0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01

Analysis

max time kernel
142s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-10-2024 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
Size

1.7MB
MD5

2feb6443750377501c32d6459fadfffd
SHA1

abc41ac6b0f68fa90b218924defd2e18ce6ef2d9
SHA256

0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01
SHA512

8b7ea9df9486e4a3278114f93f4f2e15d8d41d6a6227b90f01251937f8a0f83a15de53e9096e730742d1acd479b91e0d067110a999d74628b22a4c6aac14dbeb
SSDEEP

49152:tKxNuLkTcKb4rSUfkVFjLCks7R9L58UqFJjskU:kfuLkT5NUQhC17DVqFJU

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2656	alg.exe
2940	aspnet_state.exe
2432	mscorsvw.exe
2904	mscorsvw.exe
1956	mscorsvw.exe
2184	mscorsvw.exe
2252	ehRecvr.exe
2812	ehsched.exe
428	elevation_service.exe
876	IEEtwCollector.exe
1116	GROOVE.EXE
1952	maintenanceservice.exe
1932	msdtc.exe
2136	msiexec.exe
2648	OSE.EXE
1540	perfhost.exe
2108	locator.exe
1464	snmptrap.exe
2904	mscorsvw.exe
3020	vds.exe
1048	vssvc.exe
1844	wbengine.exe
2800	WmiApSrv.exe
880	wmpnetwk.exe
2596	mscorsvw.exe
1292	mscorsvw.exe
2276	SearchIndexer.exe
568	mscorsvw.exe
904	mscorsvw.exe
2472	mscorsvw.exe
1544	mscorsvw.exe
1652	mscorsvw.exe
2944	mscorsvw.exe
768	mscorsvw.exe
1544	mscorsvw.exe
2480	mscorsvw.exe
2204	mscorsvw.exe
2128	mscorsvw.exe
2584	mscorsvw.exe
1304	mscorsvw.exe
1500	mscorsvw.exe
2256	mscorsvw.exe
1980	mscorsvw.exe
1372	mscorsvw.exe
2480	mscorsvw.exe
1652	mscorsvw.exe
316	mscorsvw.exe
1864	mscorsvw.exe
3000	mscorsvw.exe
1648	mscorsvw.exe
1272	mscorsvw.exe
2708	mscorsvw.exe
2932	mscorsvw.exe
2312	mscorsvw.exe
520	mscorsvw.exe
2884	mscorsvw.exe
1056	mscorsvw.exe
1948	mscorsvw.exe
2040	mscorsvw.exe
1028	mscorsvw.exe
2908	mscorsvw.exe
2428	mscorsvw.exe
1648	mscorsvw.exe

Loads dropped DLL 50 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2136	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
740	Process not Found
2312	mscorsvw.exe
2312	mscorsvw.exe
2884	mscorsvw.exe
2884	mscorsvw.exe
1948	mscorsvw.exe
1948	mscorsvw.exe
1028	mscorsvw.exe
1028	mscorsvw.exe
2428	mscorsvw.exe
2428	mscorsvw.exe
1272	mscorsvw.exe
1272	mscorsvw.exe
3004	mscorsvw.exe
3004	mscorsvw.exe
664	mscorsvw.exe
664	mscorsvw.exe
324	mscorsvw.exe
324	mscorsvw.exe
2208	mscorsvw.exe
2208	mscorsvw.exe
2416	mscorsvw.exe
2416	mscorsvw.exe
2284	mscorsvw.exe
2284	mscorsvw.exe
924	mscorsvw.exe
924	mscorsvw.exe
1104	mscorsvw.exe
1104	mscorsvw.exe
1584	mscorsvw.exe
1584	mscorsvw.exe
2264	mscorsvw.exe
2264	mscorsvw.exe
2192	mscorsvw.exe
2192	mscorsvw.exe
1944	mscorsvw.exe
1944	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9c339afc5f6c6349.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\snmptrap.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Windows\system32\locator.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Windows\System32\alg.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP18FD.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFE9A.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3505.tmp\ehiVidCtl.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8F6.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP16CB.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE43.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP30D.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700 = "Print Management"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\pmcsnap.dll,-710 = "Manages local printers and remote print servers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\iscsicpl.dll,-5002 = "Connect to remote iSCSI targets and configure connection settings."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sdcpl.dll,-100 = "Backup and restore your files and system. Monitor latest backup status and configuration."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10303 = "Enjoy the classic strategy game of Chess. Play against the computer, or compete against a friend. The winner is the first to capture the opponent’s king."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\authFWGP.dll,-21 = "Configure policies that provide enhanced network security for Windows computers."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\isoburn.exe,-350 = "Disc Image File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32822 = "Everywhere"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetProjW.dll,-501 = "Connect to a Network Projector"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\DVD Maker\DVDMaker.exe,-63385 = "Burn pictures and video to DVD."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2672	jp2launcher.exe
2348	ehRec.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	2184	mscorsvw.exe
Token: 33	1708	EhTray.exe
Token: SeIncBasePriorityPrivilege	1708	EhTray.exe
Token: SeDebugPrivilege	2348	ehRec.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	2184	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeSecurityPrivilege	2136	msiexec.exe
Token: SeShutdownPrivilege	2184	mscorsvw.exe
Token: SeShutdownPrivilege	2184	mscorsvw.exe
Token: 33	1708	EhTray.exe
Token: SeIncBasePriorityPrivilege	1708	EhTray.exe
Token: SeBackupPrivilege	1048	vssvc.exe
Token: SeRestorePrivilege	1048	vssvc.exe
Token: SeAuditPrivilege	1048	vssvc.exe
Token: SeBackupPrivilege	1844	wbengine.exe
Token: SeRestorePrivilege	1844	wbengine.exe
Token: SeSecurityPrivilege	1844	wbengine.exe
Token: 33	880	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	880	wmpnetwk.exe
Token: SeManageVolumePrivilege	2276	SearchIndexer.exe
Token: 33	2276	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2276	SearchIndexer.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	2184	mscorsvw.exe
Token: SeDebugPrivilege	2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
Token: SeDebugPrivilege	2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
Token: SeDebugPrivilege	2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
Token: SeDebugPrivilege	2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
Token: SeDebugPrivilege	2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	2184	mscorsvw.exe
Token: SeDebugPrivilege	2656	alg.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	2184	mscorsvw.exe
Token: SeShutdownPrivilege	2184	mscorsvw.exe
Token: SeShutdownPrivilege	2184	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	2184	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	2184	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	2184	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	2184	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	2184	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	2184	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	2184	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	2184	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	2184	mscorsvw.exe
Token: SeShutdownPrivilege	1956	mscorsvw.exe
Token: SeShutdownPrivilege	2184	mscorsvw.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
1708	EhTray.exe
1708	EhTray.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
1708	EhTray.exe
1708	EhTray.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
2672	jp2launcher.exe
3012	SearchProtocolHost.exe
3012	SearchProtocolHost.exe
3012	SearchProtocolHost.exe
3012	SearchProtocolHost.exe
3012	SearchProtocolHost.exe
2444	SearchProtocolHost.exe
2444	SearchProtocolHost.exe
2444	SearchProtocolHost.exe
2444	SearchProtocolHost.exe
2444	SearchProtocolHost.exe
2444	SearchProtocolHost.exe
2444	SearchProtocolHost.exe
2444	SearchProtocolHost.exe
2444	SearchProtocolHost.exe
2444	SearchProtocolHost.exe
2444	SearchProtocolHost.exe
2444	SearchProtocolHost.exe
2444	SearchProtocolHost.exe
2444	SearchProtocolHost.exe
2444	SearchProtocolHost.exe
2444	SearchProtocolHost.exe
2444	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2380	2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe	30
PID 2092 wrote to memory of 2380	2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe	30
PID 2092 wrote to memory of 2380	2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe	30
PID 2092 wrote to memory of 2380	2092	0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe	30
PID 2380 wrote to memory of 2672	2380	javaws.exe	32
PID 2380 wrote to memory of 2672	2380	javaws.exe	32
PID 2380 wrote to memory of 2672	2380	javaws.exe	32
PID 1956 wrote to memory of 2904	1956	mscorsvw.exe	53
PID 1956 wrote to memory of 2904	1956	mscorsvw.exe	53
PID 1956 wrote to memory of 2904	1956	mscorsvw.exe	53
PID 1956 wrote to memory of 2904	1956	mscorsvw.exe	53
PID 1956 wrote to memory of 2596	1956	mscorsvw.exe	59
PID 1956 wrote to memory of 2596	1956	mscorsvw.exe	59
PID 1956 wrote to memory of 2596	1956	mscorsvw.exe	59
PID 1956 wrote to memory of 2596	1956	mscorsvw.exe	59
PID 1956 wrote to memory of 1292	1956	mscorsvw.exe	60
PID 1956 wrote to memory of 1292	1956	mscorsvw.exe	60
PID 1956 wrote to memory of 1292	1956	mscorsvw.exe	60
PID 1956 wrote to memory of 1292	1956	mscorsvw.exe	60
PID 2276 wrote to memory of 3012	2276	SearchIndexer.exe	62
PID 2276 wrote to memory of 3012	2276	SearchIndexer.exe	62
PID 2276 wrote to memory of 3012	2276	SearchIndexer.exe	62
PID 2276 wrote to memory of 264	2276	SearchIndexer.exe	63
PID 2276 wrote to memory of 264	2276	SearchIndexer.exe	63
PID 2276 wrote to memory of 264	2276	SearchIndexer.exe	63
PID 1956 wrote to memory of 568	1956	mscorsvw.exe	64
PID 1956 wrote to memory of 568	1956	mscorsvw.exe	64
PID 1956 wrote to memory of 568	1956	mscorsvw.exe	64
PID 1956 wrote to memory of 568	1956	mscorsvw.exe	64
PID 1956 wrote to memory of 904	1956	mscorsvw.exe	65
PID 1956 wrote to memory of 904	1956	mscorsvw.exe	65
PID 1956 wrote to memory of 904	1956	mscorsvw.exe	65
PID 1956 wrote to memory of 904	1956	mscorsvw.exe	65
PID 1956 wrote to memory of 2472	1956	mscorsvw.exe	66
PID 1956 wrote to memory of 2472	1956	mscorsvw.exe	66
PID 1956 wrote to memory of 2472	1956	mscorsvw.exe	66
PID 1956 wrote to memory of 2472	1956	mscorsvw.exe	66
PID 1956 wrote to memory of 1544	1956	mscorsvw.exe	71
PID 1956 wrote to memory of 1544	1956	mscorsvw.exe	71
PID 1956 wrote to memory of 1544	1956	mscorsvw.exe	71
PID 1956 wrote to memory of 1544	1956	mscorsvw.exe	71
PID 1956 wrote to memory of 1652	1956	mscorsvw.exe	83
PID 1956 wrote to memory of 1652	1956	mscorsvw.exe	83
PID 1956 wrote to memory of 1652	1956	mscorsvw.exe	83
PID 1956 wrote to memory of 1652	1956	mscorsvw.exe	83
PID 1956 wrote to memory of 2944	1956	mscorsvw.exe	69
PID 1956 wrote to memory of 2944	1956	mscorsvw.exe	69
PID 1956 wrote to memory of 2944	1956	mscorsvw.exe	69
PID 1956 wrote to memory of 2944	1956	mscorsvw.exe	69
PID 1956 wrote to memory of 768	1956	mscorsvw.exe	70
PID 1956 wrote to memory of 768	1956	mscorsvw.exe	70
PID 1956 wrote to memory of 768	1956	mscorsvw.exe	70
PID 1956 wrote to memory of 768	1956	mscorsvw.exe	70
PID 1956 wrote to memory of 1544	1956	mscorsvw.exe	71
PID 1956 wrote to memory of 1544	1956	mscorsvw.exe	71
PID 1956 wrote to memory of 1544	1956	mscorsvw.exe	71
PID 1956 wrote to memory of 1544	1956	mscorsvw.exe	71
PID 1956 wrote to memory of 2480	1956	mscorsvw.exe	82
PID 1956 wrote to memory of 2480	1956	mscorsvw.exe	82
PID 1956 wrote to memory of 2480	1956	mscorsvw.exe	82
PID 1956 wrote to memory of 2480	1956	mscorsvw.exe	82
PID 2276 wrote to memory of 2444	2276	SearchIndexer.exe	73
PID 2276 wrote to memory of 2444	2276	SearchIndexer.exe	73
PID 2276 wrote to memory of 2444	2276	SearchIndexer.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe
"C:\Users\Admin\AppData\Local\Temp\0ffe2832e1f8a26b2fe8906d61cbf995f524f9d299779fb03dd70430c41ecd01.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Program Files\Java\jre7\bin\javaws.exe
  "C:\Program Files\Java\jre7\bin\javaws.exe" -J-Djdk.disableLastUsageTracking=true -SSVBaselineUpdate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Program Files\Java\jre7\bin\jp2launcher.exe
    "C:\Program Files\Java\jre7\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre7" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlN1xsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTdcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlN1xiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGxpYlxwbHVnaW4uamFyAC1EamRrLmRpc2FibGVMYXN0VXNhZ2VUcmFja2luZz10cnVlAC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGJpblxqYXZhdy5leGUALURqbmxweC52bWFyZ3M9TFVScVpHc3VaR2x6WVdKc1pVeGhjM1JWYzJGblpWUnlZV05yYVc1blBYUnlkV1VB -ma LVNTVkJhc2VsaW5lVXBkYXRlAC1ub3RXZWJKYXZh
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2672

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2432

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 260 -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 258 -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 248 -NGENProcess 260 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1d8 -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 268 -NGENProcess 260 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 274 -NGENProcess 264 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 264 -NGENProcess 1dc -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 26c -NGENProcess 25c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 26c -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1d8 -NGENProcess 284 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 288 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 244 -NGENProcess 284 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 264 -NGENProcess 1d8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 294 -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 244 -NGENProcess 25c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 280 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1d8 -NGENProcess 25c -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 284 -NGENProcess 2a4 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 244 -NGENProcess 2a8 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 244 -NGENProcess 26c -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 294 -NGENProcess 2a8 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 248 -NGENProcess 218 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 270 -NGENProcess 298 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 258 -NGENProcess 268 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1f4 -NGENProcess 218 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 240 -NGENProcess 298 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 218 -NGENProcess 298 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 220 -NGENProcess 24c -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 24c -NGENProcess 240 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d4 -NGENProcess 298 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 298 -NGENProcess 220 -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 25c -NGENProcess 240 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 240 -NGENProcess 1d4 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1d8 -NGENProcess 220 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 220 -NGENProcess 25c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 2a8 -NGENProcess 1d4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 28c -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 25c -NGENProcess 2a8 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:1824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2ac -NGENProcess 1d8 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 1d8 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 2b8 -NGENProcess 2a8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a8 -NGENProcess 2ac -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2c0 -NGENProcess 28c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 28c -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2d0 -NGENProcess 2ac -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2ac -NGENProcess 2c0 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:2292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2d8 -NGENProcess 2b8 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2b8 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2e0 -NGENProcess 2c0 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c0 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e0 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2fc -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:2088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2f0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2e8 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2e8 -NGENProcess 304 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 30c -NGENProcess 2f0 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2e0 -NGENProcess 314 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 31c -NGENProcess 304 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2f0 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 314 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 304 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2f0 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 314 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:1056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 304 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2f0 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 314 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 304 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2f0 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 314 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 304 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 2f0 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 314 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 304 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 2f0 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 314 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 304 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 2f0 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 314 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 304 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 2f0 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 314 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 304 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 304 -NGENProcess 37c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 384 -NGENProcess 314 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 368 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 37c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 314 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 368 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 37c -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:1868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 314 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 368 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 368 -NGENProcess 398 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 3a8 -NGENProcess 314 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 314 -NGENProcess 3a0 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 3b0 -NGENProcess 398 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 398 -NGENProcess 3a8 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3b8 -NGENProcess 3a0 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 3b4 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:1240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 398 -NGENProcess 3c0 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 38c -NGENProcess 3b4 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2520

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2184
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3000

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2252

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2812

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1708

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:428

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:876

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1116

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1952

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1932

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2648

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1540

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2108

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1464

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3020

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2800

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:880

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3012
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  PID:264
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
7b7c0e48e3e0a7460a92f72c375044c4

SHA1
0aa05da26ce209fb721335368cec7e1c0ff8c0e8

SHA256
f9ba86a45086e662b969659d558beb256ea441f0045d50d09019af48f3c7bd50

SHA512
530319d915390b8c7dcb91dfe5a9f46043dfc5463c27a52eb78beeb168bb9661789b2583a257cde6e07ee2ccf5e86c74ed17f4212b1baf0fe17ff74bdf145aa7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
a53afade43fa4d4387945d9143933643

SHA1
290f9a23ac937eb69b1187dce88c1d69aa51f3f5

SHA256
41464d0cad4d753113866b25cf4270389ee91289b90e5ed4a9fa1118ce3cba1a

SHA512
c17624a9ec1be34c46fd77a3125756f66ef9f5d05a1776469846fab342b36ef567203556f19109652903c371a87d1be3f83a95c44d449cc6ed7b1e31e83a26bb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
622d4e833eace6623bf9e7a65186a6e8

SHA1
0d5c09d234dc46419eddcb598a6402ad11f3573a

SHA256
4bd0c45a2750d8c48a66591bf9f1d9b3af19ea7edb64d5eb5965adc2cbd87aed

SHA512
05e5ed208d3f422d2fbdbedb24209c9646295b7a2bff501e2c42077b37da2f12b93cf3e6fc0cdd5076f3024479a356b3cc3cbfb4348a0d588525e2797d4fa969

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
945306af9233ac3f89dc56041427fca0

SHA1
6a6f25edaebc5c766021097569f4fe91f46db37c

SHA256
40db84aafd23c737b4df8fb9cf17354a38a82d26f3f0a7af4357402009afdec6

SHA512
a95f1abdfaa23d3e0e70cd57beac383066e770b575f55ec4e3a6d664f5928bd87626715f0ceaf5156852fe25e07c872bcecdcf375189046ab359bcf9b310b00e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
ba9a111dfd337499ffef39e6f73b3b0a

SHA1
219c1057c5962027a93ddacf95dd085507027424

SHA256
c72bb1e6bc1d68ee0e96fc96457dd101e4442ebf82f02722591564cc231f627b

SHA512
0692db148b8b8f8916c30a6dadf4182bba05250b008ef5b7b97f82186e429949da359698002eba44507bc1fe5cc9a2a8584139d307686ea0bbd21ee8d948e4bf

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
b9c661b529e3819aa481a95a618e204d

SHA1
800d9dbcc3b4682b99cb37787a3c1203541855bc

SHA256
ab0cd29ab62cd59ea28114ec29a14d8ec7914be5bd161ea1355a63eac3f74b6a

SHA512
4f0a4d2803a51eaef7899c7145312f0dbba9ca87709c1169b04bf06c1aea3ea8bb418d41a953b67a21b396bc81f7eaa16707f771fa796b44ca03e8cd7df07e99

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\46ceb172-5a375609

Filesize
12KB

MD5
e25932cd833303c6dd51299070436915

SHA1
421cbf197d06d54f50b6dd71915183b52b4cb030

SHA256
72ae5b35fbbc871b4abeef73fb265f9b20b43a881985e75745289a4a6b7f4bbc

SHA512
b4f16da4734fca4b7ccf3fcd3422c22d42ebeab8f4fb51d7e1f5e1011b1328d0e4ebc7b4630007e894de9fddbdb2438039e376520f0ddbd005fdcfef68a68eda

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
685B

MD5
dbddd3f6b96beac01fed8d608d30d57a

SHA1
03f8b63046c20fc0ff7b092a641751be8ea5dac4

SHA256
1c5794d550d71d8d982cbad81384706f5dee1bf80dd3c48a68d32f9ed0a19429

SHA512
73da27b7b96dfed708ccfc6f94664e8599129017e3c06ffd84795649b5c4cf7d819d6a70df35445950f3d9beb64842559cdee163974152e53ab460258cabfb9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jar_cache2911931310284303828.tmp

Filesize
12KB

MD5
a66e19c05f3e0b24ac077a37c2b7589e

SHA1
8b9ad1517985c48c0bd11670fabd3648bac9d1ff

SHA256
9771364d53fa9b1bd14cef7e48be1f5df23b11aac9f5cb6763a4934b3190e126

SHA512
0876a0072ac19f03818a2e5d77cec638470a09e40cd3794d901f1625c3f701f7b37a5cc6e23057a53e62d6e936f5c90bdd4a2c811c64dcfaa20dca5fdf63565f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
5KB

MD5
26638eab0b7b3bcb7ec6b03bad9de91e

SHA1
a68c5a4146883e6c2627e7ee06663a81be853333

SHA256
72bf3deca4eb68f699e5d67421a17c6d01c9c2b095bd18d5d17a653945806c14

SHA512
c2a219b09e099798543581d0a8363b6234e0610e51fb980d4ca867f0dc1197991391ae846eecdcf3f3cdaa7d17c59705442a6b5ce2a1f3cb55f5ce86d0e423b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
74900dc2dd78d5782a0ff117e8579e7c

SHA1
19693e015564854997f9fba1e96200a23ec43dd9

SHA256
d76f6409a88967faeb563dd306ab9a1c79d54315d54dbd641e650d4ddab1bbb8

SHA512
ef07c28a2ec5ebb368c5ba2857da05ced94a5ed5c54edb29fb7e9ea6b80bf5f13b6a1b4fc5866f46f43e27a97106b77453d53b7dc515e8408683b7986cbf5017

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
d58c7be4a6a7c2400caa9a1c9a356e93

SHA1
25591b5ba6b3a5199d2fe1a608f417c9a14d12f9

SHA256
7fbd47e8cb37635d199f5181b310789fc7d53345add17caf1497db9993f9a53a

SHA512
00a6351cf6fac07caff094cebbfcbee02d288a208101c5f0fe3f1d1d952b1fd3bfae2aa67a4255b624c109dbab4acda74b735ba20d1eebea65fc535f50bafd0e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
0a232ee0128cb937e0dddc86d44c2b10

SHA1
3d27a2f503a08279db4c9d58056fa44b86557b64

SHA256
399df70d78cfb513f74e288271a069f334a383f3a744f9dd5b2305ec16f07152

SHA512
1415f4872567fe9b9443499e8752904f4199a0b52ca753cb69b6da04c1e1cfb7c90bee0396b376014d8b4d72ed1ff4a2dedf8af66bf8f6c285a1157430810739

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
4a1a0a6542355f4f733fff6078b0775d

SHA1
26fc216dd2664cf8c2f79da6a3105d23c75df910

SHA256
ed156e70ae291f6f974c44738e1e8af863eb15ad0f2da0afe06903f63c035980

SHA512
1ffa07b079c2aeabb24179fad35f28fbf8579b9dbe26e29afe13747249ba4f60f63f4e3f4709cefe1e8a33ff861116cbf3d3ad8638b30b8e072db7c8893e50b6

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
09036c29422487403c79057941fee8b2

SHA1
6319a7e0522e2bde6a89971d99d2844e091e5002

SHA256
6f84994b19c0cc0815ce0ed4f57745ce521b8a4a5cf6788b5ff9606eebc44fce

SHA512
9bdff3912b00a3ce5e6e49203ddbaa66ab8c3b6000e923ca32cb1adc697b11eff52e24d576f55478346629f5943cc0754ef8ced8d98eead03715e13937887a71

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
caad399874f0258f317a838403b0692e

SHA1
e59c57c8f8975fd5b4a04433a6f63e38de963fde

SHA256
436291d195fd459c05b6b3ef8a7458e0cf5e328b3ee38c055ecc5d514e5c94e0

SHA512
f735a8826439725ae42143b96190cd9325cbae2829d79bfcf7c56d4ccd8a6d5e8244a4bdd57bf79f62d2c13ff5adcde4e3219ffe777dc512fb786ddf4bb3bbdc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
76d2f6925d7f4501ed9b73d0c5e535a6

SHA1
8e378a808b268b1d0a50a52bc4bc62283487c106

SHA256
e9cd42252d30adefddb9368508213925bb00673cfcdef185bad54eff08617731

SHA512
261cb9b5b153a215bfa6ec7edb029b34b3d364caf025855b20843b73d39b53c003afd724fb19cdf03e991d091c21c3b15d4fb4daea0b1d94eb0654d326b03798

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
6f36eb9b629af3f83966b8ae0c952b88

SHA1
24c3c61e628175a418c6631f74dd9a8a201fd61a

SHA256
a97e36264bb890960be866d82f79cea57581bf5e0c2efbc33f5959b2d4c948b6

SHA512
37b45c9f1288d7d108ae97042ba2fbd309520e8bbf6e63a8ef67d8035d6a146989acb6b84d648c9d7e77e46e72daa62fba0d670e88ab1f8c575940bd3f89524a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
a963fcb7906b2865d976009cb40b8622

SHA1
5991de8108f48887eed076060ad2973dacefe2ef

SHA256
98cc3a782e897ea8a5944e03913f8b4542f75d2abc122197552432c0b53e3588

SHA512
8a2f72d1e89b425b028b43d7077d1009dc68e2dd182407954c57042770fb4d110958b697fe4350a0b58ba4b0c29cf1d2474408164ceffeb157d8abc8d37447b1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
e2b50fadc44b687abda6326567ebd29a

SHA1
759cf321907ae966a921fdd4d572a8d199094658

SHA256
97c97b17ac4e6ab6249e943f16ee1e2f5bb54b62b874eb134585ab1a07309f2b

SHA512
cc74a1000bced61738b01d5f2e9b8fd3e97e89e2f25b134d8d1fcb1775ce7b2f65d4630c39126a97098a7a5cbe04ff545ef4a02a152cf6e1dccb69c2853e5b7e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
6bda01adeab30740092df8018fa83298

SHA1
e7c3c556abb76f95c565a77883863d219fc45f64

SHA256
73d42b88117ebe68632a1925601a8f2f8f383ac4c2d568e39dbca10f9abd94fa

SHA512
1a50f094b4ac8a5d1a3751b833236571f4af1f967228279388bac270d3c155670d11bdd36408773cb84d27cdf2eb844d0f52aa63ae7e95091ba20f6de44d339f

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
6834e6b46eb733d84a26bb26908cc119

SHA1
fe34952c5507afa183096939383aedfbcc7f49a5

SHA256
c8395ad36868177afe8035f53020d3d3a4359353e5570cb476524e475796d9f6

SHA512
d278adf28fe988555c148ab867fd7fcfe40cce72cb311017b6b52a01d04b4585d8fa494da92d3136f3a3ad0d4e2d579a8d102468097d0ab24aa5d47c80f2852a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
20dd3f9d50aa887be740e3ae95744cfe

SHA1
26a9f79dcfbcc1ffb528534b7009d478cb977139

SHA256
08cb1106bd0012630790a8d862ee030579fd7ef307930a9353950512dd862e45

SHA512
0b3aa5e422b08c69a1a4995ae11354ed2c6fda0787b8b0200cd3194dd7d098b806c6f613b2c955064eb1a80b32bb668f805821013541b31d7a88632607979ee4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.9MB

MD5
18dde1fc13b8ecfd6f0636408503236b

SHA1
e5663f73b508c4bb08892af91522c7d9cbace4f2

SHA256
f1a1e98936b68e3f9f250124af55369ce6bfacb5820bfb6c559b708a98cde3f4

SHA512
e09aeebd905d2356faf23d570b0f36faf31c8d86d99831a6ca61f09dff118bae737d0b07549ba5617de0084172571d7216228a633c6e81d53502cd723b4b2ccc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
fd82e48c427acf78254093e680d4de2a

SHA1
63812314692bbb0e113f57802d2c55efd8a5e95b

SHA256
77077ce18a08713cc384bc71dc68c9e1161bd5ed04982797005e6a8880db002c

SHA512
9ee42446af4c7ad65df9d510d6dbb7c7a42c233a4807a6ec3f36a5cd443341e98090f9a3722820ca244df9fcfc8907ffc2059ada49c2f2184b4c55ce2e19de09

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
b28c35fb2cc2f2473ad2c2d716daf03b

SHA1
35720943a61829865fddece56d841bd00e2b5cc9

SHA256
88368b0e920fca21d1ea205246f330056dc98085a69b7fb465bba7b72000b8d5

SHA512
32b623a7774753d5ae02247869090efd5c441b8219ed4073493a35dd66b9725cc0d8c910747e2fa3773c8a372b21912e1338f71c519634683962a73f12c86df7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\86ce496f78c75bcb363a217dccf67319\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
bde9efd9b4f15fe1c9b70d6110523640

SHA1
032282965ff5505562c6657d245a6e2998eed994

SHA256
bef0a6da9fcc7f1434040064f8ab536ad0581c222c15cdabd6d32e4646da592a

SHA512
2685d81d7a1f1e8be3c36ae0957aa75d49a8d2d24b10762b74b60ccd3540ee25e70251758c5d3786ae2e16e754d6ed01fc33c8baa73576e33dbedcce11d44ae6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a06de7e602db2cb6faef38c180fd6d64\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
e5f8eada727db4e443fa81b936a56a18

SHA1
05a20df94c55f9010af2cf4e0b29420147fd7c6b

SHA256
a3fa034acffc5fcb9dc2e598a834dfb01cf52fd30adebdc55d241bd17e16c6fb

SHA512
1fbeedbe344e97c8ef4877c9a3894a6ddcc878b8d5dc8a07520b7f05f65b809e11269850c4f254a3c0d3b901380e691dcc308c89d17534e162d7d0d605d9a000

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a2dd331d6c7765068a01fc9faeb88754\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
0b6cfbbfade678b3d299652f8c236727

SHA1
f2ed191a428ba95b5b3eeb1cd819583d61bd46a6

SHA256
636844e7653d7658c5c0e7c54503098e1f917a49d8c29b9a4070fadcfeaf1499

SHA512
799acc9687e57273d20ba88c5e262ed0e79030bc5e7b1a90e6f01a65586bf3e497cfff3db693845f27bcb6575b9a4d2abed058e5b5ee01cf662a2aa6f84812d5

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\c76f2aa7fced94504c3cd20b1dce7295\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
5ec9452d0f2403f6ab2cd53e60c723da

SHA1
bb97ca44d7be7880fe6fc1fd39593b3561a74be5

SHA256
2b3d3526a452eadd3ae2f573a75d11401562ceba951a6afdc4e2226932026992

SHA512
80e4a3b1311bacfd74305d0cd45367745ca4d3fbcad7b4af16bbb92edd5bc4da689c0c8578a057371e8bd26b347dd7146588a39b94d213521b354ed921d0d581

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
515a6babfd5d091249a3ce9c985f94b6

SHA1
85dff8c308ef77ee09da26688d234b6e40f1b6c0

SHA256
21862ba50fea7eee86b29c0f8104a613fd5b52588f5cd955f59b0e967be1ba16

SHA512
310aa60506a1a55bee21e8ef8b360558618fb122585290f280bf426a623b6a679a596fc4c14e551c3eb47e6202919d2771123c8949d700f917dc2650963ecc96

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
37b5dd960974a34db93e892ffa86ade3

SHA1
e195ce4b160a77dd0cdaec316161439b551a9492

SHA256
f2abceb0b809cbf424f2b204e78bb863e6f611f399f661be8294b8d3aa8b8776

SHA512
cddaf4a22292f157f7736a9c71a35a635821e3d05c978659a85cb77e4a162980925812eaf75664a7541f22bdb318ed83397800c0f6487c2f5ec6547df2bc39fc

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.6MB

MD5
907839008939c8fd4b194ffc2b8c9491

SHA1
0c64be818c3bd22be73332285abfdc5e98e0ca04

SHA256
20e04ab7fdb1c684f1fb1f164ca50b90339504fd4933b94aa2cf1094e3364e44

SHA512
e63005d4a2ff16ecf9fe1f9f54c907b9a1fdc5dcccb650238b7894ea89bc5721a4172e133a3d9d86b96adae0beabade4690863cadbffb87a2284bcf309d93e80

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
e7e74be992c19cbd566795bae952d414

SHA1
e93fcf08c72b1b1a6b919fb0ddf709de39e56fba

SHA256
b2b04f09e3a909acdc0123c7b325419b93ad3e32c0ea8b5473a241896a79061f

SHA512
fcaed63c6e8cf9cb0540b70cf5d061d0f5d29a9cdf04c7f61a272a5e77d0a65ac7681e57f03ea87a4e7af42a938020e249e7faa75850bc305d24b30a94f65211

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
9da0aaa980d169e3b5c66fb7819f4dca

SHA1
6a453907b7031159c0c02e6a9626211b2670deda

SHA256
15461e1a9b53d2d7354fb34a8e5e4e2af74262b05e9f55613e50a5fb81f9a6c7

SHA512
343e843d217fa709da9447663357e1d1908e101ec2ee679f0680d418b0d321aa5df155704adfadd274ca8108302cde4d43324e09529f42fe96b6f40032904557

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
46fd5ef1b15b128f1335d9b0c8267ddd

SHA1
c05d2eceba955ea0df4b4ab130ebed9fe82f5964

SHA256
cf9ccc0dc2fc10271565201c022946f5da9f6af6eaf54dbe5139c7df7e37c7ae

SHA512
79a9d5f55ab2ad3a818a9cb9678a0b2126958f047ae1f7b5e53253eaa4f1d91f720a91f9151b31bef63b0bc4f9460315a28a36566f5cefa043075d1ea049e40a

Download Submit
memory/428-306-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/428-448-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/428-308-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/428-300-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/568-781-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/568-760-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/768-901-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/768-877-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/876-329-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/876-487-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/880-851-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/880-620-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/904-777-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/904-804-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1048-515-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1048-801-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1116-369-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1116-509-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1292-645-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1292-765-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1304-996-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1304-969-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1464-671-0x0000000100000000-0x0000000100176000-memory.dmp

Filesize
1.5MB

Download
memory/1464-488-0x0000000100000000-0x0000000100176000-memory.dmp

Filesize
1.5MB

Download
memory/1500-993-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1500-1010-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1540-644-0x0000000001000000-0x0000000001176000-memory.dmp

Filesize
1.5MB

Download
memory/1540-432-0x0000000001000000-0x0000000001176000-memory.dmp

Filesize
1.5MB

Download
memory/1544-896-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1544-920-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1544-845-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1544-827-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1652-841-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1652-864-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1844-546-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1844-821-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1932-544-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/1932-376-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/1952-372-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1952-387-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1956-211-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/1956-174-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1956-375-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1956-204-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/1980-1047-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1980-1028-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2092-9-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/2092-1-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/2092-226-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2092-0-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2108-650-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2108-449-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2128-951-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2128-981-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2136-569-0x0000000100000000-0x0000000100193000-memory.dmp

Filesize
1.6MB

Download
memory/2136-392-0x0000000100000000-0x0000000100193000-memory.dmp

Filesize
1.6MB

Download
memory/2136-621-0x0000000000560000-0x00000000006F3000-memory.dmp

Filesize
1.6MB

Download
memory/2136-404-0x0000000000560000-0x00000000006F3000-memory.dmp

Filesize
1.6MB

Download
memory/2184-236-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-228-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/2184-403-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-234-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/2204-954-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2204-932-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2252-246-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2252-296-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2252-297-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2252-258-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/2252-252-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/2252-407-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2256-1030-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2256-1006-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2276-913-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2276-651-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2432-105-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/2432-70-0x0000000000A30000-0x0000000000A97000-memory.dmp

Filesize
412KB

Download
memory/2432-75-0x0000000000A30000-0x0000000000A97000-memory.dmp

Filesize
412KB

Download
memory/2432-69-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/2472-802-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2472-825-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2480-916-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2480-937-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2584-977-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2584-964-0x0000000003D70000-0x0000000003E2A000-memory.dmp

Filesize
744KB

Download
memory/2584-963-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2596-635-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2596-648-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2648-420-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download
memory/2656-27-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2656-245-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2656-35-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2656-26-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2672-321-0x0000000000140000-0x000000000014A000-memory.dmp

Filesize
40KB

Download
memory/2672-62-0x0000000000140000-0x000000000014A000-memory.dmp

Filesize
40KB

Download
memory/2672-608-0x0000000000140000-0x000000000014A000-memory.dmp

Filesize
40KB

Download
memory/2672-63-0x0000000000140000-0x000000000014A000-memory.dmp

Filesize
40KB

Download
memory/2800-576-0x0000000100000000-0x00000001001A5000-memory.dmp

Filesize
1.6MB

Download
memory/2800-840-0x0000000100000000-0x00000001001A5000-memory.dmp

Filesize
1.6MB

Download
memory/2812-289-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2812-287-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2812-423-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2812-280-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2904-634-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2904-85-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/2904-237-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/2904-510-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2940-60-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2940-299-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2944-884-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2944-852-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/3020-775-0x0000000100000000-0x00000001001F5000-memory.dmp

Filesize
2.0MB

Download
memory/3020-511-0x0000000100000000-0x00000001001F5000-memory.dmp

Filesize
2.0MB

Download