expiro | d9be5a0bb7c45888353a70b44b7667519a41c73c15ae2cab1a21fe32ab90f13e

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
Size

956KB
MD5

7fe31af4adb4df5f9068b74e66b56ccc
SHA1

c18d5823f4808a892653eb231e6927e0df8e6e4d
SHA256

a41f5ab28e2e2112625fb13286ff060b3be5a42d1f164c56b7ef43bdaff9ddaf
SHA512

a08469694816dd71e19a48fea95954a700a5a09931c713afa2be181ce581600f962b2bfd0552aa016dfddd892004ae178798948cba1aadb3e979e48dd9a2b3ca
SSDEEP

24576:ufWUtLpwbtLpwCyQyJQG0oJwvRDY95pWAFD1WO:CbtL2tLG/eM5pj

Score

10^/10

expiro backdoor credential_access discovery evasion stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 57 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2732-35-0x0000000010000000-0x00000000101D8000-memory.dmp	family_expiro1
behavioral1/memory/2584-97-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/396-165-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/848-180-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/396-181-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/848-184-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/796-191-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/2772-192-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/796-197-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/2672-198-0x0000000100000000-0x00000001002E9000-memory.dmp	family_expiro1
behavioral1/memory/2376-200-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/2304-202-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/1636-203-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/1636-205-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/3020-207-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/2904-209-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/3016-211-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/2748-212-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/2748-214-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/2312-215-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/1760-218-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/2804-219-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/272-222-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/1760-221-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/272-225-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/532-227-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/544-229-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/2364-232-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/2544-231-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/2364-234-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/1144-236-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/1216-238-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/292-239-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/2980-240-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/2428-272-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/2752-273-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/2844-274-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/2832-276-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/2024-286-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/464-287-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/464-289-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/764-288-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/764-302-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/2072-304-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/1448-314-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/928-315-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/1924-316-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/284-327-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/928-326-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/284-328-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/1364-339-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/1108-338-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/1108-340-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/2100-350-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/2672-351-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/1552-352-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1
behavioral1/memory/2672-362-0x0000000000400000-0x00000000005E1000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 64 IoCs

pid	Process
2732	mscorsvw.exe
472	Process not Found
2896	mscorsvw.exe
2584	mscorsvw.exe
2308	mscorsvw.exe
1760	elevation_service.exe
1632	infocard.exe
396	mscorsvw.exe
2984	IEEtwCollector.exe
848	mscorsvw.exe
2772	mscorsvw.exe
796	mscorsvw.exe
2376	mscorsvw.exe
2304	mscorsvw.exe
1636	mscorsvw.exe
3020	mscorsvw.exe
2904	mscorsvw.exe
3016	mscorsvw.exe
2748	mscorsvw.exe
2312	mscorsvw.exe
2804	mscorsvw.exe
1760	mscorsvw.exe
272	mscorsvw.exe
532	mscorsvw.exe
544	mscorsvw.exe
2544	mscorsvw.exe
2364	mscorsvw.exe
1144	mscorsvw.exe
1216	mscorsvw.exe
292	mscorsvw.exe
2980	mscorsvw.exe
1776	mscorsvw.exe
1108	mscorsvw.exe
2428	mscorsvw.exe
2752	mscorsvw.exe
2844	mscorsvw.exe
2832	mscorsvw.exe
2024	mscorsvw.exe
464	mscorsvw.exe
764	mscorsvw.exe
2072	mscorsvw.exe
1448	mscorsvw.exe
1924	mscorsvw.exe
928	mscorsvw.exe
284	mscorsvw.exe
1364	mscorsvw.exe
1108	mscorsvw.exe
2100	mscorsvw.exe
1552	mscorsvw.exe
2672	mscorsvw.exe
796	mscorsvw.exe
1492	mscorsvw.exe
2884	mscorsvw.exe
2696	mscorsvw.exe
2900	mscorsvw.exe
2896	mscorsvw.exe
2592	mscorsvw.exe
1484	mscorsvw.exe
1556	mscorsvw.exe
2820	mscorsvw.exe
2096	mscorsvw.exe
2104	mscorsvw.exe
1780	mscorsvw.exe
1968	mscorsvw.exe

Loads dropped DLL 53 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
1184	WerFault.exe
1184	WerFault.exe
1184	WerFault.exe
1184	WerFault.exe
472	Process not Found
2024	mscorsvw.exe
2024	mscorsvw.exe
764	mscorsvw.exe
764	mscorsvw.exe
1448	mscorsvw.exe
1448	mscorsvw.exe
928	mscorsvw.exe
928	mscorsvw.exe
1364	mscorsvw.exe
1364	mscorsvw.exe
2100	mscorsvw.exe
2100	mscorsvw.exe
2672	mscorsvw.exe
2672	mscorsvw.exe
1492	mscorsvw.exe
1492	mscorsvw.exe
2696	mscorsvw.exe
2696	mscorsvw.exe
2896	mscorsvw.exe
2896	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
2820	mscorsvw.exe
2820	mscorsvw.exe
2104	mscorsvw.exe
2104	mscorsvw.exe
1968	mscorsvw.exe
1968	mscorsvw.exe
1308	mscorsvw.exe
1308	mscorsvw.exe
2204	mscorsvw.exe
2204	mscorsvw.exe
2884	mscorsvw.exe
2884	mscorsvw.exe
2712	mscorsvw.exe
2712	mscorsvw.exe
1832	mscorsvw.exe
1832	mscorsvw.exe
1184	mscorsvw.exe
1184	mscorsvw.exe
1216	mscorsvw.exe
1216	mscorsvw.exe
2480	mscorsvw.exe
2480	mscorsvw.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-4177215427-74451935-3209572229-1000\EnableNotifications = "0"	mscorsvw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-4177215427-74451935-3209572229-1000	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe

Drops file in System32 directory 62 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File created	\??\c:\windows\system32\ckppeebk.tmp	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\alg.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\windows\system32\vds.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File created	\??\c:\windows\system32\kjmdgaaj.tmp	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File created	\??\c:\windows\system32\eoqgikmf.tmp	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File created	\??\c:\windows\system32\wbem\icefacga.tmp	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\windows\system32\locator.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	mscorsvw.exe
File created	\??\c:\windows\system32\gmligfgl.tmp	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File created	\??\c:\windows\system32\lghpflcc.tmp	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File created	\??\c:\windows\system32\oobpcjpe.tmp	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File created	\??\c:\windows\system32\fgdijmin.tmp	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File created	\??\c:\windows\system32\bnqoiabc.tmp	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File created	\??\c:\windows\system32\kihcoodg.tmp	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File created	\??\c:\windows\system32\eadhpbmp.tmp	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	mscorsvw.exe
File created	\??\c:\windows\system32\llkijgpd.tmp	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\cpkolbcc.tmp	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File created	\??\c:\program files (x86)\microsoft office\office14\kddffole.tmp	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	mscorsvw.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\cnjglhae.tmp	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File created	\??\c:\program files\windows media player\gadofnlb.tmp	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\mdchciph.tmp	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	mscorsvw.exe
File created	C:\Program Files\Internet Explorer\hegmepaf.tmp	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP83DF.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\bakffnio.tmp	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP93F6.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\fibplhfk.tmp	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	\??\c:\windows\ehome\pdjgmpli.tmp	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP85F2.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP99DF.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP95F9.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8B6E.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\makcjcak.tmp	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe
2584	mscorsvw.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2672	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2672	c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe
Token: SeShutdownPrivilege	2584	mscorsvw.exe
Token: SeShutdownPrivilege	2308	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1184	1632	infocard.exe	38
PID 1632 wrote to memory of 1184	1632	infocard.exe	38
PID 1632 wrote to memory of 1184	1632	infocard.exe	38
PID 2584 wrote to memory of 396	2584	mscorsvw.exe	39
PID 2584 wrote to memory of 396	2584	mscorsvw.exe	39
PID 2584 wrote to memory of 396	2584	mscorsvw.exe	39
PID 2584 wrote to memory of 396	2584	mscorsvw.exe	39
PID 2584 wrote to memory of 848	2584	mscorsvw.exe	41
PID 2584 wrote to memory of 848	2584	mscorsvw.exe	41
PID 2584 wrote to memory of 848	2584	mscorsvw.exe	41
PID 2584 wrote to memory of 848	2584	mscorsvw.exe	41
PID 2584 wrote to memory of 2772	2584	mscorsvw.exe	42
PID 2584 wrote to memory of 2772	2584	mscorsvw.exe	42
PID 2584 wrote to memory of 2772	2584	mscorsvw.exe	42
PID 2584 wrote to memory of 2772	2584	mscorsvw.exe	42
PID 2584 wrote to memory of 796	2584	mscorsvw.exe	43
PID 2584 wrote to memory of 796	2584	mscorsvw.exe	43
PID 2584 wrote to memory of 796	2584	mscorsvw.exe	43
PID 2584 wrote to memory of 796	2584	mscorsvw.exe	43
PID 2584 wrote to memory of 2376	2584	mscorsvw.exe	44
PID 2584 wrote to memory of 2376	2584	mscorsvw.exe	44
PID 2584 wrote to memory of 2376	2584	mscorsvw.exe	44
PID 2584 wrote to memory of 2376	2584	mscorsvw.exe	44
PID 2584 wrote to memory of 2304	2584	mscorsvw.exe	45
PID 2584 wrote to memory of 2304	2584	mscorsvw.exe	45
PID 2584 wrote to memory of 2304	2584	mscorsvw.exe	45
PID 2584 wrote to memory of 2304	2584	mscorsvw.exe	45
PID 2584 wrote to memory of 1636	2584	mscorsvw.exe	46
PID 2584 wrote to memory of 1636	2584	mscorsvw.exe	46
PID 2584 wrote to memory of 1636	2584	mscorsvw.exe	46
PID 2584 wrote to memory of 1636	2584	mscorsvw.exe	46
PID 2584 wrote to memory of 3020	2584	mscorsvw.exe	47
PID 2584 wrote to memory of 3020	2584	mscorsvw.exe	47
PID 2584 wrote to memory of 3020	2584	mscorsvw.exe	47
PID 2584 wrote to memory of 3020	2584	mscorsvw.exe	47
PID 2584 wrote to memory of 2904	2584	mscorsvw.exe	48
PID 2584 wrote to memory of 2904	2584	mscorsvw.exe	48
PID 2584 wrote to memory of 2904	2584	mscorsvw.exe	48
PID 2584 wrote to memory of 2904	2584	mscorsvw.exe	48
PID 2584 wrote to memory of 3016	2584	mscorsvw.exe	49
PID 2584 wrote to memory of 3016	2584	mscorsvw.exe	49
PID 2584 wrote to memory of 3016	2584	mscorsvw.exe	49
PID 2584 wrote to memory of 3016	2584	mscorsvw.exe	49
PID 2584 wrote to memory of 2748	2584	mscorsvw.exe	50
PID 2584 wrote to memory of 2748	2584	mscorsvw.exe	50
PID 2584 wrote to memory of 2748	2584	mscorsvw.exe	50
PID 2584 wrote to memory of 2748	2584	mscorsvw.exe	50
PID 2584 wrote to memory of 2312	2584	mscorsvw.exe	51
PID 2584 wrote to memory of 2312	2584	mscorsvw.exe	51
PID 2584 wrote to memory of 2312	2584	mscorsvw.exe	51
PID 2584 wrote to memory of 2312	2584	mscorsvw.exe	51
PID 2584 wrote to memory of 2804	2584	mscorsvw.exe	52
PID 2584 wrote to memory of 2804	2584	mscorsvw.exe	52
PID 2584 wrote to memory of 2804	2584	mscorsvw.exe	52
PID 2584 wrote to memory of 2804	2584	mscorsvw.exe	52
PID 2584 wrote to memory of 1760	2584	mscorsvw.exe	53
PID 2584 wrote to memory of 1760	2584	mscorsvw.exe	53
PID 2584 wrote to memory of 1760	2584	mscorsvw.exe	53
PID 2584 wrote to memory of 1760	2584	mscorsvw.exe	53
PID 2584 wrote to memory of 272	2584	mscorsvw.exe	54
PID 2584 wrote to memory of 272	2584	mscorsvw.exe	54
PID 2584 wrote to memory of 272	2584	mscorsvw.exe	54
PID 2584 wrote to memory of 272	2584	mscorsvw.exe	54
PID 2584 wrote to memory of 532	2584	mscorsvw.exe	55

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\c18d5823f4808a892653eb231e6927e0df8e6e4d.exe
"C:\Users\Admin\AppData\Local\Temp\c18d5823f4808a892653eb231e6927e0df8e6e4d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2732

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 1a8 -NGENProcess 1b0 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 238 -NGENProcess 218 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 1a8 -NGENProcess 1c0 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 1b8 -NGENProcess 23c -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 240 -NGENProcess 1c0 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 248 -NGENProcess 24c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 278 -NGENProcess 268 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 264 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 24c -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 268 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 264 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 28c -NGENProcess 280 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 280 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 278 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 248 -NGENProcess 270 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 264 -NGENProcess 298 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 1c0 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2a4 -NGENProcess 264 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 264 -NGENProcess 248 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 264 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 278 -NGENProcess 248 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2b4 -NGENProcess 270 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2b4 -NGENProcess 278 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 1c4 -NGENProcess 28c -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 274 -NGENProcess 2ac -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 25c -NGENProcess 260 -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 214 -NGENProcess 28c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 274 -NGENProcess 238 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1d0 -NGENProcess 238 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1fc -NGENProcess 1c4 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 1d0 -NGENProcess 214 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 2ac -NGENProcess 1fc -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 1fc -NGENProcess 238 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 280 -NGENProcess 274 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 274 -NGENProcess 2ac -Pipe 178 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2b0 -NGENProcess 238 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 238 -NGENProcess 280 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 2b4 -NGENProcess 2ac -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2ac -NGENProcess 28c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2ac -NGENProcess 2b4 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2b4 -NGENProcess 16c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 27c -NGENProcess 238 -Pipe 14c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 238 -NGENProcess 2ac -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 2c0 -NGENProcess 278 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 278 -NGENProcess 27c -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2c8 -NGENProcess 2ac -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2ac -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2d0 -NGENProcess 27c -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 27c -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2ac -NGENProcess 2c0 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2dc -NGENProcess 2c8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2e8 -NGENProcess 2d4 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d4 -NGENProcess 248 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f0 -NGENProcess 2c8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2c8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2f8 -NGENProcess 248 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 248 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2d8 -NGENProcess 300 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2b0 -NGENProcess 2f0 -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 308 -NGENProcess 248 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2c8 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2c8 -NGENProcess 2b0 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b0 -NGENProcess 300 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 318 -NGENProcess 310 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 314 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2b0 -NGENProcess 320 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d4 -NGENProcess 314 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 328 -NGENProcess 31c -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2c8 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2d4 -NGENProcess 320 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 33c -NGENProcess 2e8 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2b0 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 320 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2e8 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 2b0 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 320 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 33c -NGENProcess 2e8 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 354 -NGENProcess 300 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 35c -NGENProcess 320 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 2b0 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 300 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 320 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 2b0 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 300 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 320 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 360 -NGENProcess 2b0 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 368 -NGENProcess 374 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 380 -NGENProcess 36c -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 380 -NGENProcess 368 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 368 -NGENProcess 380 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 36c -NGENProcess 38c -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 380 -NGENProcess 2e8 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 380 -NGENProcess 38c -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 390 -NGENProcess 2e8 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 39c -NGENProcess 374 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 388 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 388 -NGENProcess 380 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 394 -NGENProcess 3a4 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3a4 -NGENProcess 3a0 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3b4 -NGENProcess 390 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 394 -NGENProcess 39c -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 368 -NGENProcess 388 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 388 -NGENProcess 390 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3c0 -NGENProcess 394 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 2c8 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 2c8 -NGENProcess 388 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 3cc -NGENProcess 394 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 3c8 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3b8 -NGENProcess 388 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3ac -NGENProcess 3d0 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3d8 -NGENProcess 2c8 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 3c8 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3d0 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:1948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 2c8 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 2c8 -NGENProcess 3d8 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 2c8 -NGENProcess 3e4 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 3c4 -NGENProcess 3d8 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3f0 -NGENProcess 3dc -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:1520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f8 -NGENProcess 3e4 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3c8 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 404 -NGENProcess 3dc -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 408 -NGENProcess 3e4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 40c -NGENProcess 3c8 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 410 -NGENProcess 3dc -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2648

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2308
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 194 -NGENProcess 198 -Pipe 1a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a0 -InterruptEvent 214 -NGENProcess 21c -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1108

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1760

C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
"C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1632 -s 436
  2⤵
  - Loads dropped DLL
  PID:1184

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
668KB

MD5
b0b284febb9b09b8180e7bfd4bd758fd

SHA1
9f96683f306bb60bfe397bc04f05ca8c91a933a2

SHA256
51f835e9da52cde7a79eb37719c12f0fa9afdc8b478b77375dbe9eb54bc87ad2

SHA512
4188c444e33ad531fdb3942bc85480029987d35f7e65e7a8ca93076f6d9c3f7e63021872a0f25034ea036c21697d172c9b2b0cb0d45a6104e9bfd58491462565

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
a38fd1fe67e352289c0d515de23741a0

SHA1
f566a47ce9131dca3bf5ebc9d03deb5dfc13bad6

SHA256
7d4810344ecf3a92a2b0ac63330a5b4daedb1dd8d75271b3e4493b8552711bb1

SHA512
0060c83d0fcf29c14409e5c3a2cc4b65b360ef2bbb111264afe5be958a6fe429818e0c2f3db99df13b9614dac5a07bd073ad5ec8288c9600e636c59d1d76e100

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
698KB

MD5
576c6131967ce01add88008b2a1c146b

SHA1
258731e25d6a5a8904fe0b5e30f2f42652c4c4f9

SHA256
eee9af147c291dde8dc52d107c79b6270d75cfdf9fb58421c6339c1c2226b8cd

SHA512
6fe5ccc2bfec95cfe256fc9d6adec3cf7bd4663363b7f3c9a44c5af7405a6085c165dcc3030ac1be33f1c394be1e49dbf6bedc45baf3e7df887b232695a6b540

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
645KB

MD5
ce1b04ebf8ee79019f2d78fe1c7dfbb9

SHA1
a91ab21051ddbc1892af987ce45589cf9a529f14

SHA256
446616dc220bc1477861b7be5097307bb6f983f199b5bb067cfa2abc74caea81

SHA512
367456c026436ba067eecc19234ad642c91ec793831498836ce73cd2c024268c9026d1da1725a553cb6dfa5ede4f80568a8d5ef65da296f5d5b76339985d6e38

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
f44e928ff2a493d9fb8415807b376820

SHA1
53ef150226d196fb591ddf0b0d88facf8f177986

SHA256
4950e3d04f5e424168a54c58a3192f9eeac7af1f328b5e5c5de1fffe314d6ed6

SHA512
9bc2090e248ead992bb15d4e6095b3bb88e8fe81404d42de2e92c986956a8664bf4cf7baae4c92a96018951835db1becdc789dbd94e1a0f1da463a2220f4f9c9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
676KB

MD5
58eadac057876bbd53fdb4f8868425d7

SHA1
954de519c4423f9b9c61ea2cd456944c1bba08eb

SHA256
b3a14d17a1897b20a1f900d876bb56a20ce72da18f65a15b70345635cc56f043

SHA512
6c2677f2df8218d105a6b89bee9fd951a7d1d0608333c3f592f25e10fb01ce7fe22ea634a286bb59125280b445f7c0cd3b537a9e35ba2a0805e8413d837191c9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
de3cc3827a70fdc509bbaf70377fcee0

SHA1
b91dd35240375fe238a151b3249bbf9f5ee09cde

SHA256
4d27dd0467446c35193851687d4cfcc89105fa6e9ec3a4f9df61d1e44e1b8016

SHA512
1dd405ad3248689d8d0ba6ca26f79438b0d972eaba18f5ee3adea9d7a5e93f038414ff81c68a67da1a18d1747a2e7c2ed6648af88710956eaf61d311ff45e598

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4d0dd3a362e28199a14d2a03a210b8d1\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
02ed0a38b099706ce08f9053dd360b49

SHA1
9f21d90c50cbfbdd2daa42ce17500daa04a7f17c

SHA256
b506f3d60185cdf9db0fc76adba9f808147f53e8ef18fbe73f63c3dd902f2b17

SHA512
dd9251584b102d579d69239d83cc9b6f7d099a82fb3976c3e45a119afe87c204f0957f9e11395dcace6dfa7bfef5fe7aa9ce256768e49331c7c2aeb2080d18db

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\677f702dae85e9e71dd263389b314e4c\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
707dfd12050367afa559a46fb9f58cc3

SHA1
5de2d34f0244ea30a7cee2ce057911d496b275ec

SHA256
c573fbe5d6d82ded4bf0b6e009ec70ce0deb2b6a17d071941d4be4d7a533c4b2

SHA512
09129b72022fdd6853ab271997dfe452df1fecc718b07b334559c481f5524c9cbb9a36f3f51631046332b5841012d273882b8ce5e95c6d38a52b7634dc15e3b8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\c5948330b949ea73b8dde2f00e110ff6\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
0174f984bc59c041b96eb1bdd2f18dd7

SHA1
3c5ddd550841139eae08a2b03c9b94020994d607

SHA256
1ef5b4255830be9149555b6c51709cc3d3d440521387c894f79de64eaab8e99f

SHA512
7d76f94df5aca296dd772a6e04d171d37f10619f5fd2a9e12ca92b5179512121c7534eee0f9ae05f2e224f9abe579853111e2c8ff22f4cb2a524e6622eb23525

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ebab1d0b27213a6b8ef77ac89077c162\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
4e10d217644432c61724564d9da0ca8e

SHA1
bcbf25fafad9202f72915ab53d303ee4e3fb1e2b

SHA256
20d1b6565dd8dcecad41cbd81acfc07c668d31794e2aeae02a02d8b7ea0facaf

SHA512
1bc81e669c057b0ba6e7307c57abba654b863a5b9803a75c88f7a6bd2c4e0b84743dd553440938797ceea36ca8c08ad98e410cfe3535e03d7f3d50c681dc436d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
726KB

MD5
560dcdd88ee82e46d308ad8b89fb6842

SHA1
c7109e7e9283177badcf8107dd601fc1bd081eba

SHA256
7be937c6d7d227f2aac0c96a72e5c90a7aeeee9b5a33859cf51f63f00fc034ba

SHA512
b6648d31fceb75bba15a4b59b7aeea8cdbb1e9d39cc57302cc13abe9b26c77d35421101edf0474c13c620fe06989c0c00c8268d2740ca0550c54548b3cd7f30b

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.1MB

MD5
170bba4e2607ff6a75374a6688545234

SHA1
8d94f1dc05ee844b427af1e83e0df35c12ab33e1

SHA256
0fb4a03dc4b7ca36183fea891fcc0a5238c452552b0fb81deb54ac061c9a2712

SHA512
53ff1ed1696e52dc794cbdce5f756a9ea5974e3cdbd1ea9d1b23ada43754a5e464816a42d59674c2ee3fb015483ed889114a1e680fc24921517d3d12160bf509

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
801KB

MD5
676ca1797292edd4ef02b4e70ca07136

SHA1
61a3a0fd6662b9951755779b28d97174abfa6bb3

SHA256
ad2dc75bbd6a000eab3f8ac5b27a15333d720d52483ccc249c7a5ee0398eb437

SHA512
7961a6090b5d7f3a96221d72fdfe84a0b7b493514dd487f073dd3f7dc0952dab9bf155f1c048f272df8701e08d346cfb2cc76b82b2eaba00666732c0f2d17097

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
2.0MB

MD5
355fcafe966143c51cb931ba22252ef6

SHA1
83e52a8f61b0ac7f9dc4d7d30c68351cd5deca1e

SHA256
2aa09b73486a8b79370c8d1b4017be0dd1f3e1f94f65b3f336a1630e321aa122

SHA512
16a00fe23976bdeef75cff2004b7ee049144adfa3784c167b838e7a0734293bac9763063737fbbc02e0732ced4bd7dcee1e207ede97a3dd907e34097bb8fa886

Download Submit
\??\c:\windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
3fd5d155558f61f65718e9c1f223446f

SHA1
060788e1e3a0b7d3a613a56fd1ed3ab83e6b6eca

SHA256
125befdf7e98ff19924d23cdfa20ab10e97a7ef1cd339f9cff166026e109f295

SHA512
afcbe53f01a81d3482d8434c7559171f9d88ba618ea9926be3ca650a757bc9e7b5f96e77765f0e14f7f9ac602e88771df9497e9dc957091ba7b3ed97556c1c32

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
711KB

MD5
10f82684d95c4823cd587baa74ab370a

SHA1
5b6ddae6cae23e0fc8339d17fbc052999df1338a

SHA256
5b6764e2153e972b482103b1928918e875b395330b70bcb4d6144ece8dc626c1

SHA512
5d14cb3e22d04cc597ca2d0b6a00c56a609855711d269c71394a52c87b1aafa75efdc1b60977cb9a2bb3587e5675234ace978d9f32a3f585064691c45958cc5c

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
623KB

MD5
402e3c940ad05a28706fcf2ca2fea56d

SHA1
8a5f248c2e039fdfda854f65ccf54f227f730b2c

SHA256
b0eb659b79ea48b0db1dd78c8cff2c990b752301b216c3ebac93868077c0d805

SHA512
facef99c62ed62dc496d29f7ed495cda6c2becb8e27ca0800c39e34fa9b6a0e44b2bf39c512fcf9413277f384f8cf7bbeeb122e1c4d0119037ba0d73928b9df1

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
664KB

MD5
dd8a44218b4f5c31cafa86cf9cce524c

SHA1
b9fc3956786d519a931659247d0d623c84eecc58

SHA256
a7c7a3bc89ef63efa98edfb4c13982b493a1e8dfc0e8490a480a918110ae7f5a

SHA512
71199ee03f3902f39e431e996201bbca7b82f43c816158f0fc9b3a6c88bfe452010f716da28a2970fcd4f54e5a36596ca9e5d62ebfb8d53ba2bb42a0286e1bc0

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
cf0077c1a30a68178d8f0582fd4f2bc2

SHA1
66181759d9491ffc601f27810195f6c8a6ae839c

SHA256
6ab365864e7461f501464e60ba030bcca53ce5d975ee179ba6b135139d3cc211

SHA512
94dc8886dc309a35b79b1625be2477acb2755e8b720d6c0d4f4ff79f195f2930193c8f2e3f6dd8c0c4111ddec513a73fafcd3a04c4740243645dbdf08e06d0ba

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
725KB

MD5
601fabd06ed01941833557a5f6406f3a

SHA1
d389a07be182d4c24e8b83de5c425243acf15a5b

SHA256
f022d6a26f22f1daf5b1dcad97a7ad22dbb28fb4996bdb1c23ce7cbdb0e880b8

SHA512
57a33de0004968c21b1603bbe01b0539d66b239f5c21ca59ebb1f9d8846d0fbb7323e1050af1b817c618b4b9ae97ac108164f2b73a38a18f9e3ba525c70ae232

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
711KB

MD5
8b5fdef88b4b8f5c8395924a41283fcf

SHA1
fcfb8ecee1b854f5f8e8d1606ac7eb84dbe3aea0

SHA256
eae888f6c255469ee2d0dc3f76c2b62857e463ee709b746e9bc6262da7890adc

SHA512
1af94befdf4a46ed4a7f5c3d7319cf7be662354dbe7662c85eefe3cb53cb6dfd88f1793ee571a2f5d9890f56814229fba7aa02445b746a0fc5bb52bd8ae5cdda

Download Submit
\??\c:\windows\system32\searchindexer.exe

Filesize
1.1MB

MD5
648ab039a3d10ad7fb8dff76499fb44f

SHA1
84b2febb2a7f31c254f74e86ffa527856426b0fd

SHA256
2a9f3e332bff76f174a5f995030ad2f5d5db2aa9c8a88eb09f7c3ec5f3f10674

SHA512
7b182fa4fafcac7f1d1193a860dd85d07cb8ff1d56a9f2541433dcc795fa5dd32f0551527924c597b0cd2eaab9c037a0ad0c8d6a0f1411c8c0aaba4d9316c6b1

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
601KB

MD5
da257379f6eccd927de04f4db8ed9ac1

SHA1
d616d48f8af0573bf608d4c5e249a06a4f5e276e

SHA256
cd2b2d53aeeabe7c927ff9c1f9075bf87954e295122591a0ef9f680909018f17

SHA512
609fcca1d7383ca8995836e1f009a2a47e1359e26e9951337e3305f0b2ce8aa05e69425f1799bc2d2ac1b4f30cd953ccbdbfbd185503874e82af16192436bb31

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
627KB

MD5
6fb68bd842c6473003edbc5c87269d32

SHA1
b2c5a1761c3b13ef752692b5691b64be1e9e2e57

SHA256
1ccef6b8a0f478d28f3d3333d87028df81d3b039141e6c9cf89387b4c1a0e4ae

SHA512
a4cee63a5b516407f1f1019502836113ac425f2f7787e2d420d674f07be8c877735e4936e1fdcb95e08fd9f3ecc56454c77e3650bc887144ac98e96e5210e00a

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1.1MB

MD5
5fc4c5a17d2ee55afcb6b37528291e54

SHA1
c327823c71a26ec6ffcb7de375dcddb471c211a1

SHA256
a8890b4ae9d2e09be70ed9cf5d3d5bfb1c11d44ed3b6b4d73cb6446646cc7feb

SHA512
8471d8dd04b3c3d4ebf0a10b1a8e4a67f0f1c74155deba7ec567dca327c751a9988e55a999f0a8b746d107f538ce4dca1577a199dac7985a412ec406eb03d9d5

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.1MB

MD5
ee33bb108570578dd8b07e028166e76b

SHA1
eb27cf7a32fe294160e6c941e8e5a44571a2ee9a

SHA256
f737b0a8d1197d58ae370a4bfa39d6b06cac312136cc719f9687568d062ab0a7

SHA512
07adff2eb2fb79b3bc58cd59f6058df442b793e8d362780f0860cede55cc5322393f77b6c89ddab8cff3ae7e2b2fe129663ed6f5d7f728055d4ac50950229b71

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
785KB

MD5
5b5ac96d48f494d09d404e86584b140d

SHA1
6db8e405f1eb3bd2e14ecef697c397f68bf64330

SHA256
0c7d5ac915a6e5b3d628a33e3aba53a00b53671b2c073e9246d737ae892e2b4b

SHA512
83b7e4b9dfc93130a5484b8e948ddd5f935ee68faa2134d9cb4be9cfb1148d1e524e7f56f784d03d33aa492e749d7b5bad566e7a0329dd63fc0949d30c3aed55

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.0MB

MD5
414847a90a46fdad6219603b71d05eca

SHA1
185ba12c0aa781170c5b50e54f7179dae6aa6138

SHA256
f18dd8f5c2871a5d8bbe9ff38ccb6e251ff287b5f1340e970a7f73b0e6b433fd

SHA512
a8824e64c8adc29c72576c55ea1a0c57b438dd5fdf191aadaa241edab02fdd038fbc6820e2f716ceb6704250560f9c9a89d53cf63844f8dd3fe5b2fc7f775112

Download Submit
\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.2MB

MD5
615281942711de10a7cf51624af2acc5

SHA1
74e70b5fe42ad660b0e860bd950d7ecc26c5107e

SHA256
a80b4c768057ccf175382429e0b3a539370c0c310f3751222d4bdc296cb99867

SHA512
f582c30a506abdc8e3be4d7eabb8dabe7ceb627b8619654e1e1595de708e3e91ab15b6b07d8c903a2ba99fb53a2f5b435928d3ee9007ce861756c80318cbf6cf

Download Submit
\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe

Filesize
1.4MB

MD5
70c16dd0d5a67c8489a352f9c747f2a6

SHA1
6017d5c15852d4dca6ae41ffe069f7d748f0d4c1

SHA256
7facc2df13978e085df2e903c5d28baae64f7f93fc560d5a363db027fb05d9be

SHA512
fb51c4e178243161aa40b4003ebc82b36ea609142b91cf65f0eb7d6030bd5ff3b058ab16dad0aae4cb151d7a7678bb3649081312c6962089b2f13f12951a2838

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
694KB

MD5
a847428ea3d1f7f4106e28b8c2b40a6f

SHA1
60ae30732671230a789901e28d5cd53f8851e5ee

SHA256
b8b4cc22341b94ed69c9c56b6f97125ba9ab6108c7863f18710feb0a8ca4f7f6

SHA512
0e8e9903fcb7c7b89c0599487d238204631cb2d9a94d501cf1561191ef4227d61b0def7170db7303d2ab5efe0326914d507bff43a762103cc541624dd8e392ad

Download Submit
memory/272-225-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/272-222-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/272-223-0x0000000005660000-0x000000000571A000-memory.dmp

Filesize
744KB

Download
memory/284-327-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/284-328-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/292-239-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/396-165-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/396-181-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/396-100-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/464-287-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/464-289-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/532-227-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/544-229-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/764-302-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/764-288-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/796-191-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/796-197-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/848-180-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/848-184-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/928-315-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/928-326-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/1108-244-0x0000000140000000-0x0000000140213000-memory.dmp

Filesize
2.1MB

Download
memory/1108-246-0x0000000140000000-0x0000000140213000-memory.dmp

Filesize
2.1MB

Download
memory/1108-338-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/1108-340-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/1144-236-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-238-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/1364-339-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/1448-303-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/1448-314-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/1552-352-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/1632-90-0x000000001B460000-0x000000001B4EF000-memory.dmp

Filesize
572KB

Download
memory/1636-205-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/1636-203-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/1760-221-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/1760-218-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/1760-82-0x0000000140000000-0x000000014039C000-memory.dmp

Filesize
3.6MB

Download
memory/1776-243-0x0000000140000000-0x0000000140213000-memory.dmp

Filesize
2.1MB

Download
memory/1776-245-0x0000000140000000-0x0000000140213000-memory.dmp

Filesize
2.1MB

Download
memory/1924-316-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2024-275-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2024-286-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2072-304-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2100-350-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2304-202-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2308-106-0x0000000140000000-0x0000000140213000-memory.dmp

Filesize
2.1MB

Download
memory/2308-59-0x0000000140000000-0x0000000140213000-memory.dmp

Filesize
2.1MB

Download
memory/2312-215-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2364-232-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2364-234-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2376-200-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2428-272-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2544-231-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2584-261-0x0000000000930000-0x000000000094A000-memory.dmp

Filesize
104KB

Download
memory/2584-259-0x0000000000910000-0x000000000091A000-memory.dmp

Filesize
40KB

Download
memory/2584-268-0x0000000000930000-0x0000000000954000-memory.dmp

Filesize
144KB

Download
memory/2584-266-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2584-267-0x0000000003BE0000-0x0000000003C68000-memory.dmp

Filesize
544KB

Download
memory/2584-97-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2584-265-0x0000000003BE0000-0x0000000003CCC000-memory.dmp

Filesize
944KB

Download
memory/2584-264-0x0000000003BE0000-0x0000000003D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-263-0x0000000003BE0000-0x0000000003C84000-memory.dmp

Filesize
656KB

Download
memory/2584-262-0x0000000003BE0000-0x0000000003C6C000-memory.dmp

Filesize
560KB

Download
memory/2584-48-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/2584-270-0x0000000000930000-0x000000000095A000-memory.dmp

Filesize
168KB

Download
memory/2584-260-0x0000000000930000-0x000000000094E000-memory.dmp

Filesize
120KB

Download
memory/2584-269-0x0000000000910000-0x0000000000918000-memory.dmp

Filesize
32KB

Download
memory/2584-47-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2584-271-0x00000000036A0000-0x0000000003706000-memory.dmp

Filesize
408KB

Download
memory/2672-2-0x0000000100000000-0x00000001002E9000-memory.dmp

Filesize
2.9MB

Download
memory/2672-1-0x0000000100020000-0x0000000100021000-memory.dmp

Filesize
4KB

Download
memory/2672-351-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2672-198-0x0000000100000000-0x00000001002E9000-memory.dmp

Filesize
2.9MB

Download
memory/2672-0-0x0000000100000000-0x00000001002E9000-memory.dmp

Filesize
2.9MB

Download
memory/2672-362-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2732-35-0x0000000010000000-0x00000000101D8000-memory.dmp

Filesize
1.8MB

Download
memory/2732-18-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2732-17-0x0000000010000000-0x00000000101D8000-memory.dmp

Filesize
1.8MB

Download
memory/2748-214-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2748-212-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2752-273-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2772-192-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2772-183-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2804-219-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2832-276-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2844-274-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2896-45-0x0000000010000000-0x000000001020C000-memory.dmp

Filesize
2.0MB

Download
memory/2896-33-0x0000000010000000-0x000000001020C000-memory.dmp

Filesize
2.0MB

Download
memory/2896-32-0x0000000010000000-0x000000001020C000-memory.dmp

Filesize
2.0MB

Download
memory/2904-209-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2980-240-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2984-179-0x0000000140000000-0x0000000140213000-memory.dmp

Filesize
2.1MB

Download
memory/2984-247-0x0000000140000000-0x0000000140213000-memory.dmp

Filesize
2.1MB

Download
memory/2984-109-0x0000000140000000-0x0000000140213000-memory.dmp

Filesize
2.1MB

Download
memory/3016-211-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/3020-207-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download