b7718f6dca81677dfa83660651293fdd412b93e24535c18e08f0c1760914bdbd

Analysis

max time kernel
17s
max time network
147s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19/12/2023, 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7718f6dca81677dfa83660651293fdd412b93e24535c18e08f0c1760914bdbd.exe
Size

1.8MB
MD5

50812c4a5e80fd2eab4f51f8743fbb7b
SHA1

1880554c113052f396fc71b68f8990a1b6e66031
SHA256

b7718f6dca81677dfa83660651293fdd412b93e24535c18e08f0c1760914bdbd
SHA512

b6d7bfdfa620d45bafd1b902703d9bab37df6c7fff99f85bc8c460ab9c88af47b10aaa12f568aed621972d3612a0cf3ea6a70f6bfee3bbdaac95ccb4f0585544
SSDEEP

49152:yKJ0WR7AFPyyiSruXKpk3WFDL9zxnSqCks7R9L58UqFJjskU:yKlBAFPydSS6W6X9lntC17DVqFJU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 33 IoCs

pid	Process
480	Process not Found
2420	alg.exe
2144	aspnet_state.exe
2192	mscorsvw.exe
1324	mscorsvw.exe
1876	mscorsvw.exe
1524	mscorsvw.exe
2016	ehRecvr.exe
1320	ehsched.exe
3052	elevation_service.exe
2056	GROOVE.EXE
2608	maintenanceservice.exe
2616	OSE.EXE
2956	OSPPSVC.EXE
784	mscorsvw.exe
2252	mscorsvw.exe
1484	mscorsvw.exe
1444	mscorsvw.exe
2460	mscorsvw.exe
2452	mscorsvw.exe
2536	mscorsvw.exe
2244	mscorsvw.exe
3068	mscorsvw.exe
2652	mscorsvw.exe
2012	mscorsvw.exe
2908	mscorsvw.exe
1828	mscorsvw.exe
868	mscorsvw.exe
2360	mscorsvw.exe
2408	mscorsvw.exe
2496	mscorsvw.exe
2476	mscorsvw.exe
2436	mscorsvw.exe

Loads dropped DLL 4 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\319d92e323b6587.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9FF.tmp\goopdateres_ca.dll	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9FF.tmp\goopdateres_vi.dll	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9FF.tmp\goopdateres_te.dll	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9FF.tmp\psmachine_64.dll	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9FF.tmp\goopdateres_de.dll	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9FF.tmp\goopdateres_en.dll	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9FF.tmp\goopdateres_sl.dll	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9FF.tmp\psuser.dll	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9FF.tmp\psmachine.dll	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9FF.tmp\GoogleCrashHandler64.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9FF.tmp\goopdateres_ta.dll	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9FF.tmp\goopdateres_fr.dll	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9FF.tmp\goopdateres_uk.dll	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9FF.tmp\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2692	ehRec.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2244	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: 33	2924	EhTray.exe
Token: SeIncBasePriorityPrivilege	2924	EhTray.exe
Token: SeDebugPrivilege	2692	ehRec.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeShutdownPrivilege	1876	mscorsvw.exe
Token: 33	2924	EhTray.exe
Token: SeIncBasePriorityPrivilege	2924	EhTray.exe
Token: SeShutdownPrivilege	1524	mscorsvw.exe
Token: SeDebugPrivilege	2420	alg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 784	1524	mscorsvw.exe	40
PID 1524 wrote to memory of 784	1524	mscorsvw.exe	40
PID 1524 wrote to memory of 784	1524	mscorsvw.exe	40
PID 1524 wrote to memory of 2252	1524	mscorsvw.exe	43
PID 1524 wrote to memory of 2252	1524	mscorsvw.exe	43
PID 1524 wrote to memory of 2252	1524	mscorsvw.exe	43
PID 1876 wrote to memory of 1484	1876	mscorsvw.exe	45
PID 1876 wrote to memory of 1484	1876	mscorsvw.exe	45
PID 1876 wrote to memory of 1484	1876	mscorsvw.exe	45
PID 1876 wrote to memory of 1484	1876	mscorsvw.exe	45
PID 1876 wrote to memory of 1444	1876	mscorsvw.exe	46
PID 1876 wrote to memory of 1444	1876	mscorsvw.exe	46
PID 1876 wrote to memory of 1444	1876	mscorsvw.exe	46
PID 1876 wrote to memory of 1444	1876	mscorsvw.exe	46
PID 1876 wrote to memory of 2460	1876	mscorsvw.exe	47
PID 1876 wrote to memory of 2460	1876	mscorsvw.exe	47
PID 1876 wrote to memory of 2460	1876	mscorsvw.exe	47
PID 1876 wrote to memory of 2460	1876	mscorsvw.exe	47
PID 1876 wrote to memory of 2452	1876	mscorsvw.exe	48
PID 1876 wrote to memory of 2452	1876	mscorsvw.exe	48
PID 1876 wrote to memory of 2452	1876	mscorsvw.exe	48
PID 1876 wrote to memory of 2452	1876	mscorsvw.exe	48
PID 1876 wrote to memory of 2536	1876	mscorsvw.exe	49
PID 1876 wrote to memory of 2536	1876	mscorsvw.exe	49
PID 1876 wrote to memory of 2536	1876	mscorsvw.exe	49
PID 1876 wrote to memory of 2536	1876	mscorsvw.exe	49
PID 1876 wrote to memory of 2244	1876	mscorsvw.exe	50
PID 1876 wrote to memory of 2244	1876	mscorsvw.exe	50
PID 1876 wrote to memory of 2244	1876	mscorsvw.exe	50
PID 1876 wrote to memory of 2244	1876	mscorsvw.exe	50
PID 1876 wrote to memory of 3068	1876	mscorsvw.exe	51
PID 1876 wrote to memory of 3068	1876	mscorsvw.exe	51
PID 1876 wrote to memory of 3068	1876	mscorsvw.exe	51
PID 1876 wrote to memory of 3068	1876	mscorsvw.exe	51
PID 1876 wrote to memory of 2652	1876	mscorsvw.exe	52
PID 1876 wrote to memory of 2652	1876	mscorsvw.exe	52
PID 1876 wrote to memory of 2652	1876	mscorsvw.exe	52
PID 1876 wrote to memory of 2652	1876	mscorsvw.exe	52
PID 1876 wrote to memory of 2012	1876	mscorsvw.exe	53
PID 1876 wrote to memory of 2012	1876	mscorsvw.exe	53
PID 1876 wrote to memory of 2012	1876	mscorsvw.exe	53
PID 1876 wrote to memory of 2012	1876	mscorsvw.exe	53
PID 1876 wrote to memory of 2908	1876	mscorsvw.exe	54
PID 1876 wrote to memory of 2908	1876	mscorsvw.exe	54
PID 1876 wrote to memory of 2908	1876	mscorsvw.exe	54
PID 1876 wrote to memory of 2908	1876	mscorsvw.exe	54
PID 1876 wrote to memory of 1828	1876	mscorsvw.exe	55
PID 1876 wrote to memory of 1828	1876	mscorsvw.exe	55
PID 1876 wrote to memory of 1828	1876	mscorsvw.exe	55
PID 1876 wrote to memory of 1828	1876	mscorsvw.exe	55
PID 1876 wrote to memory of 868	1876	mscorsvw.exe	66
PID 1876 wrote to memory of 868	1876	mscorsvw.exe	66
PID 1876 wrote to memory of 868	1876	mscorsvw.exe	66
PID 1876 wrote to memory of 868	1876	mscorsvw.exe	66
PID 1876 wrote to memory of 2360	1876	mscorsvw.exe	67
PID 1876 wrote to memory of 2360	1876	mscorsvw.exe	67
PID 1876 wrote to memory of 2360	1876	mscorsvw.exe	67
PID 1876 wrote to memory of 2360	1876	mscorsvw.exe	67
PID 1876 wrote to memory of 2408	1876	mscorsvw.exe	58
PID 1876 wrote to memory of 2408	1876	mscorsvw.exe	58
PID 1876 wrote to memory of 2408	1876	mscorsvw.exe	58
PID 1876 wrote to memory of 2408	1876	mscorsvw.exe	58
PID 1876 wrote to memory of 2496	1876	mscorsvw.exe	59
PID 1876 wrote to memory of 2496	1876	mscorsvw.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b7718f6dca81677dfa83660651293fdd412b93e24535c18e08f0c1760914bdbd.exe
"C:\Users\Admin\AppData\Local\Temp\b7718f6dca81677dfa83660651293fdd412b93e24535c18e08f0c1760914bdbd.exe"
1⤵
PID:2244

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2144

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2192

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1320

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2016

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 204 -NGENProcess 1e4 -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  PID:1688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 258 -NGENProcess 238 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 260 -NGENProcess 248 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:1820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 204 -NGENProcess 264 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:2828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 24c -NGENProcess 268 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:3012
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 204 -NGENProcess 268 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  PID:964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 260 -NGENProcess 274 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:2400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 22c -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:2428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 27c -NGENProcess 274 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:2860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 274 -NGENProcess 26c -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  PID:2464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 274 -NGENProcess 27c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:1668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 264 -NGENProcess 290 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:3004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 290 -NGENProcess 208 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:2476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 298 -NGENProcess 290 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:1168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 290 -NGENProcess 264 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  PID:2352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 29c -NGENProcess 294 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:2400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 294 -NGENProcess 298 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:2688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a4 -NGENProcess 264 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:2580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 264 -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 27c -NGENProcess 2b0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2b0 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:1708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2b0 -NGENProcess 2b8 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  PID:2248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2b8 -NGENProcess 294 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:3056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2b4 -NGENProcess 238 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 298 -NGENProcess 2c0 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:2136
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 2c4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:3008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 290 -NGENProcess 2c0 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:1852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2c8 -NGENProcess 2cc -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:1668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 264 -NGENProcess 2d0 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:1604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2c0 -NGENProcess 2d4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:1816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 238 -NGENProcess 2d4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:1560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2cc -NGENProcess 2dc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2dc -NGENProcess 2d8 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 290 -NGENProcess 2e4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2e4 -NGENProcess 2c0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:1836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 264 -NGENProcess 2ec -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2e0 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:1868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2e8 -NGENProcess 2f4 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:1124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2f8 -NGENProcess 2c0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2f0 -NGENProcess 2fc -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2280
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2fc -NGENProcess 2ec -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:1772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2e0 -NGENProcess 308 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:2636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 2e0 -NGENProcess 304 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:1344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2f0 -NGENProcess 310 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  PID:2684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f0 -NGENProcess 2f8 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 300 -NGENProcess 310 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:1844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2dc -NGENProcess 308 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:1112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 31c -NGENProcess 314 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2404
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 300 -NGENProcess 320 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:2440
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 324 -NGENProcess 314 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 32c -NGENProcess 324 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 30c -NGENProcess 2e0 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:1732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 330 -NGENProcess 308 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2460
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 324 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 33c -NGENProcess 2e0 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 108 -NGENProcess 344 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 33c -NGENProcess 324 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:2928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 344 -NGENProcess 324 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 2e0 -NGENProcess 300 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 32c -NGENProcess 300 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 104 -NGENProcess 108 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2280
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 324 -NGENProcess 300 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 350 -NGENProcess 32c -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2e0 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 108 -InterruptEvent 324 -NGENProcess 358 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2260
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 344 -NGENProcess 2e0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:1968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 360 -NGENProcess 354 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 108 -NGENProcess 344 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:1060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 108 -InterruptEvent 358 -NGENProcess 354 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:1508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 36c -NGENProcess 360 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:3016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 108 -NGENProcess 370 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 108 -InterruptEvent 374 -NGENProcess 360 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 300 -NGENProcess 374 -Pipe 104 -Comment "NGen Worker Process"
  2⤵
  PID:2116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 370 -NGENProcess 364 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 324 -NGENProcess 190 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 380 -NGENProcess 378 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2460
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 380 -NGENProcess 324 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 300 -NGENProcess 3ec -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 3e0 -NGENProcess 324 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:2544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3f0 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2104
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 388 -NGENProcess 3f4 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  PID:812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 324 -NGENProcess 3f8 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:2536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 380 -NGENProcess 3f4 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:2072
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 33c -NGENProcess 404 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 388 -NGENProcess 408 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:2036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 3f4 -NGENProcess 40c -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 404 -NGENProcess 410 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2140
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 414 -NGENProcess 40c -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:2548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 3e8 -NGENProcess 41c -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:1696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 388 -NGENProcess 420 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:2488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 388 -NGENProcess 380 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:2788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 408 -NGENProcess 33c -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:2504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 420 -NGENProcess 428 -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:2076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 380 -NGENProcess 42c -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  PID:3060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 33c -NGENProcess 430 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:2072
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 424 -NGENProcess 42c -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:2624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 438 -NGENProcess 3f0 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 33c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:2356
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 440 -NGENProcess 408 -Pipe 424 -Comment "NGen Worker Process"
  2⤵
  PID:2856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 438 -NGENProcess 444 -Pipe 430 -Comment "NGen Worker Process"
  2⤵
  PID:2736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 33c -NGENProcess 448 -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  PID:600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 408 -NGENProcess 44c -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  PID:1320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 44c -NGENProcess 444 -Pipe 448 -Comment "NGen Worker Process"
  2⤵
  PID:1752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 428 -NGENProcess 454 -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 33c -NGENProcess 458 -Pipe 450 -Comment "NGen Worker Process"
  2⤵
  PID:580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 444 -NGENProcess 45c -Pipe 440 -Comment "NGen Worker Process"
  2⤵
  PID:1696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 454 -NGENProcess 460 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:1724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 43c -NGENProcess 45c -Pipe 44c -Comment "NGen Worker Process"
  2⤵
  PID:1700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 438 -NGENProcess 468 -Pipe 454 -Comment "NGen Worker Process"
  2⤵
  PID:2620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 444 -NGENProcess 46c -Pipe 464 -Comment "NGen Worker Process"
  2⤵
  PID:2164
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 45c -NGENProcess 470 -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  PID:2380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 24c -NGENProcess 244 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 24c -NGENProcess 240 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 25c -NGENProcess 244 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 238 -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1ec -NGENProcess 244 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 264 -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 260 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 270 -NGENProcess 244 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 270 -NGENProcess 268 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 244 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 23c -NGENProcess 238 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 270 -NGENProcess 280 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 260 -NGENProcess 238 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 27c -NGENProcess 288 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 268 -NGENProcess 238 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 28c -NGENProcess 260 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 294 -NGENProcess 288 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 294 -NGENProcess 28c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 284 -NGENProcess 274 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 23c -NGENProcess 288 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 2a4 -NGENProcess 274 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2360

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1324

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2056

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2616

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2956

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2608

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3052

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
359KB

MD5
47c7fb982e7d615bffb0dbdce6c7c673

SHA1
82c16b1c3388aa58f867ef2b6f7bcc69785a6ae9

SHA256
a37e4f822496e0b7de64a35a0643271d5c9c0e7f075fd69ff2a455e9eb111cf3

SHA512
8817d989fe02129a77f57918d0731a9356a624397dc310c8847170e8f6cefd56ca5095b9c160b9a4d485d77786b6488275393c83b71eb0db7bc54074038788b5

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
464KB

MD5
595dfb9535b4baee99fb980e1e594a4a

SHA1
1387d6aaf5b7d1ae1a4f6c6cc4e85d9c03d5ea48

SHA256
e68aa3a4b8ee5076b38426cec58e401ab2bdd7bb94948fa7a2636967e70b644e

SHA512
994da6f48aeab7ed1c38c03115c27f8ebedc08dde701329c7c5f0c27147da85462ce1e428be61c949177908f673f646b73ce55e20f8fbbe2dcaf847eeca446fe

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
281KB

MD5
df65c0d6a2062d062dedae1a8114e409

SHA1
e560be3dca81d1589275e2fb21f8eaa10861984c

SHA256
b330da021b9f060be03b3373ae2d0d30fa33f4f6742c591f81d1ab0e9a8a7175

SHA512
2a6d757721d45642bcc70b91dce7aa86c3f8e407fdb5ff4f2d8a50f7aeedf9ccd00bdca76cd50e51b5664ebe9022aaa4a82a785337d6da62119107da0fa8075a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
245KB

MD5
099d816ce7d8cf7ee5002366fa5a92e9

SHA1
0508dbcf213981324b32538eaf8da7ff8beed35f

SHA256
fda042e97bad1e4251704a71c1c9bf24051c636dad323393ee34835bcfe86b75

SHA512
be8abe08298dd8d540dd8aa98c1ce86788a192aad183dd27ce242fbe4f4b7f71e47bc1f0786e17955e0b50b59a4aebb7b6ec447575d532eedac0a577d3f9a381

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
126KB

MD5
c6086a85a3b8152bd948126e164f6645

SHA1
a4faa98216f4a34d5a6dd889d34a73d270db561f

SHA256
e45ca221ec78ee8a3f60ffac497ca280bff09a32b1e2ad6d9f5f1e364e5bdad5

SHA512
2cd0eee8c743c12ffd77fc19de7f29248211e4b1d614814efc27344b36968585609283407f8448b7482af910a3d7e89f0a55ec8e1ce51685d1fac82cafa46dfc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
24KB

MD5
8722c21a09dff93761820fd2687897b6

SHA1
70ab9e635f15779995fb9b82f6bd096043e7238d

SHA256
39ba6688cc9a4a4c8ccfdb9f6de8a2c358ef4ab91eb1c452a86ef75b12b73a74

SHA512
e8e44d5dd85a35622d521dd8cf4e533e8d745f7dbc9f3da5eb4ead4c4917a78ae0d5d2b231c6684631bb4cea8bc51de1cdb9352b0544462c3a61dfe5cc84f58a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
168KB

MD5
4c486afe14b084fbd507bcdd25d242fc

SHA1
0f4e69150c88938dac7c78cdcbf3a2157ef8ce70

SHA256
10fcfbd01b2bbedc4c0c17c3cc6e216f1322ff80dbbe865da7a29eb6785cc490

SHA512
f52426324cce03eef06b34ca993add8b5b4285ff757616814c2427ec08d10d05e20a9102d8597adfd3c44c63ff0cc8f5416b8b9fac3615194f67a4891a217f35

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
324KB

MD5
f0caac21af630dea257c8ee60185adcc

SHA1
deb25e456e6cdc7e19bf628bf79c0a76f275f58b

SHA256
7532964b6a61358a4cda0aacb2e6be3a3b68fb5d699683a7d8b251aff0c777a8

SHA512
5e3e48d487002c109b164cbe9a7c9120109dabc671e8fbea58461a01dacdc3acc4dd58c06fc0be422eefe900646c591ec28b767b793bc208a595065cbc29adfc

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
236KB

MD5
630c4e6b661662e61610620d8f8b0ec7

SHA1
cf56c575a31bbe36a038497af84efbd5741b4235

SHA256
736d7d19fd07d8a0cb7de22825fec819b53f739a1505e0b662763a9697f2c73a

SHA512
9e40fa1ab40e1222606b96edda672bf9cddf1d643478a07ec70aa56ec02a824272f3ed41c6081158f3a034cb7f8d08589f3e4638463e581b6c28efd5fd083b90

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
263KB

MD5
adf2c19a77770770857ba0de9205fe4b

SHA1
a9082053550570d621f4c4eade306e8cae46b1f1

SHA256
118491c69e50217a26149c1f3f5f15484fe28093f55e392b39930c5c24ad831c

SHA512
ce406d2f357604adc42c326e0a6804f71987da1e03b7b8c7a79958ce43621c99ad9b38fc04bf2eb9001ddf823957eeb105f4a57c6c089f1c85fc00365121fcd3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
175KB

MD5
5bfa7166be886eabe86b84de83eb0de1

SHA1
a1cac278cd1fc5d1422c65d110e32ea5492fdc11

SHA256
a802717a2a172dfef203aa0d912493a65ccdf3822eb5f6447caded4a8da58b79

SHA512
aea6af41325f837c5962af68b8c3dca42211bd6552d65cd583b91df45af2218ee9d05a3b890a748a3489437cca6c44f91f065d00646509a7bee81a7f2bb5dcec

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
151KB

MD5
09ba1e7dba66650abc596c4a01e32c6b

SHA1
85bf897220feb95bb01a8c976b7002889db486d4

SHA256
0177e4d3f2827a0bdb25eea9eb7bc101722e6809c51a7716c6ca3ea8191b7a6c

SHA512
90ecea4b5a2d7942e2c9ccfdca97cd99dce2b0aff5595771e0da7cf3af4718224f17395458977b0ea5c0c5d2380d7e99eb10d5d0ab6b36f379672d90f58122af

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
78KB

MD5
9c0465f6555b708458b9d7cf9807dce9

SHA1
911b014b10f1105f40c92e309cbed7b003d8517d

SHA256
887cd38396c594d391bdc9390069e98be49067084e3d611d4871e2a7b66c3672

SHA512
f194108cae6c6c713836af548afc7e2e54c462ace6ec63065664db2ff91c603824c2d090f2596a265a20e5370c2f0480ea3a58b5aefbae5fb36cbf2dcc6fa521

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
168KB

MD5
8344ae9760cdd6acbe0228f178f666a6

SHA1
ad943f5916a2cece1331108eab03bdf66e2644df

SHA256
ef96240c341efa055b672b6c5672b12e6c9d39a0e436b7f0db3e7f66bccdcc18

SHA512
7224a489ccd71346d08acbeb4369f4db814714460f767d2e5ec9e15b3604ce38208f2b7d5045f7df68f8b636b9202164d360a7a886e9e26d209a4edb2c1fecdf

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
119KB

MD5
4d482fbe9f3a90b3fe584dee8c64aa8c

SHA1
d9535907d7a80d6383bc801ce216428f3b2e1d9f

SHA256
37777aac0f1f4a62fdd67cfa92ffc8da57e6bb0e6a1ca0fff880595452dd07ec

SHA512
d227f2f916db48e887920dc15cff3a1de4ab060e6487a28f9d2f5b613f9b81304fa696ab077b599d9d383b1e0c281d4844e71dd998c5fe27472aeaa65657ddd2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
279KB

MD5
417cf9a95ee58fdc4697976fc7f1748c

SHA1
f5a0ee68fd9f44e60c161b168fab55cdc508c9d1

SHA256
12a1e7ca2d02c04b81f54ff71974200c0d9ef2767c936da51ef5412e2b708fb9

SHA512
0766d5a31e79b30faf3c5be92dcd588846baf1a3963589eb1249a9022b5fd33370c96d8bb5d99cdddcabd8c7bf538e8367185e591df4f277d7607626e040ee7e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
251KB

MD5
9573144c1a53876c08ec4be3fcfecc57

SHA1
66bc587b28ffc14e0e921e06c677a93fb49996fb

SHA256
66d995f3b5efcdb1a4d9cd17307ef801ce9a1af7bafc64f0a643b80a7b2a3a6e

SHA512
ffaf6fcbdb078225c534615da4c21298e8ede1e0d555f38bacf44bb61672fdc2e925cfd929d68c58b787a74d7e37fcdfe647d68f3935d87c349bf85a98309b4f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
23KB

MD5
d7ae32bddfe047b62a839d6d16291349

SHA1
634f5f3966ae2958ec99f8397f635080dd511db0

SHA256
abebfdface09cfc5565a2f4a94087c0b6a8a02117bf3bbe7285353b2590e373f

SHA512
e545c81614aefc2757814279d27334377537d35dc9dae917f790c6e1ef42428d271dfd9496041fbba9573f8672473c9d3ce5d553630aa68ce8439142cbd09116

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
112KB

MD5
9882e093aa9d60f68897bf539995c8d4

SHA1
1ad4f0a69c513fcf2c6ed1ef386f687f688aa9bc

SHA256
14f0c2baf39e508079bee0b87ca2c21b26a10b30100559fb429a375add6e4793

SHA512
2aba5540cb96a8ceeac5b7b94360b8150c32661ff7c999dbbd402c4a15352dd0fc9692d9aaa1c69b693dd71ec1d2ff8e346308e993af9cb242feef6b24315fac

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
24KB

MD5
6f9e1195c3c6d3a7d42e900c4d3628fa

SHA1
54c0d005f181eb3d2933f28506c6284479ee9c9d

SHA256
fb6d17e16765181f2374cca581a98dd175ee407d41ce531afbcc7f31f16a7946

SHA512
15ce20323bd688fdc4c7dd417eee739bdcbd45a6d291143c4cf554aa4489601aac4489d3a2d2952873bb5c9e89895b86297e0bd97020596afc2666751414d49c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
231KB

MD5
e85b1a00d0bd68531d06c7daa9f34f10

SHA1
124c9c5d93268aea578a90544ee8598a98cf0b2d

SHA256
2581df33b7bcccba9089dc3912eb89ad6c5182b955c6c58cdcefbf84c4e6160a

SHA512
e6e2eed55c50280f825c2d1e5dac8c2d8729b1bee9de571a0ffe1198f488cce8ed40dc08db1c5e012abe08e4b75692a711c4089017e6476a987269683a825eac

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
128KB

MD5
03dd763a02c52a9d0ef3072c1e2cf0b1

SHA1
664267253ab17c0c7627b9ff086db07818fe7b0d

SHA256
150431e74d8cda327a88c7cbc3e1a18af0027dabb64fc0e32931964c71988a26

SHA512
551c1bdf477de452d7bf07ddc94d4d6756819ddb8d84b1656f05027368dec938c048c94560d68e3d0900ee67327823767ed29418507bf00584e271eb251658a6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
33KB

MD5
eab432f4bd731400dfd9ae2a6bd9a346

SHA1
87dcea8d9598aac423ff4ef31a6c4d1cbb0afed6

SHA256
403bdd4f3486d379034fb6eb403038593d4a281fa9395fdfb46c1302c11b4c3b

SHA512
3f851c0eeb16f0c8c19f61699fb68ccdf0c766c79662eebaba16cb12ab5bd909047487b4a37584dd182f0717ebd9ccf14321dd94a8f527b803610fbf87c77118

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
189KB

MD5
d8eb199ae66d5c19b0e151cc58be3833

SHA1
b2c752cfee266462f82ebfa8538d5a1c71e9abe0

SHA256
04bee76d6644359dde1dd7fe65cf396fdfb6d78619afe9ba95eb04cc4cf0be2c

SHA512
9fafeddcb0336da9c7818607f0c235bd7166fae974126dc071caf8488c35e1e0a30bf87254de0c9a8a891364fc4728b072cb0eb9ac73226b15df00220858bf80

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
69KB

MD5
65ff0b2e763e5d6f459616afd51dc080

SHA1
dce36331106debff20da8ecfd8189299d9306b9b

SHA256
4856f4834649837a0eeb858310798fbb92243cd592389e8cf2f5c8c8d04e1bfc

SHA512
d9993db285cea61f6176c89cd05fcbc64fade38c5c7ef1ef2f6daea4b5607ecd3074133a0c85d207e8ac16ebb2bab42cf0db48406cf9a6b9ec971d53c40782d7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
8KB

MD5
d842d610832f7c04f813d4756a4ad2cf

SHA1
7eeefee095db92c8c585dc2fcb7b38dbdd448057

SHA256
244ce0ce146775a57706d132c7378614b96b189337d696ecd59656aeefe1b6ab

SHA512
c0a8bb7ee84a431a1647c38c5a1e8d6b68ef2d9c5746261d90da78f40c1e91c4bc9a39b9aa079a0b76bd6030fac6b14c50dd0f2f9c9f49cf5474cd4ce464eb13

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
d0bacca096784ad714124ed9126eeb04

SHA1
629d23ce33a012e5be09d2cf9930a9bf7d26e9a3

SHA256
558011191258e99e5284bfd99e16e8f9de38ffaf939bfae42d14d96682dfd7cf

SHA512
2f38220fed400d9b49050396ce6c1c4ede8524d97cf4cbbcf7c0ea1a8aa020c794dc629d5a4e0e7ac8b080d0d1b6684775b1ba50f08055d2049fbe34a3cdd10f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
163KB

MD5
bc0081cd81b4db019613ae63ce39b8d8

SHA1
f94cf787e6be3ecb968d7425f296eb8e749784e7

SHA256
7aae8e78b01831b3cb2ba68c63edf36bafabe3d80da5367f628b439e44d2abe0

SHA512
3f29a392059e55bbfb1c5fe2b4098f831f1cd118ea79d75a31542be7dda05cdb12dad3f37e4051491844989a5a02985e4f184bdd0ccb5cdd8c4714a2428e2893

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
110KB

MD5
ac565b7e29edef64e43002147a7d9669

SHA1
c93f37eda5e189ce6527b8dc854bc1c33aa10720

SHA256
3cce39396c485cdc7eb042d72d15d4d5f739d41204f22d8db1a08d6ea2192fb6

SHA512
a814bb1a626c8610d8fe0d34cb05f018d9d7f43f1bce3f3d04f8e6e19b45874d198db1f5c19ee12c9f14719079192ea2534df36f1d8f375d45dbe667eb22e929

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
36KB

MD5
09459e1f7ae334c9ee8f565502717356

SHA1
b7baac542db85702f7d304fe9d79dc085f25aaab

SHA256
006830fb440028e086b3e21d5f8f35ad1599bea1c195c4b13fb3fbdb7d2a4b9d

SHA512
7e998e8c5f01682befc9fdd2334bf4296c311701256b44708b4e8e7b65c50bbf9301ffea7102fbbff16e65cf2563eb2fca2312bec69b5c9bf131b0f02fe45570

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
166KB

MD5
14201b026096181f6cae11787daf4310

SHA1
692c35cde66185749744f8a80375ecf41d9887da

SHA256
861318f112af58d163952d0dddb1581f8a6b2f3de1510d7f3c8ecd666215245f

SHA512
008a548d4202b491a2bb9c67bcaf42ec2176bc07ae5f0e676e401a91d576ffc4fb86f006185dee193c17878c5b3d35770095f9f08cdea3be8371cba535959695

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
162KB

MD5
ed88ac263e622a9863330195e909bab3

SHA1
2ea1923a8a3fd72a637f3404a7734d17f2763e33

SHA256
d7716413f3c38f396a06691c0c87dff611655713425e80129dcd333a37149447

SHA512
fc88c03b62986416625e3a5208deca468ee9b516e13c8a5b9e12157ba894069eccfb18f907f22073a7d8bb2cf107c022df8ed12c60351d0a51a1467bd2e9771c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
80KB

MD5
714aceb1ffd8db281d838a3001bcdbb0

SHA1
b6ffe66a4039af399f6e5b0491e2070bdfe28ab3

SHA256
e361fba68f618c4cbfa9b0622c925b79dfb36b662b5daf326f12bbac42891024

SHA512
d209b0892ccdca134bfa49756ac69023b270bc19eb88f262ffb8af183683b86b620fcb1de8eee13218e7fe36a2e060e4e098c83fb277a9afcfbd88c376c17a80

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
160KB

MD5
e8d4f6013743362c74abd8015938f5a2

SHA1
deb0fd588ca87c2e52098be6ebde54c03e25e5d7

SHA256
78743e62ee133edcb463220160d4cf44b9aae9d9c24aa86a891ed164089a2e4b

SHA512
c5db7fce0bbb2314677311de34661be976d30730614742de69bdf549b538749d0091d711c6e09442431f4649cbb2f61e8b48e21bbbca1439be9c5d051fb74fa2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
68KB

MD5
06e86bf01f1cfe8dd4d0f2b2bf157ae0

SHA1
88dfb820b7e42f7ace030195d7d19c05e2881592

SHA256
f2b391a8e41831bd23e2946d542ddfde441ee3a8c2a703ee45f32fd4becb8b23

SHA512
364551f46026032fb266877f3b345e20cea33046b1bf6e4d73ab417d1689a11a09c4d308638f756be46648885bea31d963703a1e484a4312b950b096439b4a22

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
49KB

MD5
a0c39817e21704fc19cb8b4c064abd13

SHA1
473c23228ed733645c9252f5a2dcccfb14fc3929

SHA256
a1ef80bf7722ff5c47a5394847dfda0c528cec40f930243fdeab7eaa513f3886

SHA512
d23d83fca82db771fade07fba5838f686f75d301d79e62bcfb5be0c55873673747e9feff371ad37ea67f9e89cb30e581a0654384d3c6da3645790574e74ba7ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
84KB

MD5
e5263531237239c9fab8cc2624c89563

SHA1
c913de5ee5a9c8051ba39b2a25c0244711cb53d0

SHA256
b315639b6150e3fe4a58ae166cc67b2d6655142e2580c512d7c930ec301caa4f

SHA512
418ac3d590478ff356e17d510fc36e84653e21e2efc9e759bd0a4ee33c017be6e75d3b4d5d86c384c41feb44cbf6840276e3ac50e1f70e79e9bde3cffcb722d7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
81KB

MD5
add0a5529b4830cb79a82114cc2954a6

SHA1
9373f6bf1cfec1b907b9a7ed42226620da0e42c1

SHA256
68db900a021e09720ac2b3e7a3ca2bf83d6f3fb346a407a00c65909949660818

SHA512
1ab698bb149f93ef75230bda6ef06e65a7a05954f2f6a56f1f606cd27b765f5b976c7f1b8c7068870e16fe9d939dd95e8801005d06ff10f2ab4ede2e985356e8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
63KB

MD5
7c991364213ee14bcb01e8213c4641ef

SHA1
804ca511cf430e04aa479aaac97f31817c56ee5b

SHA256
a7bd174faca222cc205cdbc73c94439831fb8f9da4627d54ca897f91f1408937

SHA512
31f90835553adc82d1ad2fb159ac90db03441dcd052fd498e5ab72e814f5fc2db114bbed9f3f4c0f7bc135d5198258d4ba908a04f85557e1a14ddb0d247c0220

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
36KB

MD5
cd0891c55b531c7f96565bc1b093c1c4

SHA1
d3bffb5aeb7f5c60db409cb77fcd4b29a310b275

SHA256
989fa5ddb53256416e9ebf5c611c3e2c284515fa5798e6f0522e2b07e9d27e9b

SHA512
6b0937acfb4b73e3424747bf6f8646ec1e0d58058205ab45166611073723801fb6c8da153a84438c620b1cdc4a3d69adefea05c2569fa4bf0181d1e120a44bd7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
100KB

MD5
1b866e975413d630619eb58c57223890

SHA1
b792935c7a5e933f82b9404387eacb5ef04150e0

SHA256
b5fb598988ab0b2249734353f2ee182a9adf5b89aa6439fc1ef67f66136d4399

SHA512
fcd1212792f553933f673deeee2fdf9d3eda8ad3065ad6f7090dea3299c878523d91d1e1f1c8f5545fb4a13a23bd8786f924c1cd01827a7bc9dd30c05228c67b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
130KB

MD5
d12c95efcc274dd4404bcf60fc7c9d2e

SHA1
91d6b2aee6add282218bc1345fc3a7651d12ea19

SHA256
49705e6cb49bc80b4aeb82c7d6da7a969b81d209769123edfff9d61d9fc2f5eb

SHA512
faca8885e3a6356f417ab2bf7eeae0a805e5a57db78fc56bf0dd5a9d2efc41fd2b09829a6e180867daf37f13be752af033ba6e22e8649ac3ef45e0125398982d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
45KB

MD5
06d994e370c39700ec0d549d39c18a3c

SHA1
e1662da4ce6c93d95eb889f4db86344c2be6fcc7

SHA256
3ecc2b84a7ceabf9cda75f2ccd8075fdee7ce133f1fc3a745572eec3e63e7dd0

SHA512
6f8314fa2506b758c12e4897ff9894ce73d0aa0c5342bd2787a0a661f6ebc6d2d35537df422951eb1996fe8f67f3f6e7cd108759ff18b2545e85e6d7b10e570f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
4KB

MD5
855d3be3db774be72c0de178f946afaf

SHA1
b08eed14a7010ec49044a8caf19ce233966d25c6

SHA256
57558acb958cfb21a54922c5d7147b6ea4452088ff92d9a658de6e41fb24064b

SHA512
261acd3ddda6289a45168bf32280bab45fbe05c0edc82a01937611ad1a55cf2385e946424f8be2aea741367da6738056b19f4ae6d57cd25094d8d0f34b4b4e88

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
26KB

MD5
35eae0a3bbd3517c2ab44cda57dfd1da

SHA1
abbb04aa1dd9f515b14082433c6d974a5d6b2e86

SHA256
91096a4f2de81446e43b737d21f34c3913c59c7d0fd72f7191fbec8f04002333

SHA512
24b848de48142f5afd14d9de7b166a2286c3ce2917f041bfe2f09bd6d3d6d1285c370bacc52e146131e933dc5367118224216a921981b29b355033f8b150b6ed

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
56KB

MD5
3b6f5fb5d8c008d3a0f57d3842f8e4c9

SHA1
ec80622c1ad8f82e50f4b5f7f42f2a562bc9a625

SHA256
681f73692f724bb3e33d23067bf5e19bbf7b826ecf334eee3cb235f79f9ce406

SHA512
e6efb1914061d73046399ec3679ee3062b6f431a1770b24afbbb5e858df0effdc010e6a9feb95dcbdf698b44af637cbeedab69652e8b9de42eb493c34017815d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
7KB

MD5
4197f74ee93d92bef4ac8416b4c89192

SHA1
fa045b90b944c0636006ac3b14572441b9ddab24

SHA256
17865b10da5951365aa432650ac75cc2a73abe5ca85de72add84269493e63dac

SHA512
f58a16172a2218b359622cfeb40ba6b2776a39abf2ee44b3abd7e5526339a3606b344f1dfe4307cf22df161b55218b006596efcea74afcf68f7e584cc6a28f89

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
166KB

MD5
79157d5e4aedb338ec21f219d4cc0121

SHA1
3df78d4553d7668ad07563d8f9d1880d56652f13

SHA256
afbfd36ae9bfc64f87370c49de55b55cd1c9493b1cefe41e48cfc5e2d622a872

SHA512
d2a8426ead5414fe60e73f083721283c0c0cc92671f95687d7cf21cc3d5d44453269b25bea47ed49460213b8b231f00547ecfdb51847371cdbd55314c7f0e4f8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
105KB

MD5
1b6cf7be612a84ba10f49d038a39a519

SHA1
414a43f7bf8fb202f66fe91dab96f8ab31c7a017

SHA256
9fd22f6d40a227952042930a4d742835bf7dacd85de7245b0d6ac9d352ede191

SHA512
f50f078e26b80915dceec0875dff51e954f0668188c17801b8b6423a769125491b52b8d583a30aae0ab265480ab695fcf26ed10cd82a2de9be7805770ae1b16a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
45KB

MD5
858fbcff0fa20ac64f7d4eacbd91309b

SHA1
f77ba509d74651b66a41e4e18f16f7f15b6e4e28

SHA256
784f4ed865cd8bcc39b22bff1ec6be21c8231d1159bf1f5010bfac0afe23cfda

SHA512
f1c92f8fe099377d0948d1ed834ec0196b12ef27fdea3a49e3f8dcfc3ada08a8c568bc5e052d870c0edc90db1ab32f58ffe2e5d7c74494e764db371d26395bd1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
55KB

MD5
f934931ba92bf1d0afabec24caa33f5d

SHA1
0d89748d3cfe285fa72c9062d84ef94c1a9362d9

SHA256
1620e7ba0df1524e1e6b6e545b0dee736aaaaab3bf597242e86235c9535cda1d

SHA512
617c4898a3c5d33e756f52c418995706b109ec56936e5fc4b20d02a8ce2c4c1136f7ee55f81c1a6e42a2e1e53109939f82880a48eeaf2b981f2ce2b5f0c8117a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
37KB

MD5
d8b1afd50f90cf9b5b9e1d07a89f5869

SHA1
e0edb2bd7878f0cb7ad15214f42bb382056d28f1

SHA256
4a25d123cfa7db7a7cca69ab4050bfa146f5c1fd588df9e774f93b0a60220398

SHA512
4021b160a2c0e59c2fe5245f36eb9942b89096df4a335e9aebab013e5ce9914490325e96eaf4c40867f94378ae86ed6e3109ecd13f9ca2acdd2288273612de20

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
16KB

MD5
afe0883a16bdf0e9b2970dfc576da502

SHA1
c73b56c34096a0719fdb45ac77c123cdaed4dd0f

SHA256
9335d353e8cf01ae44a66f535abdbe92b2158fb0a5c37c3b15afd47b74be2d00

SHA512
da6a1e4d8bf83c027bc38d2a0e60d0a5b9f5b86ee0563d8218b37ac4e8380eebc74b3187aeabffa66045cd63d56e165847043586b25cc2fee4501a49d61def24

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
17KB

MD5
d003a84f5631d0d5c24ccde0130176d9

SHA1
13a635d978fdbe18e2c1b970239878fe92823ebc

SHA256
365dd765090f2bf6367f9401c7e22f4738d874c371174225f32842a8b373f134

SHA512
c68685bde4c82c961dae687e9021a263a1956dead0559028d011f6540f011bd356f01071fcc3c6b65370ee34349bc24f02443f9104cb2d79491a78c156ec6e78

Download Submit
C:\Windows\System32\alg.exe

Filesize
307KB

MD5
7bd8b39e976d8e3aea83e974b12e032c

SHA1
ad347a7c557456d40a4d073fd08531fbccb53ef9

SHA256
776911d61e04034e832fcb06924143be18e3715520c4c535ceed46e2c6269e6c

SHA512
08ca93a828a1ae9bb2c1a7c409c4ea7b6c97b8eedeecb3667b1d620233e94bf7d1aa54395498aa2e81f0cb7836b33a22c09329bb8a83e15bf1e58444ae806ced

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
600KB

MD5
8fa0b620e7787e807c4f3677f0dce7d7

SHA1
0de35209c55ea8b0cdae342788d35c8a3149d662

SHA256
51ed1850ccd10077fa6f9243ec91f5f23d2b3ce7155086ac001d19d8ff91d79f

SHA512
a9f725a40c4f2ed1ac657a0b97808e88179e201a67cc1e4cbac1db0f4725f9a75ab232b6a8ca1fe923a05b7c35c19eb08d74cc42da6cf0a7a172174a7c3b706b

Download Submit
C:\Windows\Temp\Cab3BA9.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar3CB4.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
1.1MB

MD5
7835e60e560a49049ae728698da3d301

SHA1
87b357b1b3c9a2ad2f3b89b10a42af021ab76afe

SHA256
df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa

SHA512
b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
238KB

MD5
0a4ed78b7995d94fa42379f84cd5f8e9

SHA1
90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b

SHA256
0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86

SHA512
86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.8MB

MD5
9958f23efa2a86f8195f11054f94189a

SHA1
78ec93b44569ea7ebce452765568da5c73511931

SHA256
3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6

SHA512
3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2a79ee03cc3b02d2d691cd99392c2ae1\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
6f44b65fc199c7cc128ff78ee69dad10

SHA1
fa6923bf96de1760f931b6b83363acfb654cfbeb

SHA256
d9dbaa58a55084cf932d89ba1366f2bf6fc644e05d3d361115d65caa39a8e09e

SHA512
6b5a31ffd62423561930f71712cd262b397e660b1510867f230bd7f938a007815c9610737cf79c0a64d1cd7c61635f54cd7475e043ab156ca7666c7948497ef0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6f58f8f84878e8aaedae9fe7e7fe1906\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
5db3fd8e7512cf21efdf3b5845222fce

SHA1
6f45643277c8e259d2813f96f37e8d3ab3d82306

SHA256
169c7728a8d625ab988371e4e53a21b4984055a0b0d9c83fc57b89a3aaf7300a

SHA512
5cfaba89f2a2a1c4e0528f4431954cbf80b20ae472d0223728978089c08be2ee83cee8e191ee76f97f920f3656ae34d26021f24aea768fbc9028dca5c59563b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a0022dcd88262a732792250930ac0450\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
503066ea61314a2c6edfab66dd533031

SHA1
9624a04f56dbb0e0111b030edb83fa42fea06410

SHA256
2ac5b25582b45d7b18e891383eebc153fb1b6b4084dba371b986e02d8e0f0150

SHA512
2c5e4a2b914cf01f509f717f4938e7a20e61a79c2a51b3ba3b86374744fa6ab973231d1ca13e00ade9d2459e4b5062874d296a1de40e6d0a23eb4b97b589e539

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a695b4c2883a470eba3216a49000a0c9\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
99KB

MD5
b171e9fe690c552aded4d20faee2eada

SHA1
82697e3bd26b3ad3dee191fadfebe11da395d2f0

SHA256
e15780c9be90f63892a5f88e366bfd98523c232bbc5ddb53b132f2dc97386f9a

SHA512
18852ed12c6c7ae723eafe28a6d7b04a0e768adf0a51736382afc7f611751888ffa9a5f389a068cabde88d072726d69b786880cf6c8b7ff867bcdcbf1487ccb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
306KB

MD5
3fe07d658fac14764d4350503ae83dcd

SHA1
00a1ba4d3f66c0baeb840368399844c598a07188

SHA256
cfb62830247c34587f8b325dbbe550a6024a5c469b902b7d8ccfd5b528ea7caa

SHA512
3f3eb48eb8ab638b82736c9c30684a9585f6511b5091ecaf63a84365873dd5e7801d614ac7fab2e9de2ff80cb663cac47720678eefe945eb844030410051c575

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
32KB

MD5
eef70f12e9e0bc82eccb9bf109ad213f

SHA1
029f6944850c4d12b6473295bd7f245af1f854ab

SHA256
c3c51939f1bf8b199efc76e1089b4b5887afb34aafd48fc98ad0583476faa355

SHA512
621ed39468646a9690c828b0a056484c38a98113868d2e20899ad81aee6c9704299a4a8d0aee76171138106fc3437500d9e7eaac0619272fff65d8a7defb3f26

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
11KB

MD5
32c56bdf5a5e79e38eceec020c03e8af

SHA1
cc9b6a4cb4733b9e6207be5138114486b96548a3

SHA256
6e90dd81974cffae45def972f8de1dc05a364fc0083c0ca6410ce1c1fbb165c1

SHA512
d833695aa908910e636c979f941b0cf279cfb3500bf7ce4ff355ad70cbce4456a632cc3a1d7e537ad7dceff2fcf871b3aa9ee799ec6c607f599b99a078f45465

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
263KB

MD5
3f0ba9324843cf545badce6f0e48678c

SHA1
79a4a09098e9e5bd1859405b9851e084d4324b87

SHA256
1865664f21d2e56cf1951a3036968b1dde2ba2d05d922ad47caf0797b4581661

SHA512
51ca16bd9a502a06245d626b420dfba6fceec66b498a75b7633f6fb6182d8e00bceec0cdd0e387668dcf3a25ac8d3caaeba960b198d8eab0ccf868d6c2e2a9c8

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
176KB

MD5
e6200b679b85024216a20761f0b25f5c

SHA1
f43db62b49dd577b48501c5843a30c43c6ab3056

SHA256
cfb8eced8225d5906a0101ed3ada618f87771ec7c64642318ea8b3173fd1e4dd

SHA512
d9e3d80ac8308cc1d39deb3f6e0e02d0d64475134fbce2d63f02fc5cf483e1d3c95d3ac7cbc4823f51d51b2e1c36d22812d72d0287d1259d9ff8d6fe5e8f2fbb

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
54KB

MD5
72cf75f10a7d1810bae0dbcf1689fb30

SHA1
cff70a9dd4a52650867698931658b0ac91b86728

SHA256
f7730b68c63b2c7ba5037fdd28ef812c0ccd2620a982155ea9de5d14fe777fef

SHA512
9b8c142a98a981ddfb9bb44b04ae4d6350a1f060c49a557b2764afd1e34832221e29eac1faf0c5d0720436fc875eddcb2000a57ce77ca2cdec91021f7976e1ba

Download Submit
\Windows\System32\alg.exe

Filesize
408KB

MD5
abeef197237ec5383506b25d3d4e8a7e

SHA1
bc186e95635c0f0c2a09c8bdbc55141826c1070c

SHA256
e3706f0a34c2272d115b34d52f5b9de01e597a430f8ef5c5730bc51162ab5337

SHA512
d026829eec02c1e7be5da91d892b18bdabf9786e2e0e70eb0182b4495eb9855466f9d422e45612e083f604048491eb388fca8c22231f79b0ad11e4015ea83890

Download Submit
\Windows\System32\dllhost.exe

Filesize
509KB

MD5
f3e764ead71ba434c592f864dee0daf4

SHA1
f0798acf5b61a5c01b4ff52e8277f4e86d312475

SHA256
b09cd08110fb8a4f5362311a442cea3ff0ebe3b8951bd2e15e5d64e1db8bda2f

SHA512
3d918e06b714c6f8d6976cc4e3fdc7cb01460fc3a496521942c9e08c30431182d5943f1e6ba06ed2b7234e524a56136e0ce39a5e8436a9a95da0185963751fb4

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
168KB

MD5
56d5f6e9fc167d1558cff58c287335a2

SHA1
16abbf6024adf941933e913c12cb0ffbe146397f

SHA256
15ab2f84e71a168e36ac5548c8640654a6d6f8f5a89c9a1313068af998f6404f

SHA512
cbeb5fe311aa8829eb79b3ca82708e7d0c571abd01e81dac35d5c1393a3bed67a321dbcad3e764cf78d852e7f6ddf89e364a509aa48e8397b4028a31b08566a0

Download Submit
\Windows\ehome\ehsched.exe

Filesize
8KB

MD5
4d58ef4571c1e3920bd97fb9c03cde52

SHA1
d6e2c2cd5b40c7a4a5c2ae721f267702ba59eaec

SHA256
c02725a80b75198ae4ad2c0a70de596e0682efa39e89440b471260330b277ea5

SHA512
9fe681fe19f6a4f055ff956588fff0092814567fe7dc65eee6f2f718b09cb14f5e4d578122512506fc9c3b570d68cc8d0b19430f4aec90cb882f4e3cac5537ee

Download Submit
memory/784-339-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/784-462-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/784-498-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/784-331-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/784-497-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/784-388-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/1320-253-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/1320-315-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1320-254-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/1320-169-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/1320-172-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1324-117-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/1444-551-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1444-553-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1484-532-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/1484-549-0x0000000072EB0000-0x000000007359E000-memory.dmp

Filesize
6.9MB

Download
memory/1484-526-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1484-552-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1484-555-0x0000000072EB0000-0x000000007359E000-memory.dmp

Filesize
6.9MB

Download
memory/1524-139-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1524-147-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1524-142-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1524-279-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1876-128-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1876-123-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1876-122-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1876-266-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2016-171-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2016-256-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2016-164-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/2016-157-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/2016-306-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2016-158-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2016-174-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/2056-281-0x0000000000AD0000-0x0000000000B37000-memory.dmp

Filesize
412KB

Download
memory/2056-275-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2056-358-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2144-93-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2144-170-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2192-102-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2192-97-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/2192-118-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/2192-96-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2244-140-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2244-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2244-249-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2244-6-0x0000000001E40000-0x0000000001EA7000-memory.dmp

Filesize
412KB

Download
memory/2244-1-0x0000000001E40000-0x0000000001EA7000-memory.dmp

Filesize
412KB

Download
memory/2252-482-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2252-508-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/2252-440-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2252-523-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2252-522-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/2252-521-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2420-12-0x0000000000260000-0x00000000002C0000-memory.dmp

Filesize
384KB

Download
memory/2420-16-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2420-156-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2420-37-0x0000000000260000-0x00000000002C0000-memory.dmp

Filesize
384KB

Download
memory/2608-296-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/2608-285-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/2608-297-0x00000000009B0000-0x0000000000A10000-memory.dmp

Filesize
384KB

Download
memory/2616-435-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download
memory/2616-308-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download
memory/2616-310-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2692-363-0x0000000000E50000-0x0000000000ED0000-memory.dmp

Filesize
512KB

Download
memory/2692-413-0x0000000000E50000-0x0000000000ED0000-memory.dmp

Filesize
512KB

Download
memory/2692-304-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

Filesize
9.6MB

Download
memory/2692-302-0x0000000000E50000-0x0000000000ED0000-memory.dmp

Filesize
512KB

Download
memory/2692-554-0x0000000000E50000-0x0000000000ED0000-memory.dmp

Filesize
512KB

Download
memory/2692-412-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

Filesize
9.6MB

Download
memory/2692-300-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

Filesize
9.6MB

Download
memory/2956-419-0x0000000074448000-0x000000007445D000-memory.dmp

Filesize
84KB

Download
memory/2956-326-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2956-318-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2956-335-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2956-503-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2956-536-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/3052-258-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/3052-333-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3052-268-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/3052-260-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download