd4cb7aa49b2b592067ffa268b3a17952484f9c9bf48a8a64332bce3154bc5c55ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jar_cache6956561384359815844.tmp

Filesize
12KB

MD5
00e5f72258e6c602e6841bbf4c30b136

SHA1
52dbdf9eada5d7b0e015fd3523cca5cb915c23c2

SHA256
905a454fcb15e9f2a469a9a7e6e42b8c6425d20b33a59be5b84818daae964807

SHA512
50f0f286680fd33c29956455ca7e2d293402f369bd2e9079e45930853f1feb6e86208e1c8762d26dfc6f7e742044e912a4efded9a55ddfddaa454297cedc60c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
4KB

MD5
4b32df6fcd106cb82b1c15a9552e4c1a

SHA1
4decbcd95363774326175f76ba08197405c9a101

SHA256
1c3da6f84d449d503a9909b1684a03a4c9a31febfc1cec6c895d3e80c06878cd

SHA512
d3d0723efcc2ccce47d8a259031d431b905f17384aa742134c2eafbb1ffc483308f7d848e7e2a4fcbe2637e3835f521aba57b86e707cd4193604a9d78a5c387a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
937608b70cc72981430e1fa942c50bd4

SHA1
3d07752b157e3ec757843b4c126532a5a541a7aa

SHA256
4f6289e95955d25da45bb66f5530afa49c3bf66863bda3af5f383909083037af

SHA512
57c0b8d205ba5e55cec0decc24c97ba1e56b87e4f109e66b0b645cd7d89effba7787ad0dcdc161d83cceb8a59819f0963f8d1b838b9696424903f73605e38d85

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
58b474b0940ca5027ae60e2a8ee63086

SHA1
9b95606a46b3565b1524f80db7738db9972b5d9c

SHA256
cff789f703c534a7769f689a5e5f2aaf50d2720aa2796499d26cf82c6ea395a5

SHA512
0cf42f93975e391c97da51cd3ae114ea37a43be88ded3c71af868550fd2d84c5a1d2b703cb0344db91e2a7adc697d11149d19685e18b51353dc14f0a6fa3a47c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
b34b161419be491c3bc32d40dfca7059

SHA1
7e2baf78701f9f15274e032d5b4f26ff7d335e43

SHA256
c9a5637df67e0a104d793858ffd8617802b6ce5708e33a0402c90597caff8257

SHA512
9e9dea37e1d7c5db20ea760196ba87ae09aab812b44dec160ece0a6c2f5ac5b8a59ca4578c880f5a6d33d2791ba9ea6cfc23e70b6b2a7950b02dd49d716674c9

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
bf4d5143c92358d0e25ff9840e45b5a2

SHA1
8d616840280aebde537778a81d6cf30948f121e0

SHA256
a94ca520c460f935f47483482634c0dff841be16818fd3688a977f8f40af391b

SHA512
c07d700e3af51c2cec6be715b96db0ce9c5adec33512088070f72b0d6206e14463a79204a7f0c35b3adeb9062f854bd2ce9f399d3038ab667f9dba3764e2ad35

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
93b00e6255d4b9b4ae077271a6fc680b

SHA1
da3930531d78a62423f0fce6419357f4465882b1

SHA256
ec0e090e3d10ddd5beeb0486f43352c3f2e7319ee3a1923b1e3ca2841723adaf

SHA512
068267bad0be6f1c407969f99a572c55b2e07fa19248fa25e89196a9e2671668f8e813c0904f5f712a08ef9e28f05a6cd5406d45f1897445ca333b79e13bd621

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
85c7d9b30771272d747b66440767198d

SHA1
a77e77dd2a6f9750460e35bf79155f01f465613b

SHA256
8c053ab5cb84f1fd97b2a8e0ba1306cc4632d56b3f76f2f2f587dd5987bb4b64

SHA512
c0153ff2ef2c5783f7fb0b89b64c0c93b4733adad2a98902c884ed15cc8551d90a5d80c6ede56f2f3f59d65bd862af759cdee188882e40bb95a34761a16aa938

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
3d1805a243ae3b6fc9dfbc2c6a96c3db

SHA1
88b4d84051c1f84e5ce6eeb37a3820fc186e5654

SHA256
8e6535972e5ed5277a6e6033a0d6d93c74bd53425989c0a2a70fa6da4ff1899c

SHA512
0198c80615fd3e9eef81f11a3ce3063328816d8e4dafcde8a5aee9bf749caefc19b14936080cb01b3861b4e39db44a2713f15995ab75209b227a553286cc6fcf

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
178a8ad46c5330c2256d56443142d58a

SHA1
b4e93c0c0119b82e2ef39d37853edf1ffcb7b82e

SHA256
683f366dc234c420a069a79dc824a5c4293db49efe0988a5030622e5303b5401

SHA512
81dcc024e125a4740d239a99dd6721ba30be99700ee1b51e5aa6842a0864e7de5e7569b262c03b9a8c69dc7ff86db0fb3b5be667f28679ea3d9dce39014af12f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
4c8f2b275208b41deb470d0069c61d55

SHA1
6e6335138c2141115f3d1c1cf78dd7b771e2fa5f

SHA256
96e2119663dcaf259db1040253ef960fcc07c7f2fa386611da0eae0e06cd251e

SHA512
6d9d696c1337d366694a02e9a48f62579fc95854fd79a927776eb90fd56b9a46ac17fc706cd8569773f7be15707ee88bd60c9afda63f2b0bdd3ad45da5235db8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
3dbe34f47610e39b80a87739fc6bf2c1

SHA1
f0dde025a47f9f14ff3d2e98d04f130723a1b7cf

SHA256
9f852fb732a3cf5674ef9233da9b8729406e307ebd750a575e015e5ec6719a35

SHA512
78b5d5543a2377bba13ee8ddeb7046a17386a866d878bb5db7bdd6784c644c9a6ed72d99d68a4ac0c02052362e9e71626367f830b5eade685681797f348b319d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
3fc3fea7db9c065bad1db063745ac307

SHA1
99ae09f750081295b72ff30b47ff11c61971d360

SHA256
bd86f1c923d8de0e8276170dae934a6b3506f35a2699181a50389b42949001e1

SHA512
6a7b25d8a13fcdd34149a200728c804b84ef26af4c8a94ef61025073623d790e5eb557e5dcd98c968780bde0ef009761bb16fac983d7f9a87bab53db8894bb66

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
3b421bbc4cd9106de2b2d9c033a16b54

SHA1
5edda95441dffba93bbcc58174c6531e09624c7b

SHA256
d05ab548f6c0b3fc32a2fea2f8a5fc0f420de90e9ca11959244abe7fe9469019

SHA512
66289c7fb14d9f9226760f5430a5112284f62045d568eab419f72d75160e3bfff873e6ebba8c6ce0acd481b95ef6930ef6e52f11b80d7bfde33f2d239434bcc1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
c11a4080c721a935caa4053c2fa9cdb8

SHA1
cb71c0dd870208f463c33f4f5e51fbe612196964

SHA256
c76328ffc752fd91cfe38b1f6033a52d1fb4fd16be1581a6c1c889b5e4cc96c0

SHA512
8a4ab8a4ac4d8efae521e1b1e7dd3a9c9f468980ec4a4d97d104edce1dac42882b389e12bb27231d9b5279b65d170fc7d6ea622ed1f7b8918246916d4a7f6a76

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
76493aeadfbfb8a342ab58e48d08aa5c

SHA1
4dd35072f932e8d3907b327524a288a41f66135c

SHA256
605208f38859451a3e8c46af92c2fb1575a94a097b5183d4f7cedd79286e25f9

SHA512
9f30147b3998e80189d1e4eb29ded99fa4dbfb1e23817146581c2553713f04f1668a33a9047bafea87f2825f384974b61d7745329efb15cc1807fe51d8187324

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
acb23af10994943400141651742e6aa0

SHA1
28b4b30051e18e8c306242201579b08d55f80ad5

SHA256
2c8cf2059469900c063df1230acf9401f7b933c0e6aad4d551ca91d9febc9047

SHA512
518d84467fcf7be391ece1e73cc21b9f394671e7a6215eb4e849aeb1b185abc06be7b2ef8464d398554f842fe35c96a30a9291c38c010553b56a2380108984d9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4099ddf4991a876506267bdf44fb1613\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
b8c32c938a8dd190cfb3c96d274f7450

SHA1
e05fa6b71533e8d558a48908b3415a616d5ff011

SHA256
8b32dfb6eacc14eb685aeb0fe3bfb64e7a4f25c8626cfc3f943d83584d1025e2

SHA512
d61f0dfb96b4d884757739adf87c6a7f4bc9d0172f49a78e4a99e9b8db97682926070264b8bde680aa0522808191c2f1761828cbc0f8bc53284d40c28f4b1cf2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\470892f8a0a0f658cc0667296dec2d99\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
9a75efe6ba9eec11da7287360bf177fe

SHA1
6853e1a69295cb3c40ea3b1ee88bfa176ec98846

SHA256
599242240e9c3317af695d13c95c8b093fe154e14b892ed18cf1bb7387732ee9

SHA512
ec99b4c386203fd0422310a52af8519b25d73408052c5d2d47bce7110a089a9be1165334d13d8f80acf532c4fdd25e027fae1463ff0097102faad966da6673e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5be0914ec6bc775ef1c7f93f75a1861a\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
35aefa05e77d58d31272bb94c0ef25f5

SHA1
bef4874a17cfe29939ca24f0adbdaadb80670632

SHA256
efbfd4c3ca295cd7fdfc67072136668b0c7de72d40162bc28e6ae919eee6c66e

SHA512
e88c5c7e7a37ab8db4ba704d172651de429de39abf8a07f166cf90fad939fdf6bfc94604111bfad534d5159f60e7d63b34a69cc7c55fbe7ad6680aa0a9063327

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8f3fafb134e812c1e276194493ec147f\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
14a39bff3c6e92f3478883d751107b7e

SHA1
953f62f128012b6e08880cc07c195c5583beeb82

SHA256
887a9f9675035810f00f05923c8498075c19a63b4f8d1887365d11e2091a3125

SHA512
b343ad59ecdd19b130ea5fc8774b705bfe3ea79ceaacfdc9e8fe706040ad3e2ea7e9f44b23cae6b9c7e8d5edd55b7a3be95bbfe30f77e56d2bee0eb18f1fd9ff

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDDD1.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
3bfc80680b72c3f3502cda06c57016c9

SHA1
26f5a4284fd920a3306954d73c6f6f54f37b7b60

SHA256
fb38a2895bca9b21b75e949be8846510623cdfaa4c603a256285587b63ef7a3a

SHA512
8ebb888e22533db6dd047ac2ea2e3a6ce8f27a9f5acc3825ff89e8abd2474b69e52d75c1ba1df40e799807acfd2c28d0a62951f45da735ae52e98f928e84ce07

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
3f89bb1e799c77cbcd356d872c8caf80

SHA1
434ef68bc465107114f578e7e198a298430fe78f

SHA256
e7ef64da657fe3be77994e68c956bb1baf193d490a7b008a33ded177ae35c455

SHA512
6f8d85aced56c8f6f22ebe860dc3c8c220569ff2a9dcf4d49c2a63f9a4da6efb1d9d99b5f9f1eaceb5c11ab5bb47f5c7402e014b6b8d6399993170e12ce9e883

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
ede40b8e2fcdc55011122e0d999c3e0a

SHA1
ff851818eac10a9b118ff70f94719024aa6f8f49

SHA256
6ac40e4f727058eb3bb2a43d4e757238d209139f00bb2a544b1c3ad958edffab

SHA512
6b228b234aee6aa8fafc2e65c3eee8b82e88019ef021d9959d59eceed378da399712a0f310d5e26dec00eec8c95b4f3e0ee3ee110a5ab343289d42dd9abe79f6

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
baf6c8f8c1a61a4ec9b5e5f179e0701f

SHA1
1dcf37600f8c7059d7f5eb987c31a9e96595bb84

SHA256
f32457f5caa38e5b5c7f5739033339a4fcf0080b7afcb109d641a6bc295464ea

SHA512
f078622d727747ab20c7dad39a2540ef1d26e63b7dfd01122e6de644488c3ea9773a94fed2e9d86995b3793cd10a94475f271b5bb84e1590cefba34d07d33f61

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
2d7486cbde1d7d4c365fc6cab1f5f99c

SHA1
ea525d7904e66574e560fb66ce74db155e0e56bd

SHA256
a409752efd067718b72756f116d4ffaa9ca85ebb5cf810b65b79e5ba3ca2cc21

SHA512
b26d5100ce40951d2f589b68364b38d53368cb1ce548d858d8280be98b9c413026dc1285cf1019cce2a19205fa221c2ffa01e2a770efe48c3304f27a4e12df8e

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
904954c0a73707939cb7dc6aefb7af89

SHA1
dd2ed9dcc7ee1eea758896a886ea41057b817326

SHA256
75ea80cedd5d0ba0b81c28d72317b0d9228aad82332df9c10b94c0b21315ed58

SHA512
80c88f283ac1148e82ed2cc66ec536138930a7fc845bf8b5bc93e5f640fcaa4b9e0e83519b3d289486917fce3489b6497572cfa71246c081719cae2b355bed6b

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
9ada16e971557df0dcf54178e900d197

SHA1
01623e8e0c1eb12e127833d4c766c03341689bb5

SHA256
5541cba88e327b1cd3579b04e4c268352262fbf0e55b5bf98d128f0f85d37e4b

SHA512
748e89fa1373917da1a373ffcfdf2d94084df71a2c1853ac3f6f7effb61b63893cf2bc2853365137bb2813b9a3776bf0c27bc0118ccd3ddbccfc0f74af2f7a8a

Download Submit
memory/112-562-0x0000000100000000-0x0000000100159000-memory.dmp

Filesize
1.3MB

Download
memory/112-612-0x0000000000570000-0x00000000006C9000-memory.dmp

Filesize
1.3MB

Download
memory/112-416-0x0000000100000000-0x0000000100159000-memory.dmp

Filesize
1.3MB

Download
memory/112-420-0x0000000000570000-0x00000000006C9000-memory.dmp

Filesize
1.3MB

Download
memory/456-887-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/456-853-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/668-62-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/668-61-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/668-333-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/668-334-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/960-634-0x0000000100000000-0x000000010016B000-memory.dmp

Filesize
1.4MB

Download
memory/960-839-0x0000000100000000-0x000000010016B000-memory.dmp

Filesize
1.4MB

Download
memory/976-502-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/976-362-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1036-616-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1036-824-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1072-244-0x00000000002C0000-0x0000000000320000-memory.dmp

Filesize
384KB

Download
memory/1072-271-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1072-407-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1072-243-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1072-250-0x00000000002C0000-0x0000000000320000-memory.dmp

Filesize
384KB

Download
memory/1072-270-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1116-985-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1116-1008-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1236-1042-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1236-905-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1236-910-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1236-1019-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1236-1025-0x0000000003DF0000-0x0000000003EAA000-memory.dmp

Filesize
744KB

Download
memory/1336-531-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1336-514-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1456-1063-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1456-1079-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1484-727-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1484-528-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1548-1080-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1548-1091-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1552-503-0x0000000100000000-0x000000010013C000-memory.dmp

Filesize
1.2MB

Download
memory/1556-515-0x0000000100000000-0x000000010013D000-memory.dmp

Filesize
1.2MB

Download
memory/1556-728-0x0000000100000000-0x000000010013D000-memory.dmp

Filesize
1.2MB

Download
memory/1632-1047-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1632-1038-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1692-861-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1692-734-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1700-383-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1700-229-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1700-231-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/1700-223-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/1776-806-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1776-569-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1948-729-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1948-742-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1952-1006-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1952-1020-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1972-378-0x0000000140000000-0x0000000140171000-memory.dmp

Filesize
1.4MB

Download
memory/1972-374-0x0000000140000000-0x0000000140171000-memory.dmp

Filesize
1.4MB

Download
memory/2056-931-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/2116-101-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2116-1-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/2116-0-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2116-9-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/2140-109-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/2140-380-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/2140-114-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/2140-108-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/2176-418-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/2176-501-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/2272-85-0x0000000010000000-0x000000001014E000-memory.dmp

Filesize
1.3MB

Download
memory/2272-236-0x0000000010000000-0x000000001014E000-memory.dmp

Filesize
1.3MB

Download
memory/2336-68-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/2336-95-0x0000000010000000-0x0000000010146000-memory.dmp

Filesize
1.3MB

Download
memory/2336-73-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/2336-67-0x0000000010000000-0x0000000010146000-memory.dmp

Filesize
1.3MB

Download
memory/2372-535-0x0000000100000000-0x00000001001BB000-memory.dmp

Filesize
1.7MB

Download
memory/2372-761-0x0000000100000000-0x00000001001BB000-memory.dmp

Filesize
1.7MB

Download
memory/2396-992-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/2396-266-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2396-269-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/2396-419-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/2396-260-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2508-1024-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2508-425-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2508-316-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2516-958-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/2516-950-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/2544-883-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/2544-904-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/2548-533-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2548-384-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2624-268-0x0000000100000000-0x000000010014B000-memory.dmp

Filesize
1.3MB

Download
memory/2624-26-0x0000000100000000-0x000000010014B000-memory.dmp

Filesize
1.3MB

Download
memory/2624-27-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2624-35-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2632-1068-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/2632-1056-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/2792-638-0x000000002E000000-0x000000002E15C000-memory.dmp

Filesize
1.4MB

Download
memory/2792-433-0x000000002E000000-0x000000002E15C000-memory.dmp

Filesize
1.4MB

Download
memory/2868-448-0x0000000001000000-0x000000000113D000-memory.dmp

Filesize
1.2MB

Download
memory/2868-658-0x0000000001000000-0x000000000113D000-memory.dmp

Filesize
1.2MB

Download
memory/2896-983-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-881-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2900-661-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2916-648-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2916-851-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2960-300-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2960-60-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2992-423-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2992-283-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2992-277-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2992-286-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3044-927-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/3044-954-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download