329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20-12-2023 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
Size

1.8MB
MD5

38d0fd34a78b395dd699bdc155e48dc6
SHA1

eab2434b8df7989f7c4431e75d9bfccd520140a0
SHA256

329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d
SHA512

56fb24997ab94d6579072fe53945306678664247114f91f2703d7ac37efd25aeb08a1f14211f5eb7d2dc2b89a659a03a97fcf1ce3ac3522d1f86b2758dd7171b
SSDEEP

49152:YKJ0WR7AFPyyiSruXKpk3WFDL9zxnSfCks7R9L58UqFJjskU:YKlBAFPydSS6W6X9lnUC17DVqFJU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
480	Process not Found
2004	alg.exe
2612	aspnet_state.exe
3004	mscorsvw.exe
1620	mscorsvw.exe
2732	mscorsvw.exe
576	mscorsvw.exe
2524	ehRecvr.exe
2012	ehsched.exe
832	elevation_service.exe
956	mscorsvw.exe
1616	GROOVE.EXE
2272	maintenanceservice.exe
2756	msdtc.exe
2712	msiexec.exe
1852	OSE.EXE
1516	OSPPSVC.EXE
1296	perfhost.exe
2016	locator.exe
1820	snmptrap.exe
780	vds.exe
1544	vssvc.exe
2568	wbengine.exe
2824	WmiApSrv.exe
2392	wmpnetwk.exe
1272	SearchIndexer.exe
2552	dllhost.exe
2528	mscorsvw.exe
756	mscorsvw.exe
2036	mscorsvw.exe
1044	mscorsvw.exe
1800	mscorsvw.exe
1768	mscorsvw.exe
1584	mscorsvw.exe
2256	mscorsvw.exe
2540	mscorsvw.exe
2388	mscorsvw.exe
2360	mscorsvw.exe
2968	mscorsvw.exe
2036	mscorsvw.exe
1976	mscorsvw.exe
2428	mscorsvw.exe
1396	mscorsvw.exe
1032	mscorsvw.exe
2240	WMIADAP.EXE
1596	mscorsvw.exe
1992	mscorsvw.exe
1868	mscorsvw.exe
1636	mscorsvw.exe
1348	mscorsvw.exe
1360	mscorsvw.exe
2116	mscorsvw.exe
2864	mscorsvw.exe
1020	mscorsvw.exe
1540	mscorsvw.exe
1956	mscorsvw.exe
1804	mscorsvw.exe
1860	mscorsvw.exe
1636	mscorsvw.exe
2500	mscorsvw.exe
2472	mscorsvw.exe
956	mscorsvw.exe
2268	mscorsvw.exe
2764	mscorsvw.exe

Loads dropped DLL 64 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2712	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
760	Process not Found
480	Process not Found
1804	mscorsvw.exe
1804	mscorsvw.exe
1636	mscorsvw.exe
1636	mscorsvw.exe
2472	mscorsvw.exe
2472	mscorsvw.exe
2268	mscorsvw.exe
2268	mscorsvw.exe
1536	mscorsvw.exe
1536	mscorsvw.exe
1456	mscorsvw.exe
1456	mscorsvw.exe
1972	mscorsvw.exe
1972	mscorsvw.exe
1300	mscorsvw.exe
1300	mscorsvw.exe
1716	mscorsvw.exe
1716	mscorsvw.exe
1732	mscorsvw.exe
1732	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
540	mscorsvw.exe
540	mscorsvw.exe
1040	mscorsvw.exe
1040	mscorsvw.exe
2904	mscorsvw.exe
2904	mscorsvw.exe
1972	mscorsvw.exe
1972	mscorsvw.exe
2388	mscorsvw.exe
2388	mscorsvw.exe
1456	mscorsvw.exe
1456	mscorsvw.exe
2604	mscorsvw.exe
2604	mscorsvw.exe
1036	mscorsvw.exe
1036	mscorsvw.exe
2856	mscorsvw.exe
2856	mscorsvw.exe
1396	mscorsvw.exe
1396	mscorsvw.exe
1488	mscorsvw.exe
1488	mscorsvw.exe
756	mscorsvw.exe
756	mscorsvw.exe
2076	mscorsvw.exe
2076	mscorsvw.exe
1196	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Windows\System32\vds.exe	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Windows\System32\msdtc.exe	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Windows\system32\wbengine.exe	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\System32\alg.exe	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Windows\system32\locator.exe	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f5e851668a0c1054.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM28B6.tmp\GoogleCrashHandler64.exe	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM28B6.tmp\goopdateres_sl.dll	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM28B6.tmp\goopdateres_hu.dll	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM28B6.tmp\goopdateres_th.dll	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM28B6.tmp\goopdateres_is.dll	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM28B6.tmp\goopdateres_kn.dll	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM28B6.tmp\goopdateres_fil.dll	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2C1F.tmp\Microsoft.Office.Tools.Outlook.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E88.tmp\Microsoft.Office.Tools.Common.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14e.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP63D2.tmp\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A1D175D3-76B0-4CF0-B19D-664CEDF16CDA}.crmlog	dllhost.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP60E5.tmp\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAF71.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE753.tmp\ehiVidCtl.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP93C7.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP59D3.tmp\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100 = "Sound Recorder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007022a639ed32da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msconfig.exe,-126 = "System Configuration"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SNTSearch.dll,-504 = "Create short handwritten or text notes."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\XpsRchVw.exe,-103 = "View, digitally sign, and set permissions for XPS documents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114 = "Windows Fax and Scan"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008 = "Windows Mobility Center"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1160	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2468	329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: 33	2260	EhTray.exe
Token: SeIncBasePriorityPrivilege	2260	EhTray.exe
Token: SeDebugPrivilege	1160	ehRec.exe
Token: 33	2260	EhTray.exe
Token: SeIncBasePriorityPrivilege	2260	EhTray.exe
Token: SeRestorePrivilege	2712	msiexec.exe
Token: SeTakeOwnershipPrivilege	2712	msiexec.exe
Token: SeSecurityPrivilege	2712	msiexec.exe
Token: SeBackupPrivilege	1544	vssvc.exe
Token: SeRestorePrivilege	1544	vssvc.exe
Token: SeAuditPrivilege	1544	vssvc.exe
Token: SeBackupPrivilege	2568	wbengine.exe
Token: SeRestorePrivilege	2568	wbengine.exe
Token: SeSecurityPrivilege	2568	wbengine.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: 33	2392	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2392	wmpnetwk.exe
Token: SeManageVolumePrivilege	1272	SearchIndexer.exe
Token: 33	1272	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1272	SearchIndexer.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeDebugPrivilege	2004	alg.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeDebugPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe
Token: SeShutdownPrivilege	576	mscorsvw.exe
Token: SeShutdownPrivilege	2732	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2260	EhTray.exe
2260	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2260	EhTray.exe
2260	EhTray.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2112	SearchProtocolHost.exe
2112	SearchProtocolHost.exe
2112	SearchProtocolHost.exe
2112	SearchProtocolHost.exe
2112	SearchProtocolHost.exe
2112	SearchProtocolHost.exe
2112	SearchProtocolHost.exe
2112	SearchProtocolHost.exe
2112	SearchProtocolHost.exe
2112	SearchProtocolHost.exe
2112	SearchProtocolHost.exe
2112	SearchProtocolHost.exe
2112	SearchProtocolHost.exe
2112	SearchProtocolHost.exe
2112	SearchProtocolHost.exe
2112	SearchProtocolHost.exe
2112	SearchProtocolHost.exe
2112	SearchProtocolHost.exe
2112	SearchProtocolHost.exe
2112	SearchProtocolHost.exe
2112	SearchProtocolHost.exe
2112	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 2112	1272	SearchIndexer.exe	35
PID 1272 wrote to memory of 2112	1272	SearchIndexer.exe	35
PID 1272 wrote to memory of 2112	1272	SearchIndexer.exe	35
PID 1272 wrote to memory of 2420	1272	SearchIndexer.exe	34
PID 1272 wrote to memory of 2420	1272	SearchIndexer.exe	34
PID 1272 wrote to memory of 2420	1272	SearchIndexer.exe	34
PID 2732 wrote to memory of 2528	2732	mscorsvw.exe	39
PID 2732 wrote to memory of 2528	2732	mscorsvw.exe	39
PID 2732 wrote to memory of 2528	2732	mscorsvw.exe	39
PID 2732 wrote to memory of 2528	2732	mscorsvw.exe	39
PID 2732 wrote to memory of 756	2732	mscorsvw.exe	40
PID 2732 wrote to memory of 756	2732	mscorsvw.exe	40
PID 2732 wrote to memory of 756	2732	mscorsvw.exe	40
PID 2732 wrote to memory of 756	2732	mscorsvw.exe	40
PID 2732 wrote to memory of 2036	2732	mscorsvw.exe	71
PID 2732 wrote to memory of 2036	2732	mscorsvw.exe	71
PID 2732 wrote to memory of 2036	2732	mscorsvw.exe	71
PID 2732 wrote to memory of 2036	2732	mscorsvw.exe	71
PID 2732 wrote to memory of 1044	2732	mscorsvw.exe	42
PID 2732 wrote to memory of 1044	2732	mscorsvw.exe	42
PID 2732 wrote to memory of 1044	2732	mscorsvw.exe	42
PID 2732 wrote to memory of 1044	2732	mscorsvw.exe	42
PID 2732 wrote to memory of 1800	2732	mscorsvw.exe	44
PID 2732 wrote to memory of 1800	2732	mscorsvw.exe	44
PID 2732 wrote to memory of 1800	2732	mscorsvw.exe	44
PID 2732 wrote to memory of 1800	2732	mscorsvw.exe	44
PID 2732 wrote to memory of 1768	2732	mscorsvw.exe	49
PID 2732 wrote to memory of 1768	2732	mscorsvw.exe	49
PID 2732 wrote to memory of 1768	2732	mscorsvw.exe	49
PID 2732 wrote to memory of 1768	2732	mscorsvw.exe	49
PID 2732 wrote to memory of 1584	2732	mscorsvw.exe	50
PID 2732 wrote to memory of 1584	2732	mscorsvw.exe	50
PID 2732 wrote to memory of 1584	2732	mscorsvw.exe	50
PID 2732 wrote to memory of 1584	2732	mscorsvw.exe	50
PID 2732 wrote to memory of 2256	2732	mscorsvw.exe	53
PID 2732 wrote to memory of 2256	2732	mscorsvw.exe	53
PID 2732 wrote to memory of 2256	2732	mscorsvw.exe	53
PID 2732 wrote to memory of 2256	2732	mscorsvw.exe	53
PID 2732 wrote to memory of 2540	2732	mscorsvw.exe	55
PID 2732 wrote to memory of 2540	2732	mscorsvw.exe	55
PID 2732 wrote to memory of 2540	2732	mscorsvw.exe	55
PID 2732 wrote to memory of 2540	2732	mscorsvw.exe	55
PID 2732 wrote to memory of 2388	2732	mscorsvw.exe	61
PID 2732 wrote to memory of 2388	2732	mscorsvw.exe	61
PID 2732 wrote to memory of 2388	2732	mscorsvw.exe	61
PID 2732 wrote to memory of 2388	2732	mscorsvw.exe	61
PID 2732 wrote to memory of 2360	2732	mscorsvw.exe	66
PID 2732 wrote to memory of 2360	2732	mscorsvw.exe	66
PID 2732 wrote to memory of 2360	2732	mscorsvw.exe	66
PID 2732 wrote to memory of 2360	2732	mscorsvw.exe	66
PID 2732 wrote to memory of 2968	2732	mscorsvw.exe	70
PID 2732 wrote to memory of 2968	2732	mscorsvw.exe	70
PID 2732 wrote to memory of 2968	2732	mscorsvw.exe	70
PID 2732 wrote to memory of 2968	2732	mscorsvw.exe	70
PID 2732 wrote to memory of 2036	2732	mscorsvw.exe	71
PID 2732 wrote to memory of 2036	2732	mscorsvw.exe	71
PID 2732 wrote to memory of 2036	2732	mscorsvw.exe	71
PID 2732 wrote to memory of 2036	2732	mscorsvw.exe	71
PID 2732 wrote to memory of 1976	2732	mscorsvw.exe	72
PID 2732 wrote to memory of 1976	2732	mscorsvw.exe	72
PID 2732 wrote to memory of 1976	2732	mscorsvw.exe	72
PID 2732 wrote to memory of 1976	2732	mscorsvw.exe	72
PID 2732 wrote to memory of 2428	2732	mscorsvw.exe	73
PID 2732 wrote to memory of 2428	2732	mscorsvw.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2260

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
PID:956

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1616

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1852

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1296

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:780

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2824

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 600 604 612 65536 608
  2⤵
  PID:2420
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2112

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2016

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:1516

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2756

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2272

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:832

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"
1⤵
- Executes dropped EXE
PID:2528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1e0 -Comment "NGen Worker Process"
1⤵
- Executes dropped EXE
PID:756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 254 -NGENProcess 244 -Pipe 240 -Comment "NGen Worker Process"
1⤵
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 23c -NGENProcess 234 -Pipe 1e8 -Comment "NGen Worker Process"
1⤵
- Executes dropped EXE
PID:1044

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 258 -NGENProcess 24c -Pipe 238 -Comment "NGen Worker Process"
1⤵
- Executes dropped EXE
PID:1800

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:2524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 244 -NGENProcess 23c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 26c -NGENProcess 234 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 25c -NGENProcess 248 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 274 -NGENProcess 264 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 274 -NGENProcess 25c -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 280 -NGENProcess 274 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 278 -NGENProcess 234 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 26c -NGENProcess 274 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 23c -NGENProcess 288 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 28c -NGENProcess 274 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 27c -NGENProcess 234 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 290 -NGENProcess 244 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 290 -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 290 -NGENProcess 294 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 284 -NGENProcess 27c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 280 -NGENProcess 2a4 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a8 -NGENProcess 27c -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  PID:1636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 29c -NGENProcess 294 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 1e0 -NGENProcess 2ac -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 2bc -NGENProcess 2a8 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:1020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2c4 -NGENProcess 23c -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2b4 -NGENProcess 2b0 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2c8 -NGENProcess 1c8 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2a8 -NGENProcess 1c8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 1e0 -NGENProcess 2b4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2d0 -NGENProcess 2d4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 1c8 -NGENProcess 2e0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2bc -NGENProcess 2e0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2e8 -NGENProcess 2e4 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2e4 -NGENProcess 2d4 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 2a8 -NGENProcess 2f0 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2f0 -NGENProcess 2e0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 2e4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2e4 -NGENProcess 2a8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:1280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 1e0 -NGENProcess 2f8 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 2f8 -NGENProcess 304 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:1132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 308 -NGENProcess 300 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 300 -NGENProcess 1e0 -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  PID:1140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 310 -NGENProcess 304 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 318 -NGENProcess 310 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 318 -NGENProcess 30c -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 2a8 -NGENProcess 31c -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 320 -NGENProcess 30c -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 30c -NGENProcess 1e0 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 30c -NGENProcess 320 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a8 -NGENProcess 248 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2a8 -NGENProcess 278 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 32c -NGENProcess 1ac -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 248 -NGENProcess 324 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 324 -NGENProcess 278 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 318 -NGENProcess 32c -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 32c -NGENProcess 248 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 338 -NGENProcess 330 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 330 -NGENProcess 318 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 340 -NGENProcess 324 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 338 -NGENProcess 348 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 248 -NGENProcess 34c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 350 -NGENProcess 248 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 248 -NGENProcess 2f0 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2f0 -NGENProcess 338 -Pipe 1b4 -Comment "NGen Worker Process"
  2⤵
  PID:1664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 358 -NGENProcess 340 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 248 -NGENProcess 35c -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 354 -NGENProcess 360 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 340 -NGENProcess 364 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 338 -NGENProcess 360 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 1e0 -NGENProcess 36c -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:1396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 370 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 374 -NGENProcess 36c -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 338 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 370 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 36c -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 360 -NGENProcess 338 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 37c -NGENProcess 388 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 38c -NGENProcess 338 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 36c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 360 -NGENProcess 388 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 38c -NGENProcess 398 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 35c -NGENProcess 39c -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 384 -NGENProcess 398 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 3a0 -NGENProcess 38c -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 35c -NGENProcess 3a8 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 39c -NGENProcess 3ac -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3b0 -NGENProcess 3a8 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 37c -NGENProcess 3b8 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 37c -NGENProcess 3b4 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 35c -NGENProcess 3b8 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 35c -NGENProcess 3c0 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 35c -NGENProcess 3a0 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3cc -NGENProcess 35c -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 35c -NGENProcess 370 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:1084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 3d0 -NGENProcess 3b4 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3cc -NGENProcess 3d8 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3a0 -NGENProcess 3b4 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3a0 -NGENProcess 3cc -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3bc -NGENProcess 37c -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 3b4 -NGENProcess 3e4 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3cc -NGENProcess 3e8 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 37c -NGENProcess 3ec -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 3f0 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3f0 -NGENProcess 3e8 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3a0 -NGENProcess 3fc -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3bc -NGENProcess 3e8 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 1cc -NGENProcess c8 -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3b4 -NGENProcess 1cc -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f0 -NGENProcess 3fc -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3f8 -NGENProcess 40c -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:1636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent c8 -InterruptEvent 1cc -NGENProcess 410 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 1cc -NGENProcess c8 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3d8 -NGENProcess 418 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 410 -NGENProcess 41c -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent c8 -NGENProcess 420 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:1540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent c8 -InterruptEvent 3f8 -NGENProcess 41c -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 418 -NGENProcess 428 -Pipe c8 -Comment "NGen Worker Process"
  2⤵
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 418 -NGENProcess 424 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 3f0 -NGENProcess 430 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  PID:3068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 434 -NGENProcess 424 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:1340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 414 -NGENProcess 438 -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 410 -NGENProcess 43c -Pipe 420 -Comment "NGen Worker Process"
  2⤵
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 424 -NGENProcess 440 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 430 -NGENProcess 43c -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 448 -NGENProcess 410 -Pipe 444 -Comment "NGen Worker Process"
  2⤵
  PID:296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 424 -NGENProcess 44c -Pipe 430 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 414 -NGENProcess 450 -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 428 -NGENProcess 44c -Pipe 43c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 410 -NGENProcess 44c -Pipe 454 -Comment "NGen Worker Process"
  2⤵
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 438 -NGENProcess 458 -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:1540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 460 -NGENProcess 428 -Pipe 45c -Comment "NGen Worker Process"
  2⤵
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 464 -NGENProcess 450 -Pipe 448 -Comment "NGen Worker Process"
  2⤵
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 410 -NGENProcess 468 -Pipe 460 -Comment "NGen Worker Process"
  2⤵
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 46c -NGENProcess 450 -Pipe 440 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 450 -NGENProcess 44c -Pipe 424 -Comment "NGen Worker Process"
  2⤵
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 470 -NGENProcess 438 -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:1664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 46c -NGENProcess 478 -Pipe 464 -Comment "NGen Worker Process"
  2⤵
  PID:1924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 440 -NGENProcess 438 -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 480 -NGENProcess 470 -Pipe 47c -Comment "NGen Worker Process"
  2⤵
  PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 480 -NGENProcess 440 -Pipe 44c -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 478 -InterruptEvent 474 -NGENProcess 488 -Pipe 468 -Comment "NGen Worker Process"
  2⤵
  PID:968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 474 -NGENProcess 478 -Pipe 440 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 484 -NGENProcess 490 -Pipe 450 -Comment "NGen Worker Process"
  2⤵
  PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 484 -InterruptEvent 428 -NGENProcess 478 -Pipe 46c -Comment "NGen Worker Process"
  2⤵
  PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 494 -InterruptEvent 438 -NGENProcess 498 -Pipe 484 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 474 -NGENProcess 49c -Pipe 494 -Comment "NGen Worker Process"
  2⤵
  PID:988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 498 -InterruptEvent 474 -NGENProcess 48c -Pipe 478 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 49c -InterruptEvent 488 -NGENProcess 48c -Pipe 470 -Comment "NGen Worker Process"
  2⤵
  PID:276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 490 -InterruptEvent 498 -NGENProcess 4a8 -Pipe 49c -Comment "NGen Worker Process"
  2⤵
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 498 -InterruptEvent 4ac -NGENProcess 48c -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 490 -NGENProcess 4b0 -Pipe 498 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 474 -NGENProcess 4b4 -Pipe 438 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 48c -NGENProcess 4b8 -Pipe 488 -Comment "NGen Worker Process"
  2⤵
  PID:2836

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1620

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3004

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2612

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Users\Admin\AppData\Local\Temp\329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe
"C:\Users\Admin\AppData\Local\Temp\329122deefb10685bd94bdc11c49ffb32722f19b8a1d792b6028834e29829b4d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
- Executes dropped EXE
PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
55KB

MD5
854a8f14643ad7fb3cb0de9f94db8def

SHA1
8c3b1dd217de596b0302923853b535df211541f9

SHA256
64a00f8faa0015bd96737e9d001b9afc44bdb8b64c9eddc5d2d56d034960ae1f

SHA512
a4c87df3d9c1d0bbdb70172f3fe8a2a773db4bd7bb972b7586bfc3dfd8ad84090f49ae1630d8d8aeb41ca4a2c992ff3697a4b84fa851fbeb6fcf0b35c3d56218

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
11KB

MD5
4eb0ba2262c77cdfa324a829e8dbbeba

SHA1
950248cd64f62698d9103ae920142588704916f1

SHA256
c3b69a233f88a1973df195e53e8f11b6a927c5f8aa8d3cf11fdf55bcb03492b7

SHA512
067c4c4b06a0ec266fbfc9d2a4454795d4489536b0f3c8acecd6bee68afa57f71d46573fd7c38a604ad6593a020336f6b1ea7dc6b9fcc6b1a9de8deec00ad353

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
24KB

MD5
26b2400f232cd94455b228cfcfcd17ac

SHA1
d0efab4ac7a272b82c0c2c9312bb61395b43169c

SHA256
2363effc0bb30a73518bf3fe58a7ed5122c0459bca89d1eb5f8e3ce25f9fd641

SHA512
8d7be984900b33e584624d9625ab6367239de52872bf99d0e059ca848fd92d38053191d3540bbd26260f32895ddbe436a2930b8405b60285a8edd3e5133a6ba5

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
26KB

MD5
26825fd3874fe419e63f7e1e65798392

SHA1
1c3e260be2ffb7a2a69db36b7ac1a5c4a69e088c

SHA256
1acc5846b25daa7bf52e2bb20909d1205c967fa6d11f5266ec8eae2ee221ea40

SHA512
dd815fdefa7cd8b75aadc42dc78a082b5cb5a5f8184ac7d7096e7a8ff7826bc1808c43cc98072b866822e78d7421adc5c76eced63fc5b50421397f5e1785e88a

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
0326d2811945db2257068adbab1f032a

SHA1
a0afc9d4fc6f148e4c69a618ecfd1c0505191ef6

SHA256
23b6950d6e675957dddcc9d0638cb7d4ddeab84ad26bf842a43f6361eeb71205

SHA512
6b426cfb88f3a5d6e4449fa5c37b074907219795015ce0b64745bd387e1901be75172298c9f23b249bad1f3280f84b31cfe127a923cd202f3c6ad7ebad2a6157

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
76KB

MD5
a5e3d183c30fd5209a28cb3037226d22

SHA1
2b7a3a3b6783404e0609b149c4e3eaaaaf1aa50b

SHA256
da94b6c7996d2291f55301f24a79b8478a24f4517d96df6ea96f5b6a8e03f1fa

SHA512
5c461436d12f0601eaef810c57905a5cb1c8e50793b337250d029096e1cd789bc1322ec05e6bfff390384cff6858a9d0597c452b9de5605573f64af5bdbbd51a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
51KB

MD5
4d367bcc80d65cb834f644441370c626

SHA1
87ed84cec7ec81ac8d323a3c0655d547023dbc12

SHA256
d53657f6b81795b951fd8adc0257d428d41851fa9b1bbbb77ab01d3d5fcaa97d

SHA512
e603a0faeb75d65db0c8771dc03eb211b3320ba7896b131c43e6b068a00218043cfcced602b8051fe58803b7c026557ad9636bab0927ebe3700f2d0a67dee36e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
14KB

MD5
2689ae1a790840e5a67b5426c142e806

SHA1
a3c384a30504292686b132d6aacd4b976e5019a3

SHA256
b9edeab37d6eccc4dfcafc7671039a6ffe9e7d7b9310ed0da5d187c98c36dc53

SHA512
aefab0651dc768d03148e688ed91fc6c0a2ca7d693ced98ff5b6d393860f1f1e453b3399bb952e3c873caf7e195f3fdf20981bf80f4f70308efd23d248c54f61

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
427KB

MD5
e8eee7e36f67d4a5417b55cfeec67468

SHA1
5e4a594af21ad8f88c6dbbd6995352c84ddb2fff

SHA256
25ee3cae7ba519d47e0b5eb5a0df16a3572d077ea54f2b842aec3c7064a73b3e

SHA512
daaa74bfce722f07526099aabef2bc49320d0e4c7671abbda883a23dadb9a39eaaf29d6dd6f14dfa993f984194fd54fd4afa67da4fa95c3670785b9088795683

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
482KB

MD5
0587779bdc38e956a3bd02d5503d3f1b

SHA1
6b795cfff9ea184b1c3cfdb8c8e88f67f60dc26f

SHA256
10a3cc4adaa45f71af094185351b9a46a90f80b05174417d8069c0af0121af21

SHA512
511c624cca666ec31da8fda8d92e45eae861b743af94383a15ed918cd7eac5154ec30dd1314fc8f3a71a251f83e5e592d496303300ee229631a949e88d921017

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
412KB

MD5
d7862c459158d8261cf9e77d4a556dc9

SHA1
6cc4c0e0444c0ed43e8265d33e307683d8e1865d

SHA256
368992e2655e705c368bab82fe62e13cc28586750abba7367cb99ff9eddf6885

SHA512
3ebf1dee5f64f7a823f8890b11032ab9466f02a14cea5f2401d2a4ca4919c7da9e7d0ea2226406676a7afc614b412deaa31267640fc0a965ee78cae4df8db507

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
620KB

MD5
5690b13b615882631f9dda7088c86667

SHA1
ff3faebd31b55cf1e68941198f3590c7c29de017

SHA256
47e429495aa2b74ec1d47f41dd1739b05b906b1014d0627cb0c37de545639157

SHA512
af2728a8038b3592d6c43c549bfe4025a7bcfd4d445bcf608a96939ff19b925aeeee0742a1445993328f6c2ec4151e4087f3c567a6b9648c205478b7daf89ff8

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
1.7MB

MD5
b5952ea4dbe10ae0d3cbb17380b94c4f

SHA1
50db49728e958689e87cd64730b65a03d8b5de03

SHA256
99ad45b6f7063eae75b2d75562c7d943f2c7ad2260eb3f9ee4c60f9905bd5fb3

SHA512
43a180167e06a8503405396a1e95d70ff24616e25a418e270e9fd0eff4d4a6bbf126747386cd65c154dc962bf1e5251fe77d93dda048de51727b395fd1677510

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
133KB

MD5
0bdfaaf1d05ed6d60fae2e5436e20e0f

SHA1
3ad5a0acc116c6b4baeae504d8103a1acab83f6f

SHA256
274fea6503a0f1623938c804f73ec93e6e03f5bb02bb91705162c31503305156

SHA512
a4791df2c78640a3dafd400f4c1d252825a024852767cec94d325c09b016b85ff6256e22077122b74874b1f7c1ec329d4117bf7901c970e3662cac175082a6e3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
202KB

MD5
70835d8afdf3f99a141e16fe7eb1f2e2

SHA1
ce7ddc921badaf790ecdcf0352cc6ca1f661d2ca

SHA256
28c7cef44b06ab85c725edf7ee96bd233703de4b71a9f3ab0e9cace49a8fdef4

SHA512
dd4e70b20481cad442da5b6cf925a1d9dbe1cd178954867ca021675148407f5476744f00a9d9ed9ceab5cc0bc8f7d5a8dfcf36a120b87a50d1d705de855cd98a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
212KB

MD5
770e52d04d51a20ea1ecab6cad609e8d

SHA1
46af0d4d3bcd0b46a6e7f15c4943b6d1dd0fe0ae

SHA256
58dcfb9496fec22d233773b11327fd6bca34f1375b8575cb82da3a165e58c780

SHA512
a383649f946a32ffe6fc069b1359b36284e68fead2af27d6d6f320677557885c2925b4058f5f5ac85c5f57f7154a09c3af39f4d1072aff9cc3d405c15ddb6f29

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
120KB

MD5
4a1dece6c685552944c29b49e5d29e2c

SHA1
bdf4c5a86a4e908e61e7aa7225d43b244561be14

SHA256
f27a9cc71e9d7376920bc34f50bd4c1ad2590b2c75491a9b90216fca7f7458fd

SHA512
abe9750dcce8de80efd657b0716ce2641b31d88e37098532ffdf90719e94b7b5a4c9140c40bc03827cedcc91f08a60defe912b7a9706d8988150e379bc7cbb3f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
97KB

MD5
aac63ff5cd40eb608fde22dbec94384a

SHA1
b3a9edafe70f6e5c034ac2c7dd2d1eec2a401d98

SHA256
3635982c0c41a3c95b8015743d096b10f87eae1dcd5777d18b7cbeb549eba047

SHA512
431208a62b88905fd432ab9b2f08a9500c1fbee6743e98ceee15734a44462ff1b7a66ba81e2be2a398dd44636ba1ef903450e4838e686483f14990a7462e72a8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
226KB

MD5
f5c6c30303997fbf4973332a50552bf6

SHA1
3bc58b190e498e622bab8759a6a6be8ca335b291

SHA256
efe81d1d79539c61d0d3e34634eaf8dd7cf6ef1e4d1fd73a4b1e61489709c7df

SHA512
db98c8b05b4f66cfdd32032051c82c4f90336892019a53deea9ff8bc8e9d1e1bab8b68276be44fecbe0aeea1876131f50593b6f1b6aaf523138cf9d89019b6c9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
179KB

MD5
0c8aa541f9f6d6a7f9e3483ccae608cd

SHA1
c17922f2615a3d1dcd84685188b0c7bc256eb3ac

SHA256
46a8528aa1946b10ba497dc1c7e85dcdcdf1b42a38fc38d5090dca31ceb43092

SHA512
21ff4eb00daeb037ab9ef309e7afb1ab875e73b180d5e8145bdbd15a58160e0f18daabdb211ffb738d3e82a0c20dbf74a85c088a875fccd96eb4ca753152ef4f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
790KB

MD5
89592e1fa18935c3fb61354d6a27e7a5

SHA1
bca9f9488f0d4e6b5039835c4b85f8e38adb2dbc

SHA256
140fbe16d4c44212fff86f29d8f1c7bfccd0c452cadf2d58a34cddb6f6e33a8a

SHA512
b08a56527d44ea5e136c05f440e7a1c457acf7c95f8a9864d54b4434dec6cc9dced0e6e38340709941ce951e52db4ea77fce9ea8da4ed152565089cb596fa1ac

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
64KB

MD5
8d6cdaca1ecc070551a9861a5239b3db

SHA1
84deaa8137c8b1b9d4e0d42fbe81fa7b5e1727ec

SHA256
f93c94531d851678c0a2880d8874fdf91dcb37daaa3218316e4bbf0850ca172b

SHA512
857deab297e272ba25983725e83530797c1df596b7c57727a2f157792bf96cc6e65e0d9c540a709d5a25cedd530bdb08acd2eaa5aa0badada31754ebde2fae90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
117KB

MD5
6770d024b691fbf7adfadab44e5f896a

SHA1
8217aa609c03c8b641acc716f8d1aaa479a2372a

SHA256
8d2f73cf518960ba56703663709d5ec260385a1fd28459e0c2a8151cc254c7b5

SHA512
345878ab75a6184fdde4425cf61a42096409d222912bc4cfe03148e25a02650dd9fb8772e9a3c32c1ca6ffb5a1b3505dfcedae3c73e4a2ca037d28f6f33d2464

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
196KB

MD5
eda0ddfa045058b1e10ec5c708203591

SHA1
9bac5fe105b0085a425ee30131bede7a002f7e74

SHA256
cf95a9115d214c886d66320f2cd79d84d0d762aad96685021f5cd3b604ff8896

SHA512
d35a9361f0b156e2662fdd220903690e008d5f45b2c55ce76b7e1074519dabfb9309e53dc53f134133940459cf2935f7d75576487c7b7c99a5e34ed64136ead5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
104KB

MD5
a63e48d8942e9bdd78c4c2d3980ff0a1

SHA1
d7c347f5a66b7011f537cbde8ce075e4a435fa21

SHA256
5e27c64553fcdf746aa3272833d57e5331dd4242f5fee472c1201a487f66dc1d

SHA512
61c8a37b36fa838ca9058798769ec8f21f2d2196bb1b0999f2f9eab78a96a022f2e75575ee1160a561373b9fc18c0f194054e7d2f5139bc6647a2d4708465529

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
45KB

MD5
1c30cebad840e58d144506bb45ce4dbe

SHA1
c243e43516ccc0c6b698c6001a24b8b5d066666b

SHA256
bb1153243b2eefd38cc2c05639f59f1c054e8d8914d50906811d627bfecb49f5

SHA512
91d7d48a49a2f0f1f27bb12841e1f2c9d3fcacb3ef8bde2a1cea45b19c94089bf0e0e30b3c36f3a793aaf0771da99358ae094610412c0caa78326621406cae32

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
129KB

MD5
b5a63a06221c409531629e0660527d6d

SHA1
a487a05f30cbcacba35abdb77eaaefde139c7caa

SHA256
5876da7a122b51f728e1fcfb55c536175442d8f1daab5e5dfcc10611e6960e2f

SHA512
117d43f94d4c0b40c081e98dbd3644485a9db809d3b6fad5a9934e2abb8f6047057a5ee3a82a57df6ed94988794d2f28a0284024fafc917731d38f4cb1f07e78

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
149KB

MD5
29020cc55bd208bb69efc20864460727

SHA1
84b81c53479a184010f56d1db2351845bdd655e2

SHA256
99f7688c2f8de256878e1f84acf18efe0e510138def376a2ae39802306019f2b

SHA512
4c77c2b464494eb56bc597b8a090fdf17ff08a416605706d69b45491833082e60337bc730df7172501e16c4c34ee755070802adadda0c925efbd21ca80f1e2a2

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
197KB

MD5
c9aa4d04e05e0435c860a1f46b71b7db

SHA1
7915c39e63c4f611893b1dab5591560e3a4fc722

SHA256
174827859f80227ee75fe9b3e03d23eb8642e89f3b3d2e538b5be4ac151d46a7

SHA512
e39682051743036437ed68b216e77b141d5eb6239db4abe13c4f247ceca1e7c62652ae0d717238eb021c2dfec082db50b55a8dfa7dc8004b60f5f8122338e717

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
136KB

MD5
bdd372f8aacde0f947de26ed000f78e4

SHA1
10c3d4ba2edb3bfb8c4921565f59aacc36a28d48

SHA256
1cf4d73d77b831856b756adad2735af35c940b06acf9c69461a31d410a049aab

SHA512
1f6056b658957c58d7221467bbdfca025759b325441a4dfb92ab3ae7ad7b6180a42728e2b616004d6629445f5552422c7176bcb261c886dd26a3bb3384e184b8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
191KB

MD5
c057133590255ca7cfc252641cb0fb40

SHA1
6d4393c052732772770e4afdfde8049a6d75665f

SHA256
13321429a9d5ecbc6cc6b45bba1e40d547d37cbaaa852380ef79ae635faacd02

SHA512
db65bff60b1508cc4c04c5c403fdfc561a3714c33b5bb5f67608538663f4b05f65a60e09abb7a55188e33c0c7bfa788f40374491f82ce91078c4aa804cd16552

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
126KB

MD5
7ab0dfecfd6c415b56cfc75fedb455e3

SHA1
ce6c290a0bf0eac6ec7d146bc114f2de71c28dd0

SHA256
fbc02a194e13fe3b1b9f2c41bf4822dc607e358bb9fe4779fd721f93ed75a81b

SHA512
caaddcabcd243767ba0022d32784315d1724b1144470de7583e109b41d7ac1d4614adf8d1cfdd330fc603e0f5039c00cfcc52a594f3b58d42f855fa99cfd1b58

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
146KB

MD5
3c6cf715ccfcddff70aebe3042b2682a

SHA1
af5c89d268029a14b3f55f4f1eabd66d1caa8819

SHA256
0f8ce5033690927fac066d9744ece3fc35a45ce8c84d183fe00606f8b82b6ec6

SHA512
d3ed16dc00ab3e37dfc9fe1e32fd39ee74b242a56239c63b64ace55b68de73b101150aefc5159a747fe8cb0d4a02d40cdcd173cff0c948eece2eebb9f1ecfb5f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
17KB

MD5
d8ace04d0f74545b8bea4a52172ea716

SHA1
f29e6a77fb1e781535f557d10eb66ed41d4ed52d

SHA256
459d473b48f8aff825f0d6c124388f3c612e753746a99289a929f79579255a83

SHA512
a9a15d947ae3bd76a0f09b58d9c0c78bd67406d1af1f8e3c5b2bc6a4f2ffc1e821b13c56bf1b51ec6c66bbc7e81424a4264072903f7fd276060305b39085fc75

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
18c06a5f869bc6a758ee3f2b0f3bfe3d

SHA1
6319a1b7ef0e87d9477584697b89f63aff9d1695

SHA256
ab774da4ba596647789344db60dc3d5fd8cf8bde5637c6cf6725c7c7e6030fae

SHA512
c2512f3e1285fed36640b28231ba62a4eef7afe0dd8d97d34d1c544bc3b12a0f7d75852d52bf0956c7d6d9e20d94cf37abeeafa023c3600da40dc51c34deb238

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ecd6ccd6f43045bb495c7d5b03349efc

SHA1
d8f84765285b5dd91c481a2d6852f176d0762c46

SHA256
171492f04d902b06441db071c769b0161f9d01ae2f853ba8e8ba323ccb6a7977

SHA512
d2b57e1708101f1c355261aa79de622e73b81b2219197aaa50bef353439be985f34efd640bb73e6f422d23c57c8b2c0bbcfd6d19d09cc52a531c5108e324f172

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.0MB

MD5
51bf3a21a54cfd854f011db66eb2895f

SHA1
c2534504f828ec113efb826691356b62d6f0e551

SHA256
19ec1b4ba9dc5df6cba9ebfd9d2204538c2fc1454fab08dc3a68c3f5a9fe4009

SHA512
cb8fb7361ec99c76d1e8ecec6ac164658766214f88210a1412b719951210fe149d00533bd50c0daef667d70241d84fe4bb39fed7699caf5a6b9c1408a77ae8ca

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
69KB

MD5
ac8120d8cd2f9b8ab546a6b4730e038c

SHA1
70e2163dc92391b41a1a4442b382ea76b83ca819

SHA256
75ac267cb8c624689c6befd528fe3b665aa6a7cc7ad71478231acc239fbc5d9c

SHA512
3b48f98f5270262afae334da6630774c30ffc35ac1b769cc5077a3799bd31217eef3ee4e491a415df305f6fca4ec370fce6441514843b7dd691b6d8dad790539

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
64KB

MD5
07f555b9264f2aa9378e9407a8f5cb6f

SHA1
b61acc27543598a8c69c033a698190abbe26c0a4

SHA256
b41351dd2e1dd934f4bf165071b8b7a02cc204afc7b1d3765d02ae800609abb7

SHA512
ee8fe6f8c13a31ded7b6469f0810c97fb45c9b59dcc2fb3d602db59a95be5a7da1c5eae4c593fa06b90cb99c7dec97a01ffb4535886801076c0cae90e3ade100

Download Submit
C:\Windows\System32\alg.exe

Filesize
98KB

MD5
43b2453ade160b2f00bb5bac2bf7a9bc

SHA1
795175823130deedf9e40ada46be9af4f2e4a540

SHA256
7e02717222e6e29004b94a1903202c8b3fcbf257a398d445af0de3dfa0098cb8

SHA512
c41bbc3301a0017bc41092206d310c0428640d01d7614de5f48d9ac93a10f279881b4d67b6eadcc4696801f10c3ce6a6d0574454fd5dc95147ac6b8b8a6bcd2e

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
9KB

MD5
dd7a804f0e49adf712273c271ecd1128

SHA1
35cc3fd8d6921d0518e3726bbac91619c6fbab2b

SHA256
917ab3efbe6637d98e406dfaa7d409107f6d130c94bdc7ccf5d3585fb76eb48d

SHA512
08d7e95f902cd5db13a3c2a0db3687996a4d3823dfa6eb55a34fa38dc4bb83cee27a5f04e304d252667055e5dfb298b4ffde0ffcccb5b1ade754280bd015c9eb

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
85KB

MD5
c1042bfccd14dd840296467777ac562b

SHA1
0235753310604125817bd83a9ae6e33bbd240182

SHA256
83383e25dfaa584312bb00cd1a3cb06032eece4d0eca98b43491edaf8aa2f4ae

SHA512
4040f3bd04934e6e2186f49d7da2c3036a1f5df596ed7693b45a480271e7bb15b92fa896fbac15234a14998e475c11abb29df962aa94ef6ea2dc8f3ebe6b1925

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
162KB

MD5
970b33e10f994ba0a0e07faaf12500d2

SHA1
0f393684cd20f0577e892790d942e5055c12d88d

SHA256
4986224feadb7d33045cf4995bdb5e17aaff18fdb065c3714de35028e99c180e

SHA512
380c86d61a9254a1c79fcc4da4aabdf4f27974413bb990d30c8c7fa43bf34c9deff4d28fed6624b9f2ee49546fb2d8cfab90f610c4f7e0bb69856cb6ed2db105

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
86KB

MD5
ef5283c22e551a37ff6d66896172690e

SHA1
829c01b0301827b51615fa2e9a5fa93343ef8239

SHA256
3c2ece09005e8fa83bddac811c93bf1724e6d6b7033edb7e8b99b291e46d144b

SHA512
293cde2029b19e51f4fa5adf10116c7b11a70bc5af94dbc2268891ef063fdaf2744f2612ad59edae8452a084b20457acbc83cee5bd4061ee6521c821699da01f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
571KB

MD5
49cd434cb1476611d0a8ea8086961893

SHA1
2488404f14b32ea7fbc55b6fc7fab41e6ffb3cb7

SHA256
4543c252416fdc9a7cf7fe682b4c3d7a3ea9115d5fec3ab800702c1ebb4fdea0

SHA512
f8da894ff778403fa8aeab3510aed9bd115a3198df3c41a8f99a580d60e5982ca32d9dabd4e6250c31455807d0b090749f0e8888abe133b74733c85ec43190d9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1020KB

MD5
bb105f3394d55ca3582d2fc0272c2692

SHA1
9e456864043d7b8196887913b689ebbd02012485

SHA256
ac9df90bcdd726cc930523cf94e349a5b4c6408e7dd3baddd9547ddbbdef1f2d

SHA512
dfde5940ee1043edb2eea4bcf7304dd9e60ce7f2a613d453b7a5a35997d8414cf14aeeceb9b2586c4f71f5458a1e314a9d61a50f36b7bdd3854cdd95db0c8b45

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
833KB

MD5
3d5e83fda4a94a08b9bcf467a904ad2d

SHA1
c5e28bfe83aa4fd4cd16cd41f82ecd8697f57ec4

SHA256
01dad6075d9b9d7e66c9a69fcee9f441173a569148c986f818dd7276c8084703

SHA512
966a768441f5884bda69b6f2e48df0bdc3ab4f4e596a68f0d370ffe6827321571086c42e75b070a96281287215d562488bd742daf4d97ae85fed1cbca8f9b0fa

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
670KB

MD5
449621a2106af1116f172aeed633ba0e

SHA1
85b498f6a41086922641ed97c3511ef28d8f8dbb

SHA256
cba41d69dd35dc09d63e074ee52e7eadbeaf564bebffd2d88b7ad040dd70e72f

SHA512
98c640f95734c6bc7170e258305decb94f6eec575f34ba76f8aaa3b5e5e6ddffebcd46a0e0b589d0dbd85f113726b7a4676cdd9ce881d280ca2fe8d2d0978407

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\181356b1bbb85fe2401c4dfad1a45133\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0.ni.dll

Filesize
158KB

MD5
a763a9348ab4ee3bd593bb17d854e51b

SHA1
4d0c97ba6877e2f9ab32fe1316936a4f2e0ff2c9

SHA256
b2f9dce9baca3e56fb3587ffe30ca38eb0f89ed30985b328a853778480c0f87b

SHA512
e8d3896d4bd788d3ed923e0c9d3ba19fe9fc507060e2e5e8e410964f4c9d7331928324a79336079ccc84c050d8f0acfb03126a2e3622daac3846b0bfd028f602

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\43ac81bed18b52d77a8011ada80939b5\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.ni.dll

Filesize
296KB

MD5
7687295a6e19cc656b077e6a61629d4e

SHA1
fa1025de5cffb56a3d1f8cae9d09b7171b33326e

SHA256
ad8d210d001d3298ad4e1cbf08449b2cbd2b358d28cfad99db78639627a7cb86

SHA512
19de95fd90bc6f091e785074ee71dc15d450d65fbdea933e26650fb9c747d81ae2fca7f5f83192f17451a49a314d264cabea2202c805b6ffab729d381675734c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\44756f1c0fae37ce5905bb79b023453a\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
466b66bdcf8ebdc0f2add557241d1ab6

SHA1
1a791e6bb47997d5c93e672e0a63df8993bca741

SHA256
4fbda176e8f6b80e43373b135322b45e3241c149d1faf320db4dd401a29f10f7

SHA512
193e6c98b64aef6703d2161b49d4fec5b73d03be565e246c6b9c988a43c0794e0c67e67e5df9316fb4996621532c419a977ac9379cd96761bcc34bad9b0a230f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\48a294a6ff9cea6b26c38fc8b4f5e3e8\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll

Filesize
118KB

MD5
dbb47256e3b91ac062c33bda5dca0901

SHA1
f06e7e438e8005878be7e2093f2d52e5232a9b54

SHA256
a8a468e0162149442ef84194772865fee5044a6373326a4d32dad36535024560

SHA512
b58ac4e7fb20a3acdae99c7912231315b991840dfb4ee33412e9c868a7aa8ba03b274f00091b2082a434c9bcf3bdad58df1c37b98a647775932805f77708e84e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5f2320d38621eb541713e6cd421c2b8a\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.ni.dll

Filesize
320KB

MD5
a9eff13b07f34fc9640e8aec9d7c6882

SHA1
c165aff6294543a759f0cbdc552de9adc6aa9f72

SHA256
f05e949ba9b2648872c2ae94c178b3159894b26cd8b1fee3ae96c661cfda62f0

SHA512
a6385c3e9472408f26679fa4a10f260f76f696d6a27e589020dbe9c274bf25a1894d41d078202787a92152824b6fff87006381e1becd4fa31b8a10e8e237112e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

Filesize
1.2MB

MD5
0637ad2bf6fc5ac1d29e547155bc818c

SHA1
a502879466b6dd37eae5881bbb18353f97623852

SHA256
868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f

SHA512
1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8d8cfe3c3809b3acc2c482223ebabb69\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
b96a072e376b9e1bd0fc51396833a769

SHA1
ffc51771d22ab9c9caac5380d584c5ffd0a29198

SHA256
70477b4d7e787f5386402d4e091a223f4c9d678b53e4c29c20258cc6f66c9d5e

SHA512
4eaa6c0bdcf7b02b3d9ab1f0266087d6ae92c2f0377a6f0f0c2c770b2fd065a3c0435d725298bc6a941efa62fa79dc89b8edd125c737f3d0acfdbfc5c538b1ee

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a05ee2388c8a28fb3ac98ec65148e455\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

Filesize
65KB

MD5
da9f9a01a99bd98104b19a95eeef256c

SHA1
272071d5bbc0c234bc2f63dfcd5a90f83079bbab

SHA256
b06632dff444204f6e76b16198c31ab706ea52270d5e3ae81626dc1fc1fb1a4d

SHA512
dcb3273e33b7df02461e81a4f65ae99c0a9ae98188a612ce6d605a058bd2dcb6ddb5b7c78abe1f0a955b7f0c07c323dbfd77a2b6a629a9c87e4ecc1c57e4d81d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b7cf094043c5b0c1a0f4ea1eb5aedc29\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
9fbe4804680687a079e9104e0e5eb12e

SHA1
0ecd894712c34dd62d89a9af6e396d11eaa76042

SHA256
6162e8ffa8848fd018b790ece86d010a588558dcbaa5a13afdf49831cd71e37a

SHA512
e80622c6da0ed34d26ec0022b622ade3bb2d1db28dcfcc086b98d6cd00fc7fd4918130977f4f234aaec0917160feaef5aee78bbfcfe44e78f12701535ae381fb

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b8e029b1434d965380b363483e376df0\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.ni.dll

Filesize
329KB

MD5
eb09a7062a66a50fe2cb16c4a80561a7

SHA1
33b4c71ced7644be9802374a4f04c866394daaca

SHA256
e94a4ad1ef9de2886a231e857c8691328c2e6e344cc9e82440e5c45b8a788256

SHA512
c57a4c626c87032ca422df04ce7c3322662a9b0c6c06a46e93f08ca8f431295c9ae802cd79f53cae5de2b39a30bbeb756c966880e874ed44115cf511cc1ff920

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bb3a3373437b0e52e0fdf35b4eacfd02\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
62d3c08b40c4f90b1c0e8b9f1964c250

SHA1
291791a977eb47fce6405fa28317ae90e519fc73

SHA256
fa9f33e622d34da88f584972bc9153d6e9b58bc3715700e09888fe80cf2cd632

SHA512
cf879b4630728df5aed147be2e351cc1908a36b80c393e1776c07c31bd9a4bf14e597b7af5f4894a04389e804acc677ea1e8d25fc87ba3ff5a9b3692d2c3c51d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bb63c81d306795319eaf7af25f67342a\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.ni.dll

Filesize
141KB

MD5
58cacef7cbc000bb5ddeedc08a598f36

SHA1
f8963d4ac1f7b72c2ee4a0a6d45b921f4f88bab7

SHA256
124a0869df89ec2c9f0b307dd6b6d17e1e1e7ad638e0b4abf4483c15f842d270

SHA512
9cf04e365abcdcfcb9c1f927da83a2dfe0791cccb80cd84ed63b03264d1e253060c455ed8664f35aee0a59e8c172f859ba49c67c9eec811a53e656c076c6bf66

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bf3e8ba642eaf9a5371982f211550c52\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.ni.dll

Filesize
278KB

MD5
d74d434aa70ce827715b5e0ac7eda5be

SHA1
b53f3374be4c96af51c78fd873de1360f17c200f

SHA256
54701cbe719b08b2393b9f4a604c372f9a280b5d3dd520b563d2aea7d69a1496

SHA512
631d09a0ff39ece829f5c23278c2c030e5ff758b285128edb7805682de75b5be1aedd914d2325f79ec98d0103660a39ae1f1a5782f5dad038b143f3774c098df

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
838KB

MD5
d2ec7d2c7d1b64bc21e88915f9fb6a6b

SHA1
cbc0c4fced8069a8b10761fa3d3f2835e1145b3b

SHA256
b29578044edec122024e15545c9ca1ef70af6e987ee81ab446b1c9c13593b4f6

SHA512
c28773d623660baadb021ff7e753bd4514edeafbec4e1666c00aee0609528783e3c0c8d648b2ee4bb201f8832f3fc1fe6986a0e0a2a676ff2344d9714b90fa1b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
279KB

MD5
2ccd80f58ed2831332582da3dad7786a

SHA1
b33357e2674e33cbedb188230d2f32be352ded60

SHA256
24fa8ca59db222b6b9221aed153a5f081a0f99c6cf6cb85bc259e2cf27b2a972

SHA512
b5142f39ed41efebbdb0b0e246015413513ffcb091a2512719ed677cc3f5aeba76c87593aff6b3ab77785b649f4b1672faee962a6318dac89078ee2a01bab53e

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
152KB

MD5
54fd79d86f7a151e0a9ea2442591a0d5

SHA1
be2aaeef819965b6438f87d2f841d29ec4b71051

SHA256
4b0bf9c60ccb5fd07b0f01821a01f5511e26a077153d6a18cf9bc65f38c5ee75

SHA512
d3a48cb25098546a530821a26a821c82bd04118f260e420092247d4abfa0b21add24fa5127f7b6f205d62afb7e6af98e0efdb470978bea7b9a9db49b19f21acc

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1KB

MD5
dc8a35af63c7a5ad0093506e72c84481

SHA1
460da6e6164339d276f0483415448eb921100394

SHA256
1df0d27003ceae5a62897f84bc1ebcc4e4d92f17f4f0740f3a18d17c322f7e12

SHA512
2ef3e84e6cd2f8cbbd478917f9e45c35ecf79896a4905f5509b55edac87e8927616f6a2cde9bb134a783d983c4effe1c008af7c4afeb6e6cae4f58412c014030

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
55KB

MD5
2b8f849bca136d62edb8291eb92b9463

SHA1
40ec99a1ef6ed9034308b9cf69139d23ed5bee7d

SHA256
f6550b34050a2d98f89a538cab7e4e1975d14cd9dd52f3b49818b67e139af095

SHA512
dfa7a94114046042b5babb865d9fed6264e74d2b4b081734e351b831e66064cc47e043f5d15c700f82642d21634e835bc7e6a68744c2edad05a8bd4d95e77f97

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
55KB

MD5
92b89c6d10f8d966b4d621f48be5480f

SHA1
5be1327fcad6d3a00a33f8c374e6842cf684a2fa

SHA256
02a23290d3f9397a74476e0d14438b5ba8a4da8a3575b707c5dc14dec73a5d0b

SHA512
57ecacb32c662c07f4705062613f363faa42829f638fd0eb5950f6a920170c8c2e46373340fbcab7cae1bec50121a4c726d13ddc93cff694ccf51cf80e719ec4

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
22KB

MD5
ae1b8d340a9caa44a4e4336dd7661c7f

SHA1
9c309bda43404e3c27819222d5df8a3dc6d6f11f

SHA256
47d3260071f8af999e0353eb4c3b46632af51310c8c7030534a87425f4ad4c18

SHA512
f56f9f221794818589b444445667ee978015cc83f16e4c1a5bb996dbb10519b56a093c0e5c862e64f4452fb581fcac344de73ccb73a4105205b05b45c5b69d0d

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
439KB

MD5
0725ccf15f8104c5a9e4b2579603d538

SHA1
cc91da2de17e23433f1a11a04734f46f4f97f020

SHA256
d416a46b677c54c666b574b8ac106f4f1c64903affbd1c3c3c734a77cd781098

SHA512
8d18b8255e7e7f4848ba253f291eb8294829689065a00ec55a8046c063c4d8d58e963f7b61c3dc0d1bfd3aaab3dd4097b32f6c57f015832da516e890600dc91f

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
193KB

MD5
9ab91a683a1b616021ff097c9a5177be

SHA1
341c794bb84cf98e0eb4680d2b4543b14d239830

SHA256
27ba3c4809bb15b91a3b5486df24e7eab5273755f0fa471e432b12c8f0633fa9

SHA512
8d0a6fbf23e7e283fd7f963184c7a023997f571edaa5508d10fd8cb9fd859741f9651313be0f17c349077fafb315fd9e06bcef96656be848e69858f3bd3dc702

Download Submit
\Windows\System32\Locator.exe

Filesize
19KB

MD5
aef1e4c32f287959a76a3fe6897b5436

SHA1
726bed3153479c116668a3410fbfb37ed5e7d915

SHA256
dfc189c9fa72ede15d56d8dd769a063ab53ea03902a417fc3165d5f52975d995

SHA512
3e80d0861bad8b25b3bd002c8d62e6c04655f6512dc90f089619b8a92fb69072264f4f927f69ac8b61d537efbe80918cc0bd7ffa449fcaf8c33c9fde444d9438

Download Submit
\Windows\System32\alg.exe

Filesize
271KB

MD5
d957a36e01f38905e551b03239c43a3b

SHA1
93ea6a2bc5b0dc7ccc67bae51b21f19bd0e191fc

SHA256
350a84943254674131b07273aa9415ea1440fb69189564664770963878a5c3ad

SHA512
3e09a077fddaba00038baa563db0fb5f75848ad4a9a9cb064eb0ce046b29dca4ed2cc2e4b73e636c764e296f87306df599813d64583ea2e5061d824c32647dad

Download Submit
\Windows\System32\dllhost.exe

Filesize
6KB

MD5
55c2431937eefb92b5df74fe081e0dc6

SHA1
d120c1a8328f6f360e324b6b3ee26f9c9ad0d0bb

SHA256
a33b9f0bc802fd2a0760839ec721ec88f3761c73f4db7ec52450786945a60fd0

SHA512
7c9da9349cdbde29bc473731947f4e9632ad242ec66c03bb21294f843e01c1b8591d1803d74514cae36beaad05d8efff05af3227d925d92f48c9c339ddf6e68d

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
62KB

MD5
adca67c8e71090a6c8aab51c353588fa

SHA1
443bea009f34ec0244c841d19e367270faba7c68

SHA256
2312f0bf19e265200998d9f9e7dfaa9bc4ae4cde83bfed7332ac12f5ec47c04a

SHA512
f2ac013cb444da4a3838bfbc2abe7331d77ae34c512bc5555c5cd1a44f61d6ba6e2d5dc3310ecba5c01e22e0d80a3d8afdb5d62c24d3d2876a8f558364cb82c9

Download Submit
\Windows\System32\msdtc.exe

Filesize
153KB

MD5
d4e2e66e22f1e33aade5675db04acba0

SHA1
b63b17061ca9c10c31caa7a26b88ae94f7b658d9

SHA256
0f20265e31e0e116d2e03d5cee4cbba55866ea13c3a65b684e9a1d8fea048c54

SHA512
9ddb67589e73cb53e840c4c918f3b3e6ddeed4884c008e4e3cf1a1850aca8ee8013b5ce16f7e60aaa52bb1be05ef77044c19061c978fc0f251381160fb04ba2d

Download Submit
\Windows\System32\msiexec.exe

Filesize
281KB

MD5
b155549e7a6f436e89adffc93b607916

SHA1
f23dff1044c8bec679c7072452ee4f5297257ca4

SHA256
26253c2b3ef1d6f916c338c5bca890ca2f09167676988a434712be5aceec80fb

SHA512
2374a516aeb68303d2a41c6247ed67ca3c40e301175de9eda23652449e51ae07b16583fb3dd3d5c423caa5c2331b366985ad4b8b0714f06ba1494e30db2e0730

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.6MB

MD5
96434c411881df70050ac34e80dddfda

SHA1
8251ec2fc10cbf61780255c2e3e7a0ca66698179

SHA256
5e676b9b030cd6af48700025723e0fe0150da389b8beb950b86751224445973f

SHA512
e3a551fd3fc668aabf9b490be17b1fdc35136a10bbb4917424c0294ca4473dce357f3c9567fa854dfd2a281afaf5ecd62305051f643d13a831ab880ba47cb189

Download Submit
\Windows\System32\snmptrap.exe

Filesize
51KB

MD5
7feb1ebb3eca8c9dfd74c4eddf30ef98

SHA1
d4790e30865be6bb638b90b089fb47ddac26b88b

SHA256
067149dfc1c1c34df6507757c2badf648f024ac6bec6cefd39886f19e9726046

SHA512
871ab5f421389eb401479914fa4c572dcd1428507849276cc13e174aabeb624dc65443c6c46c2b4f50e193a859d1e6d0e87b6424611c89ef4b78e6c6a8bd7aed

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
32KB

MD5
ad46749246026975b7db9a1c7c39dbc2

SHA1
9f111c8a827e3a3cb631f787985a13b5fce12f99

SHA256
ccdc78faefa8a7a0f6d92dddb2565f3d2be6484ea147d9b3a7586dc1aa0d5b9b

SHA512
6d96351c3768ca72d1fd088c1b2751ed91552c23959518eab9c2647b9531e8884ffdeca878db1f5e8b2a5538755c937c238570a7ef89e6e9024b54f77468c47b

Download Submit
\Windows\System32\wbengine.exe

Filesize
659KB

MD5
e8f8402f1f32cde245753305e06df847

SHA1
1b4323f5aaea62c875b89f64581d40beb4ec245e

SHA256
cc6c63441abe1bbd6e56d3a6063a98b255910605c9b686d1020c86d018615cba

SHA512
9c4952ebe098ef97f9ad5647523177c479694c47b19d340d7bae217bcd7b511e57978988d85f131bc5170daf25ac1b0160ff771623c0b304613bdc0c644c99ce

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
244KB

MD5
4d04bc308f28552d90ccc48f909e894d

SHA1
d54c6230ff4f748519e70c3ca0a8f6035f59a003

SHA256
1aaf4a000ba86fda08322dea6e8bb278ad5737b419f698c24f1ef4cecc638e14

SHA512
5359ccea854fe938ef60ae0f06ed47c1a9b59cd0b747f9db4a4abc93a1e5a3fb04cc42db85cc4b307a5ff5ec60a3d9e97eaec4fcf0521bb70f49c3b8694e2b40

Download Submit
\Windows\ehome\ehsched.exe

Filesize
124KB

MD5
e56534b48be0d605315285efba327c36

SHA1
9ae81b9a13d3c04b2e467ca12225f875cf8f292a

SHA256
642409fe87543375c4c608bb069e1cec032811cf32a74633287a90c4d2742d16

SHA512
7aad683eeba0e8c67b963ee032741a63b77bf2c5ece964b16898abf671b5d1a88aae6b8bda68480e63f41ef1f4c99245eeaf1a0bf324dee071a311bb3e472699

Download Submit
memory/576-142-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/576-200-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/576-150-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/576-149-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/780-359-0x0000000100000000-0x00000001001F5000-memory.dmp

Filesize
2.0MB

Download
memory/832-189-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/832-191-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/832-265-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/832-196-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/956-215-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/956-216-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/1160-212-0x0000000000CF0000-0x0000000000D70000-memory.dmp

Filesize
512KB

Download
memory/1160-235-0x0000000000CF0000-0x0000000000D70000-memory.dmp

Filesize
512KB

Download
memory/1160-214-0x000007FEF44A0000-0x000007FEF4E3D000-memory.dmp

Filesize
9.6MB

Download
memory/1160-309-0x0000000000CF0000-0x0000000000D70000-memory.dmp

Filesize
512KB

Download
memory/1160-271-0x000007FEF44A0000-0x000007FEF4E3D000-memory.dmp

Filesize
9.6MB

Download
memory/1160-211-0x000007FEF44A0000-0x000007FEF4E3D000-memory.dmp

Filesize
9.6MB

Download
memory/1160-279-0x0000000000CF0000-0x0000000000D70000-memory.dmp

Filesize
512KB

Download
memory/1160-281-0x000007FEF44A0000-0x000007FEF4E3D000-memory.dmp

Filesize
9.6MB

Download
memory/1296-325-0x0000000000170000-0x00000000001D7000-memory.dmp

Filesize
412KB

Download
memory/1296-317-0x0000000001000000-0x0000000001176000-memory.dmp

Filesize
1.5MB

Download
memory/1516-311-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1516-305-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1516-310-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/1516-314-0x0000000073FD8000-0x0000000073FED000-memory.dmp

Filesize
84KB

Download
memory/1516-357-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1616-295-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1616-226-0x00000000003B0000-0x0000000000417000-memory.dmp

Filesize
412KB

Download
memory/1616-223-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1620-119-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/1820-346-0x0000000100000000-0x0000000100176000-memory.dmp

Filesize
1.5MB

Download
memory/1820-353-0x0000000000150000-0x00000000001B0000-memory.dmp

Filesize
384KB

Download
memory/1852-289-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download
memory/1852-296-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/1852-344-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download
memory/2004-13-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2004-164-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2004-18-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2004-57-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2012-173-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2012-183-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2012-178-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2012-241-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2016-339-0x0000000000150000-0x00000000001B0000-memory.dmp

Filesize
384KB

Download
memory/2016-336-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2272-242-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/2272-248-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/2272-233-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/2272-247-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/2468-148-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2468-0-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/2468-6-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/2468-7-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/2468-3-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2524-185-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2524-166-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2524-177-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/2524-175-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2524-218-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2524-159-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2524-168-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2612-176-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2612-95-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2712-273-0x0000000000580000-0x0000000000713000-memory.dmp

Filesize
1.6MB

Download
memory/2712-266-0x0000000100000000-0x0000000100193000-memory.dmp

Filesize
1.6MB

Download
memory/2712-334-0x0000000000580000-0x0000000000713000-memory.dmp

Filesize
1.6MB

Download
memory/2712-282-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/2712-323-0x0000000100000000-0x0000000100193000-memory.dmp

Filesize
1.6MB

Download
memory/2732-125-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2732-198-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2732-126-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2732-131-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2756-253-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/2756-313-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/2756-260-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3004-99-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/3004-116-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/3004-105-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/3004-98-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download