3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a

Analysis

max time kernel
147s
max time network
146s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-02-2025 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
Size

1.7MB
MD5

c9cf7dc454e98b34d50e0bc23f34cc68
SHA1

55825272c2deff94c6942ef1cdf2ec9624d46269
SHA256

3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a
SHA512

05946b93d4d5a2ef8cf435a2fd406378694da7f4bb6f8daa4be6fd1502b464ea0c1cbf38c1ba6e58f147351394faa8f44fcfd8604f9be2fd719538966fbd563b
SSDEEP

24576:aWd7S8NK3oYpkTcDvebZI7LrS/85RkVt7jUSkQ/7Gb8NLEbeZ:aKxNupkTcKb4rSUfkVFjtkQ/qoLEw

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2936	alg.exe
2692	aspnet_state.exe
2452	mscorsvw.exe
1472	mscorsvw.exe
2980	mscorsvw.exe
2088	mscorsvw.exe
2092	ehRecvr.exe
2912	ehsched.exe
2296	elevation_service.exe
2020	IEEtwCollector.exe
2504	GROOVE.EXE
2112	maintenanceservice.exe
1468	msdtc.exe
2308	msiexec.exe
2700	mscorsvw.exe
2928	OSE.EXE
2724	perfhost.exe
2560	locator.exe
2592	snmptrap.exe
860	vds.exe
320	mscorsvw.exe
2740	vssvc.exe
2200	wbengine.exe
1672	mscorsvw.exe
2756	WmiApSrv.exe
1088	wmpnetwk.exe
936	SearchIndexer.exe
2408	mscorsvw.exe
320	mscorsvw.exe
880	mscorsvw.exe
612	mscorsvw.exe
2196	mscorsvw.exe
1804	mscorsvw.exe
960	mscorsvw.exe
1356	mscorsvw.exe
2396	mscorsvw.exe
2948	mscorsvw.exe
1724	mscorsvw.exe
2176	mscorsvw.exe
1584	mscorsvw.exe
2660	mscorsvw.exe
676	mscorsvw.exe
1016	mscorsvw.exe
2280	mscorsvw.exe
2400	mscorsvw.exe
1120	mscorsvw.exe
1800	mscorsvw.exe
2632	mscorsvw.exe
948	mscorsvw.exe
2904	mscorsvw.exe
2868	mscorsvw.exe
2204	mscorsvw.exe
2256	mscorsvw.exe
2964	mscorsvw.exe
2588	mscorsvw.exe
2160	mscorsvw.exe
1528	mscorsvw.exe
2848	mscorsvw.exe
2324	mscorsvw.exe
2260	mscorsvw.exe
2684	mscorsvw.exe
1976	mscorsvw.exe
2160	mscorsvw.exe

Loads dropped DLL 50 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2308	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
740	Process not Found
2964	mscorsvw.exe
2964	mscorsvw.exe
2160	mscorsvw.exe
2160	mscorsvw.exe
2848	mscorsvw.exe
2848	mscorsvw.exe
2260	mscorsvw.exe
2260	mscorsvw.exe
1976	mscorsvw.exe
1976	mscorsvw.exe
2488	mscorsvw.exe
2488	mscorsvw.exe
1000	mscorsvw.exe
1000	mscorsvw.exe
2328	mscorsvw.exe
2328	mscorsvw.exe
2164	mscorsvw.exe
2164	mscorsvw.exe
2876	mscorsvw.exe
2876	mscorsvw.exe
1624	mscorsvw.exe
1624	mscorsvw.exe
2160	mscorsvw.exe
2160	mscorsvw.exe
976	mscorsvw.exe
976	mscorsvw.exe
1644	mscorsvw.exe
1644	mscorsvw.exe
3028	mscorsvw.exe
3028	mscorsvw.exe
2420	mscorsvw.exe
2420	mscorsvw.exe
2964	mscorsvw.exe
2964	mscorsvw.exe
2056	mscorsvw.exe
2056	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\alg.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\vds.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Windows\system32\locator.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\66eac8395f6c6349.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C3A4D3BC-D67A-4D2A-B0ED-B4E62D27E02C}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3A33.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3E19.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP34E6.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP22BD.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP46E0.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP13FE.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3302.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\mycomput.dll,-112 = "Manages disks and provides access to other tools to manage local and remote computers."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10055 = "FreeCell"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\ShapeCollector.exe,-299 = "Provide writing samples to help improve the recognition of your handwriting."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Sidebar\sidebar.exe,-1012 = "Add Desktop Gadgets that display personalized slideshows, news feeds, and other customized information."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10310 = "The aim of the game in Spider Solitaire is to remove cards from play in the fewest moves possible. Line up runs of cards from king through ace, in the same suit, to remove them."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehdrop.dll,-152 = "Microsoft Recorded TV Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10303 = "Enjoy the classic strategy game of Chess. Play against the computer, or compete against a friend. The winner is the first to capture the opponent’s king."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000446dabda81db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\dfrgui.exe,-172 = "Defragments your disks so that your computer runs faster and more efficiently."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-102 = "View monitoring and troubleshooting messages from windows and other programs."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32820 = "Indexed Locations"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Filemgmt.dll,-602 = "Starts, stops, and configures Windows services."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10309 = "Solitaire is the classic, single-player card game. The aim is to collect all the cards in runs of alternating red and black suit colors, from ace through king."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed"	SearchProtocolHost.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2844	jp2launcher.exe
1820	ehRec.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
Token: SeShutdownPrivilege	2980	mscorsvw.exe
Token: SeShutdownPrivilege	2088	mscorsvw.exe
Token: 33	2264	EhTray.exe
Token: SeIncBasePriorityPrivilege	2264	EhTray.exe
Token: SeShutdownPrivilege	2980	mscorsvw.exe
Token: SeShutdownPrivilege	2088	mscorsvw.exe
Token: SeShutdownPrivilege	2980	mscorsvw.exe
Token: SeShutdownPrivilege	2980	mscorsvw.exe
Token: SeShutdownPrivilege	2088	mscorsvw.exe
Token: SeShutdownPrivilege	2088	mscorsvw.exe
Token: SeDebugPrivilege	1820	ehRec.exe
Token: SeRestorePrivilege	2308	msiexec.exe
Token: SeTakeOwnershipPrivilege	2308	msiexec.exe
Token: SeSecurityPrivilege	2308	msiexec.exe
Token: SeBackupPrivilege	2740	vssvc.exe
Token: SeRestorePrivilege	2740	vssvc.exe
Token: SeAuditPrivilege	2740	vssvc.exe
Token: SeBackupPrivilege	2200	wbengine.exe
Token: SeRestorePrivilege	2200	wbengine.exe
Token: SeSecurityPrivilege	2200	wbengine.exe
Token: 33	2264	EhTray.exe
Token: SeIncBasePriorityPrivilege	2264	EhTray.exe
Token: SeManageVolumePrivilege	936	SearchIndexer.exe
Token: 33	936	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	936	SearchIndexer.exe
Token: 33	1088	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1088	wmpnetwk.exe
Token: SeShutdownPrivilege	2980	mscorsvw.exe
Token: SeShutdownPrivilege	2088	mscorsvw.exe
Token: SeDebugPrivilege	1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
Token: SeDebugPrivilege	1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
Token: SeDebugPrivilege	1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
Token: SeDebugPrivilege	1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
Token: SeDebugPrivilege	1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
Token: SeShutdownPrivilege	2980	mscorsvw.exe
Token: SeShutdownPrivilege	2088	mscorsvw.exe
Token: SeDebugPrivilege	2936	alg.exe
Token: SeShutdownPrivilege	2980	mscorsvw.exe
Token: SeShutdownPrivilege	2980	mscorsvw.exe
Token: SeShutdownPrivilege	2980	mscorsvw.exe
Token: SeShutdownPrivilege	2980	mscorsvw.exe
Token: SeShutdownPrivilege	2088	mscorsvw.exe
Token: SeShutdownPrivilege	2088	mscorsvw.exe
Token: SeShutdownPrivilege	2088	mscorsvw.exe
Token: SeShutdownPrivilege	2980	mscorsvw.exe
Token: SeShutdownPrivilege	2088	mscorsvw.exe
Token: SeShutdownPrivilege	2980	mscorsvw.exe
Token: SeShutdownPrivilege	2088	mscorsvw.exe
Token: SeShutdownPrivilege	2980	mscorsvw.exe
Token: SeShutdownPrivilege	2088	mscorsvw.exe
Token: SeShutdownPrivilege	2980	mscorsvw.exe
Token: SeShutdownPrivilege	2088	mscorsvw.exe
Token: SeShutdownPrivilege	2980	mscorsvw.exe
Token: SeShutdownPrivilege	2088	mscorsvw.exe
Token: SeShutdownPrivilege	2980	mscorsvw.exe
Token: SeShutdownPrivilege	2088	mscorsvw.exe
Token: SeShutdownPrivilege	2980	mscorsvw.exe
Token: SeShutdownPrivilege	2088	mscorsvw.exe
Token: SeShutdownPrivilege	2980	mscorsvw.exe
Token: SeShutdownPrivilege	2088	mscorsvw.exe
Token: SeShutdownPrivilege	2980	mscorsvw.exe
Token: SeShutdownPrivilege	2088	mscorsvw.exe
Token: SeShutdownPrivilege	2980	mscorsvw.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
2264	EhTray.exe
2264	EhTray.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
2264	EhTray.exe
2264	EhTray.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
2844	jp2launcher.exe
2492	SearchProtocolHost.exe
2492	SearchProtocolHost.exe
2492	SearchProtocolHost.exe
2492	SearchProtocolHost.exe
2492	SearchProtocolHost.exe
1368	SearchProtocolHost.exe
1368	SearchProtocolHost.exe
1368	SearchProtocolHost.exe
1368	SearchProtocolHost.exe
1368	SearchProtocolHost.exe
1368	SearchProtocolHost.exe
1368	SearchProtocolHost.exe
1368	SearchProtocolHost.exe
1368	SearchProtocolHost.exe
1368	SearchProtocolHost.exe
1368	SearchProtocolHost.exe
1368	SearchProtocolHost.exe
1368	SearchProtocolHost.exe
1368	SearchProtocolHost.exe
1368	SearchProtocolHost.exe
1368	SearchProtocolHost.exe
1368	SearchProtocolHost.exe
1368	SearchProtocolHost.exe
1368	SearchProtocolHost.exe
1368	SearchProtocolHost.exe
1368	SearchProtocolHost.exe
2492	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2060	1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe	30
PID 1996 wrote to memory of 2060	1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe	30
PID 1996 wrote to memory of 2060	1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe	30
PID 1996 wrote to memory of 2060	1996	3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe	30
PID 2060 wrote to memory of 2844	2060	javaws.exe	31
PID 2060 wrote to memory of 2844	2060	javaws.exe	31
PID 2060 wrote to memory of 2844	2060	javaws.exe	31
PID 2980 wrote to memory of 2700	2980	mscorsvw.exe	48
PID 2980 wrote to memory of 2700	2980	mscorsvw.exe	48
PID 2980 wrote to memory of 2700	2980	mscorsvw.exe	48
PID 2980 wrote to memory of 2700	2980	mscorsvw.exe	48
PID 2980 wrote to memory of 320	2980	mscorsvw.exe	64
PID 2980 wrote to memory of 320	2980	mscorsvw.exe	64
PID 2980 wrote to memory of 320	2980	mscorsvw.exe	64
PID 2980 wrote to memory of 320	2980	mscorsvw.exe	64
PID 2980 wrote to memory of 1672	2980	mscorsvw.exe	57
PID 2980 wrote to memory of 1672	2980	mscorsvw.exe	57
PID 2980 wrote to memory of 1672	2980	mscorsvw.exe	57
PID 2980 wrote to memory of 1672	2980	mscorsvw.exe	57
PID 936 wrote to memory of 2492	936	SearchIndexer.exe	61
PID 936 wrote to memory of 2492	936	SearchIndexer.exe	61
PID 936 wrote to memory of 2492	936	SearchIndexer.exe	61
PID 2980 wrote to memory of 2408	2980	mscorsvw.exe	62
PID 2980 wrote to memory of 2408	2980	mscorsvw.exe	62
PID 2980 wrote to memory of 2408	2980	mscorsvw.exe	62
PID 2980 wrote to memory of 2408	2980	mscorsvw.exe	62
PID 936 wrote to memory of 2316	936	SearchIndexer.exe	63
PID 936 wrote to memory of 2316	936	SearchIndexer.exe	63
PID 936 wrote to memory of 2316	936	SearchIndexer.exe	63
PID 2980 wrote to memory of 320	2980	mscorsvw.exe	64
PID 2980 wrote to memory of 320	2980	mscorsvw.exe	64
PID 2980 wrote to memory of 320	2980	mscorsvw.exe	64
PID 2980 wrote to memory of 320	2980	mscorsvw.exe	64
PID 2980 wrote to memory of 880	2980	mscorsvw.exe	65
PID 2980 wrote to memory of 880	2980	mscorsvw.exe	65
PID 2980 wrote to memory of 880	2980	mscorsvw.exe	65
PID 2980 wrote to memory of 880	2980	mscorsvw.exe	65
PID 2980 wrote to memory of 612	2980	mscorsvw.exe	66
PID 2980 wrote to memory of 612	2980	mscorsvw.exe	66
PID 2980 wrote to memory of 612	2980	mscorsvw.exe	66
PID 2980 wrote to memory of 612	2980	mscorsvw.exe	66
PID 2980 wrote to memory of 2196	2980	mscorsvw.exe	67
PID 2980 wrote to memory of 2196	2980	mscorsvw.exe	67
PID 2980 wrote to memory of 2196	2980	mscorsvw.exe	67
PID 2980 wrote to memory of 2196	2980	mscorsvw.exe	67
PID 2980 wrote to memory of 1804	2980	mscorsvw.exe	68
PID 2980 wrote to memory of 1804	2980	mscorsvw.exe	68
PID 2980 wrote to memory of 1804	2980	mscorsvw.exe	68
PID 2980 wrote to memory of 1804	2980	mscorsvw.exe	68
PID 2980 wrote to memory of 960	2980	mscorsvw.exe	69
PID 2980 wrote to memory of 960	2980	mscorsvw.exe	69
PID 2980 wrote to memory of 960	2980	mscorsvw.exe	69
PID 2980 wrote to memory of 960	2980	mscorsvw.exe	69
PID 2980 wrote to memory of 1356	2980	mscorsvw.exe	70
PID 2980 wrote to memory of 1356	2980	mscorsvw.exe	70
PID 2980 wrote to memory of 1356	2980	mscorsvw.exe	70
PID 2980 wrote to memory of 1356	2980	mscorsvw.exe	70
PID 2980 wrote to memory of 2396	2980	mscorsvw.exe	71
PID 2980 wrote to memory of 2396	2980	mscorsvw.exe	71
PID 2980 wrote to memory of 2396	2980	mscorsvw.exe	71
PID 2980 wrote to memory of 2396	2980	mscorsvw.exe	71
PID 2980 wrote to memory of 2948	2980	mscorsvw.exe	72
PID 2980 wrote to memory of 2948	2980	mscorsvw.exe	72
PID 2980 wrote to memory of 2948	2980	mscorsvw.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe
"C:\Users\Admin\AppData\Local\Temp\3ad3101970c6f20bd5b03f52a7d1bdb4c30ff29382af466d20310c13164e278a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Program Files\Java\jre7\bin\javaws.exe
  "C:\Program Files\Java\jre7\bin\javaws.exe" -J-Djdk.disableLastUsageTracking=true -SSVBaselineUpdate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Program Files\Java\jre7\bin\jp2launcher.exe
    "C:\Program Files\Java\jre7\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre7" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlN1xsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTdcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlN1xiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGxpYlxwbHVnaW4uamFyAC1EamRrLmRpc2FibGVMYXN0VXNhZ2VUcmFja2luZz10cnVlAC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGJpblxqYXZhdy5leGUALURqbmxweC52bWFyZ3M9TFVScVpHc3VaR2x6WVdKc1pVeGhjM1JWYzJGblpWUnlZV05yYVc1blBYUnlkV1VB -ma LVNTVkJhc2VsaW5lVXBkYXRlAC1ub3RXZWJKYXZh
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2844

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2692

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2452

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 1f0 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1d4 -NGENProcess 264 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d4 -NGENProcess 1f0 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 254 -NGENProcess 264 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 250 -NGENProcess 270 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 24c -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 274 -NGENProcess 26c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 25c -NGENProcess 264 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 280 -NGENProcess 250 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1f0 -NGENProcess 270 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 25c -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 278 -NGENProcess 270 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 28c -NGENProcess 1f0 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 288 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 270 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 1f0 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 288 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 270 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 1f0 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 288 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 220 -NGENProcess 25c -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 260 -NGENProcess 1d8 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1d8 -NGENProcess 28c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1d4 -NGENProcess 248 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 244 -NGENProcess 220 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 248 -NGENProcess 220 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1c4 -NGENProcess 1e8 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 1e8 -NGENProcess 244 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 2ac -NGENProcess 220 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 220 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 2a4 -NGENProcess 244 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 244 -NGENProcess 2ac -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2a8 -NGENProcess 1c4 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 1c4 -NGENProcess 2a4 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 1f0 -NGENProcess 2ac -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 2ac -NGENProcess 2a8 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 250 -NGENProcess 2a4 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2a4 -NGENProcess 1f0 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:1260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2b0 -NGENProcess 2a8 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2a8 -NGENProcess 250 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2c0 -NGENProcess 1f0 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 1f0 -NGENProcess 2b0 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 2c8 -NGENProcess 250 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 250 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2d0 -NGENProcess 2b0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b0 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e0 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2fc -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2f0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2e8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2e8 -NGENProcess 304 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 304 -NGENProcess 2f8 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 318 -NGENProcess 310 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 314 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2f8 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:2996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 310 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 314 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2f8 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 310 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 314 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2f8 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 310 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 314 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2f8 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 310 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 314 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 2f8 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 310 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 314 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 2f8 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 310 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 314 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 2f8 -NGENProcess 368 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 36c -NGENProcess 310 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 314 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 368 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 310 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 314 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 314 -NGENProcess 37c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 384 -NGENProcess 310 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 2f8 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:316

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 23c -NGENProcess 244 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:948

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2092

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2912

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2264

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2296

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2020

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2504

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2112

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1468

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2928

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2724

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2560

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2592

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2756

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:936
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2492
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:2316
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
6c7d030d0b4ecd17575706dd5be350df

SHA1
16498029fb31cfdd34f42a2e273732f0368a1d5d

SHA256
eb9ff15bf1cb24cd3b6d1d8bf343220e1733f46d1ca77825dc33bc69793a4f19

SHA512
121f6cdeeeaa49ff646fcef38a1a6b7b3795f22f563ff3f63d5f48214c739489d23127ac5e1e150b3fe77d6af066509a3c6894ec84d758bc238961bbad44bd5b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
6e31c856cf1268e3492c37a2563cdd0b

SHA1
fddb7b97dfb65898366784c4587568bc90d48062

SHA256
90742ab3de5da24ba0a94cd4bf93ed460601ca52257381ed7d2a42edf0f739da

SHA512
194f22429121bb8b46e853965a522c143a970540893eef2166e24227a1ea66ad1f83735281b0384bc5e29993c626365fd3c255ffbb7d4379617b2e4490bc4e43

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
5609524a975d2131c8460b09e321c33e

SHA1
f5d0ccf2cab325b2058baef0b20407b211c98406

SHA256
a30fd2af51b2470f8f3bf68699900bdd2a65806b0ad5922f4aa2b68829be7c9d

SHA512
280c8000b7cd8ce2594ec676c31993d9495a38890bccd6f568964062e6680f86a990852128da04ce23206564a884e505470a496a32451fa294e588a5ebdc7dbb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c703064b9a2e996387fe07a766c3f436

SHA1
65e5d6759fa2627349fd2b4e30a7743cf1f49559

SHA256
c6187d5d2a14b69b2743d61ca6ff42753266fdf0ea5928e6da12e3356ee4aef3

SHA512
daf9b88c0719bc3d7a2d63348b44a5cee157b751223083743a50ec1a3444a5314f6e0d2f63e59dad7ed7dba26cb3280b049cf4ab7cd9ee3a9e41ce18aebd8b5d

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
d45e3834e75bbcdf5b94fda7a370a039

SHA1
d3989dd184620d1c4eb7dfb800804a70822d5a60

SHA256
59c2328d0465d0b72420a9e77b3ad0d9f3fdc880ed35a8b1fe579ce33edb4591

SHA512
0bcfb88a657ccd8e5a3be7b04cf11fa0747c913db70c890d3e69d3439efa42f5ae1ea6c27169a6b0d134d56cca9d7760bebf04fa732ffbfbc658fbadabd6e3ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\46ceb172-17972cd0

Filesize
12KB

MD5
f9e48186bd918afaf08544e709341184

SHA1
978f291344ab0d51dddcb661dbf05034073f15aa

SHA256
32ec1dd00faab8c0fbd489644fef40f70a509fbdb578e1b9854876f380572ca4

SHA512
f735a4d6dd3620a51c2e1454c2a105c83b76bf26b5f9f1df3ce79308b56c6a9789ed49e527eedbb1723714fffaac247b374f2f188dcdf53249fd65214e8dbb68

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
685B

MD5
bdf4cdd53b3d2792aa499c88346d20c5

SHA1
ebb1b32865efa789dd1e023218619e9abc66bd5b

SHA256
c2713ec0f451f02233820674738f15192a87805d2a81651dcc44d6e1a90f98ce

SHA512
e71c65435202a4f8b1cfbdc30b87d183559805de1e02ee3df6e70cb20a8849bbd4eec81cbd82ccc5139ddfc9af0cb6fad1c7ada316dd04c2de20099be1043b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jar_cache3612266988793042802.tmp

Filesize
12KB

MD5
f47403fc5f6534d1eb5e6a4088c86d84

SHA1
ed2116d28be10439a9f35145a21535ecfba196f5

SHA256
ec77ef8b1cbf32edf02950406ca4fcb7edcef00bf498b1a714d734363881b97a

SHA512
937af202eedc100d0cd146554cbd2a98c580210ece2f0e92a1f7d6d1dfc49cd9f0e47867e707fb6e57725ae62210d38af2df25062ac838e3ac42b3b4c37ec90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
1KB

MD5
188fe91059eb34ed3ce3b89697d1d777

SHA1
0dbe79b6eda946d4a9cd5ab07d02427fe2d9474d

SHA256
d681260c8f4ab683ff7cf7e070eb5c5df74a5abf4b82a310b8d6f14de654175f

SHA512
7c0c388863a7f9c2792280eadf8325e56db2555511ed2abd94f1f88aec7c32e93ba86980a4ca14e95def0cef314f92919808080e75cb9cd36e68550a149038a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
5KB

MD5
f7cbb72d47001d71ffc902048bf1c2f1

SHA1
97f7366131f1a1602754fba7f71b7180de2cb7e8

SHA256
574e97888bfcb1f4f55a364b04c03d2a7b4c48fb55d7c33be86bd6a6d2d76be5

SHA512
722fdcc3c3254a38674cd7e70206d552abebf60995a87fc8ccee322bbe3c020948fb51572b71be9d6851fc61a341ee4bb7456797f405704840c2fe94189caa3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RQPXRREBJ3110ZSI0NIC.temp

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
a4fa93707c342b975ef62ec9412c646a

SHA1
68682af573b54546f9d58804a6ee017f08cb3dd9

SHA256
b8b66f363aac2bd9f414e76f0620ad3bba33cfc3b4f892a12a058bcc2aad6cb1

SHA512
d326189edc4b6ac1fe36455dd42c1f8296bf865324b3c0a83ea5be5b69703baf97c3503e90f0e8236a7710a322062afa22f65e4ffa8b4fc2f750ab33cf172752

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
7e4da4133790de6955122deeb3cfbd3b

SHA1
620e0ca10016dbe0af97ee82c61e3d3607da6515

SHA256
e4a7e1ce6ae3023fae074205f5d686740bae9ef0bd1db4f9771255780324a563

SHA512
366eab7dc5dd26fd91fbfaeb23b2687e35f6ceb2e7fa561a15a31b858ec2723802dedb25d443ac48e776cd2df9d40170085b88b368a1a38cd86e0d2c66329d88

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
7f94863bb0bdbb419cbe2248bc62830f

SHA1
072008382fc3745ede5220a654c0b4cf203962f0

SHA256
397642a086ec69889459bb29fa0104bc23965c896596f93ad36c01dc520437e1

SHA512
dd9857ff08b40a87ecb03ea7960399f61361b16220e5ef0cff2f7d551b3589d52ee38f69b655ae5569b72784bf23816acbdb6b92b931df80ff38d44309cc7991

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
2e7c48f5522185e8dfbec6d081b5972f

SHA1
5f459bef84acaa34242363eb0b6472ec0301f1fa

SHA256
49d06ccacbc76fae8c37e02009760e70da029cf0b77c4a7d0b235a73b0a19458

SHA512
29d7c03dae0a92efd62e3188ded0b24adc6163be3c4695883e257146175f6d1eb5b2294e77e9671fd0a69f8fa5b64014fe820d6c27e4cb64c49fc3fdcb9e5953

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
e14d761857488ea258917169d9e61b64

SHA1
78815e8793d7a13c264e6a02466ad3cdea12c6a0

SHA256
3594f96f4b315b54c261789f94ef02acd96386ca072ec9d271f3d0d0b47bdd94

SHA512
87f7ca891c9af2adbda95bc31f77b23565e815d4672813d7f859e2918bb6e4f43574dc2cf710ace473a446dccf8860d7b1e59f293422a326ad747bdaa992a970

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
1052ec06eaf95210fcba89f559d3d000

SHA1
8be0ee343dd7cda6c235ed7c37bd6cb31da6de3f

SHA256
738f19ce36729c7609bd652cd5a66b68e5e9e749cab3c411d69bc0575be2bd31

SHA512
6fd6e7ed465fea2585c323c8f18bfb3f1e8dc494d6b16bd36e89bf07ef8cfde6ff06de273b88b9536b7af57f84904ddbf5d030e802c474136352c35cf4f116fa

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
0e8750a0dde9dbeebf4646147c891738

SHA1
e25644dc1351a86e2d0b7815c7bd75a12d85c0e0

SHA256
5e2bf35d92575f8c7bdb6fb1243a15e3a83c64d78f4c01f970e453379235123e

SHA512
2b3e569558b593a77d78cb877c2ee9513cf2799c833022e44309f652d2abdafb365c7fea1d73363bc3a9325d803411cfd79cb60fa07984fb295c83af2806902b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
2b80b6f7c5c3e0e5d405fa67cfe26d0a

SHA1
bd6f0f7e0009fb16073629e03826978bd2677b4e

SHA256
a65d9d3b739358a42968cc82cc1a52fc21ab8d5d42adbbb803ab7bb09c8e758b

SHA512
c8d1de4d7427347d46f88745ddd99cf1afa26d9600a8a00dd5be5cf00532c242336da3b1e4f4a717237a9cdc5a3b20810a20b5c545077c0b339aa024fba85adc

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
61e02ff97f355ddbbd0bd8f421d40ddc

SHA1
19db10957626a4db981c18e8c79e73a9c46a76b1

SHA256
744fa0563d7fba80e14118dcb9ff302a3600503c709712dd6598f13cab251dfe

SHA512
16833db5744deb8dd74898d2b91a95a7580b337dfa558d0faa38e857cadc8d41511fae04b805bac82bbb54f0aefb485b072dcc0ef70eb17d418f42079b010702

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
2b05a6135aff6babe8405944d40dd566

SHA1
ea64aae24ac44d24bfe9e7ea1a7e8949cfb28f6c

SHA256
63907b05d449f2bd7e283a679f4a0746a6a5ffba508c3c28393d43a0ef332315

SHA512
b565b25fd86db50d9fd7ee21e399ffcb87e4067ee9c39d9b59d1ce37511e7762562fe8d4f1c0ac5e939e3384172b668cef6a79a0bf0d5cf074dc0101b6890818

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
e59041e81b056375b2333102b6d82117

SHA1
484e64292d3657051541ba8810675c35c63838bc

SHA256
358f75317f6f7e7cad6c5095eb16c5635f548a75aac0c572bec25c241da04977

SHA512
88dfc1c025485742f28e1b4e2b4b625d5f7ea1dd811f6830b1b542f56524db7d20e1d3ca1296b2db912ab11e96e19eb654921d05feabd4629cbcd4fa20ecfe03

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.2MB

MD5
e3ea1725b579d53099cb220e45aed430

SHA1
a74c5f75c1bf4f53c350b037ded32e8ddb66ad7c

SHA256
4fb16b28c3bb301004de0d2bb5661811d391f9139afdf05d27b69a96a10a5017

SHA512
e771c03de0ec6b952b9a96e4c2752a813234e0ddabf6429cba9a20a899237bf395f1be92732464f8a019517f2955b4d2a92ee46436d55af22ec407ae22ccd9e3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
826332406159832c958cce2a1ddb1f33

SHA1
963799581bad037a59109a54dcff5adc24fe4eba

SHA256
c92219b3433f31d430eaba707233eb55c805f2ed5e660df8e43b9ade411f2906

SHA512
2090e4b82eb921a1b04c89c6dc4420c75625817a44f54778a23e5461b562ca42c210953523d2960f6dc73e519eb670962f61717bfd326e758c93bd066471ef24

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
de201561519d0ecd8321620e1f64cb8e

SHA1
72378e8db3c47f349c02711fb5471514791b5829

SHA256
5d38c0407314d49552bb4f55f1312dfa887cd9b36b55a8dd80304a0e7ac8aaf5

SHA512
0f3797290528b3cf22c8aaf15ea1e24bc41472c8309d667c612d1ef80be16d415272d7cb214c8ede421e720606d7632739328a633430eef18663314db9eb6150

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
d4dcca5061e0f301564a1e3aa3fa02c0

SHA1
29c5f5f01fad9dbb647d8b75f6ebe2eb6a038663

SHA256
6b12b02ee74820adc82df5cdd84d9b3c57f76f4b229850c339c87ef1ca140eb3

SHA512
394b9590468532270431321e553af825b5964208bd0a134fa1a763b9adf5a0d4d3078b558db8d10bfd100a2b3aa4f3a65357d848447bf41d0f3b310ac9af6067

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
d7428c30f4e84efdd82f6205bf5dc356

SHA1
d3573c604100b3f9af60a06a36a6ca5817ba22cc

SHA256
2fe456ff9c573ea0dd012bce9abc6df0309497e125bca35d2f3e6d4c4797ea7d

SHA512
5f0c54efa753252474c8f264888d4990c06459ad8ad5a7031f3c21c1a54fe5bed79dc94ad63bc3a48536fd1f5e34c9eb4fef682ba11e927a0b0a1639c67ea223

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\208c2a460200f3ca6a083ed6e349c09e\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
3b8a77b98dd93a5330e1174074c073e8

SHA1
3c88bec84df1cf6c5919a719a1412774021fa2df

SHA256
ca4c348dd65818914e505fe84a942508b2d641beb245bcdb5efa72ce8fd049f6

SHA512
5a2f8d8822f685e116643579ce31a387bb6dfec75437af14efa4b28a59b199888d4eeb28768b35bd2b39f5aa0adedbbbca41a579db58e08140d15c1bbf78a689

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\77da1f5dafd3c14fa681a205cc5c009e\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
e54d2a1751ec543d1cbc54014f217971

SHA1
d7b6f19fabf1e30da6e6b89e49bd132f2756cf22

SHA256
d4ffb85689cab6997a6c03c91d625c493beb3bae77e7a33a7074e978005a1470

SHA512
57047d6dae6b1953fe33a6a8588a5db75db608d5247adb04d59651d4793ba0d4d967f0483e7afb5c97a968d4e7378d0c53eb0a3830c4230302e54f6c6b74f103

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ac2e1ab5cae0ba75d0a7173ad624c222\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
1eff63517430e183b5389ba579ed93e2

SHA1
5891927b05adc6db5464fb02469c113a975ebbf0

SHA256
b56eb87a81a8777ae81fe8099d7f18dd11757dff104a9609a0568ca0b4ce0856

SHA512
2861ba07bfea6dbe1e349df886a401df47e9ca2a3846d1f8a269c6a558bdc5f5e4bf30cbaa8c115af801f2e5bf722084b88290e1dd10c4cedbc49a26e8eda844

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f3290bdbd16368768f949e72a75354c0\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
7f41dba3dc61b1f86de2d629977f0f4d

SHA1
94ebe60d83888de561866cd830f3e19c7416efaf

SHA256
a91ae31cd5136cb1f2a8bc174357da6cf567edef20951a81e5ad4b1543a6e672

SHA512
705f5317d409b6105a88d35e830020b82651fbc1aa8da6e84a683cfeddf051326dca3a5789abb2d6ec5fa2ab6eb3b16fcbe56488c99a937217edc7c9d19c8e9e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
c859dfabbd99db8db1191966cbb2a086

SHA1
72d260e7afe7df04586c6f9ebe505b36c7ce0dbb

SHA256
c607fada9698ea1fda06feeb6fc27288cfbddfad43d49fecef3d42b2b2d8e337

SHA512
18b8f2a6b4c3a81e8dc77d2389fd32368d5ef9bf248ddc9b207aa606cdad87a8627b7bee9c282cf7de7aa1f3e6e36b1595f43e1c4b49b100d92a9e77e4caed6a

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
8b1f721abd5508c06279636e1c073c26

SHA1
b422b817af28eed88a2066e59454caf70c1d73ef

SHA256
ea09bec675fd5a817d443c53465fb03277479ef9aac983994531ad4780fe4fae

SHA512
1bb323ec99c4504e65f28ac55caa6564bb16136f68ebe74ba437b4816b1f1461a0d0619f7a51b53b1eef8f35ad6624f6965f3b2c045515d38899c69918c08ee6

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
9dbfada09de584d4c8249c753b842762

SHA1
e52b9a2af6e5fb3fbf297a604549d94486132d66

SHA256
7f689e2cab9a2ab9e656037a98ef1f3a701f4c478b383a40c7ab068f5fc910f7

SHA512
4b0b60e89936065c3f64eab7045e7668377e5b3053367ac97dc640ca5adbf8603760bbd5a985c322f2be8b32a63a0832c81c2ea39ba5d6d7719abd5f8627483d

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
d1b54c84ece38139af0f2f2b87d7d095

SHA1
0fe545b07b3c11e8a3e9390068e71d180fdc9232

SHA256
571a9a8532f4acfb58e66091506d5ad283907e1dd7c1e9f382dfe603f65ce3b0

SHA512
58cf020988d0dc3bc95ee37c1f6e6252b16b6299098b21a044c8093f8e9483f352e4b99561c10ba1bbfe2c3f3a13bc71639c322cd86c0a75cac345bb5272ecea

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
31de0f933ec56f8dfe7dfd842c74c2d2

SHA1
f68d2b7eb1069aa7939844627a003e98f9574a5f

SHA256
b33aaaf16aa3b23bc2c303652406fe221cec2fb6d43fccfdcf9df9d42ec4265d

SHA512
f298f85527b920b38e2283192c1c8c54957a92892e2cdcdc7f7a5143019fe4e7267e36062c86667b302eb989c0ab6a20cc557d9076cd0ddda1c3fda09d7493a4

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
dd076beefae50755f278e4037f622989

SHA1
39696f907c481263037edd03a9e341a7a5395dcb

SHA256
7b068ed3d56f0899782f88b9ac305c849462690be9a1f2441e4e1b2cb6f8d91b

SHA512
557f937f6d05717e8c738463ee63568f2f0056454ad1e9fc78e97c8914a70a76b9f859c6adeee30e222e18c49bc441bb0cd0fbb3347499239f42734cae3b0c96

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
07c37af45a04eb224475b220f7317f00

SHA1
5cdf1e69ae5a032882fa5f495c35694e54548a87

SHA256
88f5d4ecef1e55326732dcd51cf6cd6141e67962faedb48ecad78ec6801296d3

SHA512
1cb37ccf6fed1bec945bc176faf1bd7ff812fe8943a80939404c71c091674a0a59e49805fe3b59675077a5ccd2a98b8b9e4874f4bef6b62b63c9a20f055305b3

Download Submit
memory/320-584-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/320-887-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/612-917-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/612-929-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/676-1093-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/676-1102-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/860-507-0x0000000100000000-0x00000001001AB000-memory.dmp

Filesize
1.7MB

Download
memory/860-861-0x0000000100000000-0x00000001001AB000-memory.dmp

Filesize
1.7MB

Download
memory/880-922-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/936-992-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/936-670-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/948-1178-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/948-1172-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/960-993-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1016-1115-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1088-654-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1088-985-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1120-1145-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1356-987-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1356-996-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1468-408-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1472-91-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/1472-92-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/1472-271-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/1472-98-0x00000000002F0000-0x0000000000350000-memory.dmp

Filesize
384KB

Download
memory/1584-1081-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1672-585-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1672-857-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1724-1055-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1800-1152-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1804-940-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1804-967-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1996-0-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1996-90-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1996-9-0x0000000001E20000-0x0000000001E86000-memory.dmp

Filesize
408KB

Download
memory/1996-2-0x0000000001E20000-0x0000000001E86000-memory.dmp

Filesize
408KB

Download
memory/2020-337-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2020-1191-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2020-457-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2088-415-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2088-152-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2088-148-0x00000000005D0000-0x0000000000630000-memory.dmp

Filesize
384KB

Download
memory/2088-142-0x00000000005D0000-0x0000000000630000-memory.dmp

Filesize
384KB

Download
memory/2092-263-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2092-255-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2092-431-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2092-257-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2112-394-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2112-411-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2176-1056-0x0000000003C70000-0x0000000003D2A000-memory.dmp

Filesize
744KB

Download
memory/2176-1067-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2176-1052-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2196-946-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2200-581-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2200-919-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2280-1127-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2280-1116-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2296-305-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2296-452-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2308-569-0x0000000100000000-0x0000000100149000-memory.dmp

Filesize
1.3MB

Download
memory/2308-582-0x0000000000600000-0x0000000000749000-memory.dmp

Filesize
1.3MB

Download
memory/2308-433-0x0000000000600000-0x0000000000749000-memory.dmp

Filesize
1.3MB

Download
memory/2308-417-0x0000000100000000-0x0000000100149000-memory.dmp

Filesize
1.3MB

Download
memory/2396-1028-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2400-1137-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2408-869-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2408-855-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2452-76-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/2452-77-0x0000000000950000-0x00000000009B6000-memory.dmp

Filesize
408KB

Download
memory/2452-82-0x0000000000950000-0x00000000009B6000-memory.dmp

Filesize
408KB

Download
memory/2452-187-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-496-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2504-364-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2560-480-0x0000000100000000-0x000000010012C000-memory.dmp

Filesize
1.2MB

Download
memory/2560-760-0x0000000100000000-0x000000010012C000-memory.dmp

Filesize
1.2MB

Download
memory/2592-497-0x0000000100000000-0x000000010012D000-memory.dmp

Filesize
1.2MB

Download
memory/2632-1175-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2632-1163-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2660-1076-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2660-1085-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2692-66-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2692-286-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2692-58-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2692-46-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2700-546-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2700-437-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2724-669-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/2724-459-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/2740-557-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2740-916-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2756-963-0x0000000100000000-0x000000010015B000-memory.dmp

Filesize
1.4MB

Download
memory/2756-592-0x0000000100000000-0x000000010015B000-memory.dmp

Filesize
1.4MB

Download
memory/2844-71-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/2844-70-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/2844-328-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/2912-287-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2912-1188-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2912-436-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2928-455-0x000000002E000000-0x000000002E14C000-memory.dmp

Filesize
1.3MB

Download
memory/2928-653-0x000000002E000000-0x000000002E14C000-memory.dmp

Filesize
1.3MB

Download
memory/2936-109-0x0000000100000000-0x000000010013B000-memory.dmp

Filesize
1.2MB

Download
memory/2936-32-0x0000000100000000-0x000000010013B000-memory.dmp

Filesize
1.2MB

Download
memory/2936-34-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2936-25-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2948-1034-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2980-111-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2980-110-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2980-116-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/2980-384-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download