8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
Size

1.8MB
MD5

c6e1ff5aa4bb1cb761d74da3a3989136
SHA1

9c460bab68e81fe8885ddcc7c5a2e86743c183e6
SHA256

8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867
SHA512

89c7ea9b16f5c29ced26e2d2357ee704ebe5a131b61b1d011d4edb431d3f9e4ca5756e5959a9a2e88e0b40fd1a90b6b6a83c78da427ad2ac13d71e4296074ec1
SSDEEP

49152:IKJ0WR7AFPyyiSruXKpk3WFDL9zxnS5ZDH40ZjLS8:IKlBAFPydSS6W6X9ln4DHrz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 9 IoCs

pid	Process
476	Process not Found
2080	alg.exe
1724	aspnet_state.exe
2852	mscorsvw.exe
1564	mscorsvw.exe
1620	mscorsvw.exe
2444	mscorsvw.exe
3036	ehRecvr.exe
2020	ehsched.exe

Loads dropped DLL 4 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File opened for modification	C:\Windows\System32\alg.exe	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1698a9b48a0c1054.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_es.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\GoogleCrashHandler64.exe	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_cs.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_te.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_bn.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_ta.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_iw.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_lt.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_sv.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_sw.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_ar.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_it.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_hu.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_pt-PT.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_sl.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_zh-TW.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_bg.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_ca.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT2463.tmp	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_hr.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\psuser.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_el.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_fi.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_sk.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_th.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_zh-CN.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\GoogleUpdate.exe	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\GoogleCrashHandler.exe	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\GoogleUpdateSetup.exe	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_is.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_ml.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_ro.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\GoogleUpdateBroker.exe	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\GoogleUpdateComRegisterShell64.exe	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_sr.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_ur.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_de.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_fr.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_nl.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_id.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_ja.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_no.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_vi.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdate.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\GoogleUpdateOnDemand.exe	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_ru.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_tr.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_uk.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\GoogleUpdateSetup.exe	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_fa.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_kn.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_fil.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_pt-BR.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_en.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_en-GB.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_lv.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_am.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_da.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_ko.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_ms.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\GoogleUpdateCore.exe	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_hi.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\psuser_64.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2462.tmp\goopdateres_et.dll	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2296	8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
Token: SeShutdownPrivilege	1620	mscorsvw.exe
Token: SeShutdownPrivilege	2444	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe
"C:\Users\Admin\AppData\Local\Temp\8fd070168d5ac67741f1e1367be59b32ea743e93da77601ad59bc66a70f11867.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  PID:1040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 230 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 248 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  PID:2384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 23c -NGENProcess 230 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 250 -NGENProcess 25c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 258 -NGENProcess 1d0 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 230 -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:1376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 268 -NGENProcess 250 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:1860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 268 -NGENProcess 230 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 274 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 250 -NGENProcess 278 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:1296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 230 -NGENProcess 27c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 280 -NGENProcess 278 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:2996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 280 -NGENProcess 230 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 280 -NGENProcess 284 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 290 -NGENProcess 230 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:1860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 1dc -NGENProcess 298 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1dc -NGENProcess 294 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  PID:268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1dc -NGENProcess 268 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1dc -NGENProcess 274 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1dc -NGENProcess 27c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 1dc -NGENProcess 284 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1dc -NGENProcess 290 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:2284

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  PID:1540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  PID:484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1e0 -NGENProcess 204 -Pipe 1b8 -Comment "NGen Worker Process"
  2⤵
  PID:2292
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 25c -NGENProcess 240 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:2204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 264 -NGENProcess 24c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:1048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 264 -NGENProcess 25c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:2744
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 244 -NGENProcess 270 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:3028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 270 -NGENProcess 24c -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  PID:2560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 264 -NGENProcess 27c -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  PID:628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 280 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:2556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 274 -NGENProcess 278 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:1704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 264 -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:1504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 25c -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 28c -NGENProcess 278 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:1892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 28c -NGENProcess 25c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:2212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 270 -NGENProcess 29c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:1512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2a0 -NGENProcess 270 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 27c -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  PID:1728
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 278 -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 270 -NGENProcess 2a4 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  PID:2392
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 270 -NGENProcess 254 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 29c -NGENProcess 2ac -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:2332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 29c -NGENProcess 2a0 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:1696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2b0 -NGENProcess 2a0 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:2516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2b0 -NGENProcess 2ac -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:2736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 2bc -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:1960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 25c -NGENProcess 248 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:2604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2b8 -NGENProcess 2c4 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:1908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2b8 -NGENProcess 2a4 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:2400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2c0 -NGENProcess 2cc -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2c0 -NGENProcess 2a8 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:2560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 29c -NGENProcess 2d4 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:2572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 29c -NGENProcess 2a0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:2916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2a0 -NGENProcess 29c -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:1468
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 25c -NGENProcess 2e8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:2000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2ec -NGENProcess 29c -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2d8 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2180
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2f4 -NGENProcess 2c4 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:876
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2ec -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2ec -NGENProcess 2dc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:1844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2d8 -NGENProcess 1a4 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2744
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 1f0 -NGENProcess 2d0 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  PID:2068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 29c -NGENProcess 300 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2e4 -NGENProcess 2f4 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 364 -NGENProcess 35c -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:1540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 29c -NGENProcess 368 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 29c -NGENProcess 350 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2192
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 370 -NGENProcess 29c -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 370 -NGENProcess 368 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2ec -NGENProcess 374 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 2ec -NGENProcess 2f4 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 2ec -NGENProcess 350 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:1876
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 2ec -NGENProcess 364 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:1696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 364 -NGENProcess 380 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 364 -NGENProcess 2ec -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 350 -NGENProcess 38c -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 350 -NGENProcess 29c -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 388 -NGENProcess 394 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 388 -NGENProcess 378 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:2020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 390 -NGENProcess 39c -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:1500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 390 -NGENProcess 37c -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2440
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 39c -NGENProcess 364 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 39c -NGENProcess 37c -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:1644

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1564

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2852

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2020

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1724

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
PID:2380

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2908

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
PID:2928

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
PID:960

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
PID:2952

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:2036

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:1908

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:2500

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:1992

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
101KB

MD5
69f01c064f9899567b22f05243c8b39c

SHA1
654229bf8c2353d66ba66ecc6a0bf80031241c92

SHA256
5f62a8b7a3cf8ceb1c8f78ba41d627114c999b46fb8703c9506a95e8385c0ef8

SHA512
704e7dbee2bce22ab9a9183fd251c9fa38cc84b59a4366eca0b34831b08672ee7a5319d6b4917ba02fd5b7e36ba599dcd80209fe0cc89b08ec405eb06ba0ac55

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
89KB

MD5
dd6228e124a0d948b0e9928ff873107e

SHA1
d935143ef12113503f337bd71371464defa529d5

SHA256
b02612d62f6e6d7ef54618a6fdb23a35417a26894d647ee646bc1ff87a3585da

SHA512
80c5560098eb847440bc91cb147ea1977690abaf53880276de79d8d9df539dd7c1a507a2fc312d66d0b95330202bb7931ad03d24d9cbba9b496450878a2e1fdd

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
59KB

MD5
59d6b992e768d6c89470b22348cfa72e

SHA1
ed4ece183835f1c98245fa74c8f8cdd99a9c88dc

SHA256
fa5da1cb39d50dd377ee425a39297d047bc90731816dd8931fef0424ee735a7f

SHA512
bf48890f75cb2024f5bd36c835b2ba3b1d9e83017b2fad26f5b93546632ceaa883c6eef7cc3cfe11bab5342b708c116b0599a2d89596b2fbf156f24ef076e8f5

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
113KB

MD5
ecfdfeede90d0b044175dbb76effad87

SHA1
a82b8bed7b53d470049d7d2ec972512b14479803

SHA256
9ee163c2a50b8bf1e1b0bcc6e905a0c27c6648eb05f08dfe8e296e01aad1c251

SHA512
e9a1e75fde19cfd02b3fdde9c5c34a4620c62fe2d1c3f825cb4e99925d20913d748650fe8aad1f9dd6af4ec4361bb1189015264a8c20f7b2ba2ed21e71e526c2

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
2KB

MD5
e433c2118b23260c88bcac90cf74bd5d

SHA1
1e3802e880b0a5b9d05459598987d43330d7c3c4

SHA256
40cfdd0a3c9f7f1bb7af4e0f8405df3f12754116aa6305a421f66fa0e4626d60

SHA512
b78e0f959a2f052213c8a91cab77814ace6f15bfc2939c7da36cc4f13bc45bd2d3c3b9c2c4ab58ebb70ed72b0974cab63a09a73392652a88e3f81d1a63da6661

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
46KB

MD5
f646d12bf8b7ce59f576fcd7f1ab7e63

SHA1
8bd22c91338e510a0b36d2d0c490a9e11e35c74b

SHA256
40bcc4f680ad0f8b924e50615b1e743db18eb238b2b1fa402ab4936f77db7a06

SHA512
b6505e7532610af859e615f7e9922c6d75b33eb4f3d754113765eddbec883fbe4a2e0d9c920e8f2aa86863a26749f19b55d389fc3c94eebe9145f36edda985b1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
61KB

MD5
c5c2eb0ffb0aeb8c051583e9a9737a86

SHA1
82f7cb6947280035098a959f92bbe37a6ef46a1a

SHA256
7e6f4d4360c801b2ccf26334b6e0e71447c8b243bbc0c391d717086629c300be

SHA512
70e35c5b8d074e5f130851feb40763d13ed7a903b7842e01463123a2ce69f361fe047a5f000a8b8c606ea6c72f2f474542bcc33bab3b8c487ec18c7747afa92f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
31KB

MD5
f14e3b75eca896b5c50e9f6642a23031

SHA1
4774b11672d57e7d88dfca3db436a4b0fab115b2

SHA256
a566ac449f0f3bfda37708399c17c7e7528d9bb724894048eda69d3dc3b325dd

SHA512
c5cfeccf6cbf60a9655290dffbbf93250f54bf3e9cec82541597b732f9cb50328a4a33d81c25351a17468e98ac9304a68959e62f42d18355610d69a9e02a49c6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
75KB

MD5
26a93d579c5d817fbb08b608f1b14430

SHA1
d52f390a429b9bbce1ee31cb6c55178249e4b60f

SHA256
94eccd4de12cb1ba65c2b9176c1763ebe1cc1a711a5a076362b2cacb17e31a14

SHA512
cb2605461c45d33521481a0ab93d0b7c301e495576ad0b5c3a48841947ca4defda2fc9738972c0bc26964a6891e7677ddc989faa7cc64538c76d0a45f1f35601

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
22KB

MD5
df1c520f0ff36ed11eb07d3ccadc435c

SHA1
0e37639ff40af54e59d95a2b681a0a6c6e6ec035

SHA256
f2c6767a07aa732e2b4ff839f87264abce93a107351ae45e6166576f301e5347

SHA512
35ab653192136893a7a33164f72c3dc02586b9e998806a079ee605c305f676cec9ec980b86e0f87a755a4763b8d602b87a14365a9b94436fc84aad286457f15e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
44KB

MD5
e86c141f16b34172f2f72af24d6a2b99

SHA1
5f428747ecead7de9de9adda9d506f227f48ee05

SHA256
6b0c98d86dbb29b8f6dd9464ff87acb0d71246a06f595ff2e6ccd70c86bf1533

SHA512
0b7365059aff7914df74028c74eb3eb9c10ac60e912bf52a039492718697c41af7a04044fd3fcffd7cdce5ca4e1bb616321549e615e67782b1158016c03c1066

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
25KB

MD5
2b9960670f97e27a42964e8fde428092

SHA1
5f4120d1c8dc5a0746f76b65f701d6c921cc5a54

SHA256
b5e0a203b0b51d723c3718efa712f8d5764a21da5f921cbb807673bfccdca83d

SHA512
249eecff73f0ae233200dbe4c4bf26f7ea397c989ac4136a77779be25ceaedd14985980629d1442a3647d9da5824bdf693fbf51194f8633b3e4dd99a97fd339c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
39KB

MD5
644e10f242944ca9f7c76d15cb835d35

SHA1
dd2f41d068b3b59d01e2dfd96de475dba8fa1aa8

SHA256
1f6b1470935a9a6de296f2d7ec5606dd2fee90baff287354fe05a325ae94dc37

SHA512
e51cebe8f19d1a27f519e19320996295cb2facc0c994c7c54b34a2e6f6cdbdc0f0be1a1dc0202cd6b702ceacd58f40eb23438a0f34bd2988a8b1ec0d68c04b29

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
74KB

MD5
79ef9f12e393d5a90aec41e7ca126573

SHA1
b47fd57440215408a4109eb4934e8e6d2a4f1342

SHA256
952687f4f133a5db1a784ac874aaf9c9cbd988e27b849915db7694697f481999

SHA512
dda9b45ad51297a662aaa85a1fdd692310489f22fe6c273e467de8458f398ef68b6e4a10a0fdb348f4d160f4f7c1928bcd037f75cae5873ca5600a4c0082d422

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
21KB

MD5
04c64f79c846c866e76528cefc39fe69

SHA1
81410eb1ed4a4295b5b915af2a3086f10f89134c

SHA256
690c8bc85f45b196eccfbbf027a02f49d2c2e143b224521b18587e8cd9074b05

SHA512
69d3266fc852b0d7e42a73130c16354de8cc91161c68e335e66eae8fc0a16fbae4d4dcbfc412ac5c46e066af37a143a880d58306ac25b7044145d3d224609c0c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
51KB

MD5
bbe778c2c3a5a2b368f9fe06d5dfc976

SHA1
1bb94a6a9628c62a93a1a0983c0e874b9add2f58

SHA256
4d203b281adce7d5134c3a2d330103ef6c982c63f030bc379e5d7144ee8e5e88

SHA512
aed8aa86366d0a821c7b68bf9b2b69b095cd6947f20b8317729456ef63adaf07fa6b0d3e914ca640844f4459f2c50e9afebd1fb7c046570de9c68ea726b5ed17

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
25KB

MD5
d5f8ab91af313e766fbd3d7c2572dbc4

SHA1
716618775e21a0d219894e70d592b0f7dd8f72ca

SHA256
83951a79bb82b69d14d5da94053b26e581dd290f10ed8228d9a949c5179ed84a

SHA512
3deb73f5d29fe7ff797123817a202835be43af2350b174168ffb58c767db98b127ce91aa09a6a5a7a718df6ef0a30c40b12e2dd05ac74a73797ceae3998d77da

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
45KB

MD5
fb77756575c42a783ccc23c7d570806f

SHA1
c5b575574718251b5ad3c6b59cc031b91fba7c2d

SHA256
ffbd5d48b6e4df368a6c58dd32316a7762cab1268820ec4bd14406dfeabcc34b

SHA512
2e4bb8e36ed6d9b6babf3713988f54d0e8329d177b77c6deba91916d6588b552de15f883d619d18ba7698853cd20f6b23bfaf6f0b7edcfbb7f05cb63e58a08fa

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
50KB

MD5
82f219cd65f9e2dbf14a630df534028f

SHA1
b8c2e2e1d80fdc5e85341e4fc0c9fa2199867ed3

SHA256
bdb159480b117457e32f0c8ccd4c69d3eb53034ac1a3bafbc5037188b4df0329

SHA512
5b0149edf13c3f0644bf58179b0fcd73bff0a460d662959fc989568fadee5b598d4f8d9e2619dd5a3ec6f7ceb9fdd1950771e2268950d345f7e0a2e9dc755bca

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1KB

MD5
d7f9c8fe66a1a6dc1529d16fee3f70b2

SHA1
19ab1266c81f41cb59539fa90550f10fe119b741

SHA256
7584a586ddeb3ffd881cbbb2609e906b0a272042328db9ca0a8fea7bc1a9e283

SHA512
2030605471639a19f08a15ed4b774f90d7eb77c19a6ffbbcd24df0901e3ad4fff2a7cba9cf79aae799cd74407c9b63071237bb1e7da3194e0774195fc50ec95f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
b2329e3e763f840d1b19c3b056f96254

SHA1
f9890443f53c6118730222bffcfc9d9a16ce0a42

SHA256
6746b5a37be8f9bd24323cd6b5f76490db0b173c991771c1568c1ce9ca5fa404

SHA512
f716304ca88de5d6f231c97a36f2f6555fc1fb66abd803890b5cd5fdc0c75446879b6ab288862ebcc0b29783e806750b653bc5b01d44c38aed8b7ab34341e3d6

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
34KB

MD5
fb60cb63b8c7152e0c8e8f4624696683

SHA1
2371f524f75a2a9fc9edc04d27450a9ea6d7f0fc

SHA256
3371fdda8b2484f07e858af0b3ebb282232957bf7921db6025aaa32bdba6cd20

SHA512
92fea5fc3e1df0c747878ea53d148eaa1f73a3a4ba440c2140cdefb6b424e22476dc38765c3315db959fe5f0431397ff3922a8830e03a2223a2e71dfe917534e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
68KB

MD5
8f4c495703febf3a2a81f7a0935c549d

SHA1
8a991cce430990cf172c39801d1b95a8b5c404a7

SHA256
053b4e010b7822e561e7c67ed47661f875e0342c68dcba7865ce6817b4efe05a

SHA512
ed5f9721887e7570df410a42dc3bf8b09b6d114916cdffa8df4a71d47e8051ab209593202767fe91b1fbf017373be60fb1ccd663d01b43071346b03c05aeb7bc

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
116KB

MD5
5f6b24aeea14caf2c01cd3cf8685bf5c

SHA1
a5d49dac2e4f33422ce4b3446ec6b6e0abec510c

SHA256
1551506b8cea3c2258b8fd1a645cde667b412a36cc468132b49884ac09881430

SHA512
f33d86a419a0bfbeb83206d859f0eb543b692e124d1acf316b5db65e1ef3ea18e1c932e14ae4203b72f16144935b94aff468507065a4361770ca82e07ba60149

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
60KB

MD5
01c8a546fe906b2dbe9c49de61c68413

SHA1
a4424e3f128420a250ea3fbc7cabb129bd26f4bc

SHA256
92012ed23bd6bdd89357ad53304525dd766265a88f3ff57268c55db01441a800

SHA512
2ebf1d57256ae0f92c08e993cf53f1aa1430f483212d711796df6a7caef5a3775103a51ca43e04806aa79807611d28d84b60158bca101e8e667992793c60a919

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
155KB

MD5
1d399f42bc826826f3d2dfd71745b44b

SHA1
5d039b011af85d61f48bd188e85d619ff16d4b3f

SHA256
848005cd202bb9f01a4fb5e2b67453d7ecc8c7be8668140779914ea1cfb1ade3

SHA512
5eaf2378b62e9f35c082db54189e6238ca69f8b13ad209aa477cb4a8322807a4790e9e507fb59f40f08061983f49afee1629cd052058d3311b8d1c5df1cd3908

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1KB

MD5
65e7cecb4b32d8754daf9b7794dac3b5

SHA1
49c79f9362c7e885b43489b7eed24af61f730085

SHA256
034dccd539cdbcaa0b37e4035ea66dba491f2af9ce404550e622a322ebd39485

SHA512
2988774fc3190f20f2c12edf685eaef468b5d4a160c210fe60403b9180330931652b277c8db78541249d1d8d83b7dd363903d89d6aa6ae31f1410963d84e500b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
18KB

MD5
69e61ec4d1c77ef56dbd0f240666489d

SHA1
da87af96a4b4d6e60688009d76a55a711f84d5a0

SHA256
a8c47fbf959d140542048e69a0db3fc016ed70f452460749b04c1fe655e3339e

SHA512
9628bce6ee4380961809725c8da632d780b821b25343ece3176c01398d44ad3792947a621028615320d849b6f890acd3e4e5c0d588c0dac3704c2a7e92354d40

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
44KB

MD5
27e6612a91848cea3d05e59606a7bd69

SHA1
70913ce7b3fc8b20117e05066a3b83216b96a542

SHA256
27412d344bd269cd4196d3708d3befd2b57f030a22851fd999272c8b28cdf0dd

SHA512
cc17405e259efd32a5d37a5f08e9ce52e68a4c16d9b9cf8add903a86ef8b617c7527f1db48c647150fb82a3634fbdac630c4f4b7105fbd64d274910be2b7ab4f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
24KB

MD5
8eb66a07d78cb8bb75911e8ae8d75aeb

SHA1
daff4394564b75fa857150b581a558ebf81d1349

SHA256
5e6412393a7f7e8f428e1361d164d07fef1ac5d846d1c334ff56fd9e7814f850

SHA512
e6ead98006254a67919bbf49338073614d68da150a263232fe701e765fbfa3050764d1fbe3027ea4e418656a43c8c8dac3c2d2385b7f29c1429e5bd3732f0041

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
9KB

MD5
c6531858bc53d1b9c6949a0055b19e33

SHA1
3211360cb0091e6d3ec4c7940d6dab2a9dfbc18b

SHA256
d77276f0013d6d49cbf9636630add1ad88b3ed61d1dd48b6ff848275e3c74b83

SHA512
76719a96359895f1334c8afac2472b3360e784c546d28997537bca164a639ac0e221ce6f28c0538e1cf22334a96fa5fe88d6c7929694b74d5e556cdd01bb780d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
4KB

MD5
7e2229be756595b1c61998d48d524cbd

SHA1
8cfb8b02ca80cee057df5a506428ff48fb34f5d1

SHA256
a5df12c54e28c3ecb4f993f83ab5cea894b327dbfc69ec093dbd44c5b80fc4f7

SHA512
fe2772ed8dec5612d584ca0c48e1fb0f12b93df87c1bb8cdc75181db7267b1141d1d06436394f4bb6c601350067eb0e1976d2f2b26822d8ce0e408589efa87ed

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
17KB

MD5
25fe0571c36c0abd7d829c0cd0f0466f

SHA1
90ca349bd9f755e4a7ec89e62bc15a5f81a241c3

SHA256
0e4878c734d09ab8ddb10d865d4525fe70dfee4393bd5d473b24c882f7d29707

SHA512
fe1ba88d81374da659742182ef2f279980117cb019b09836d2da3b3dcb540b8f22fab6689f584683e6ba8664a9ae6f68d506f0c4a0fb0c945fc0c95def6c7fd4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
15KB

MD5
4481ede19b294fd71cad373a7999f45d

SHA1
2d06c465f76d2631608b2487eaa597d050404bba

SHA256
241fcfbe6bb2d166dc313c1eec5042e71306737431d9284ba6b0bedf4a2e1c02

SHA512
40a064168cbdec2e57265e5f77499c820e0881cf2375e4e970a1bd2f17b3ac1a90391d8d8d334f68554bc7a0eb14d159a45f11effd68a1c94ab4e90f4d4310c1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
29KB

MD5
3a2672caf6709f5f595b69a58e52a0c3

SHA1
6e5a36eda3c75f00a655336a08591dde1c21aced

SHA256
0036aa8f10701473871844913f1c97c2321263469ee204c005f16b22e2a0b16c

SHA512
35227790a7ea0aa2d9e1ab52394556ef3bf5bcf9bb14f6117868f3e0f89a7c6e5177e9a679dc84a4f8f46bf21282f76355dd9a1f8ca8e4eff1745e1be1f0139d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
41KB

MD5
2d074777c260df7b1e910dd0e2eaa1de

SHA1
5bbb127029872de3a8252d45a31d087f8f6ed4d3

SHA256
6c8a40aed3aaebeb6615aef3c03a8db7f2a101051a6aabf4c72bbf288fcae2b2

SHA512
d7cf7baeef172809bcb3a3deb5f52e5be57614de5255e93c537f3d2906159bfb36ebecaf836d1694c69535105cbed49c1ffcc32bfb9e4d00b5c47277b7e1646b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
12KB

MD5
d5191c19031877503892d1c41c47a7fb

SHA1
26e831f5d41ae6f14d8f78335272192e32f7d2ff

SHA256
e73f50b4f33ea8330b2e383aa0db702c01aa014fc5457cd97b99a9a658b040a7

SHA512
2e6cd5c48d1a676567d38346d101c520e2c8dabe8b4ab4f93789979a1c63d5ae634016caac5c4c9e44ad7c5c3caf8a7b11f8a96b41508599b5648e3e8a0fd16e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
24KB

MD5
fe3b7b09a74ad76c6b06b0446da59868

SHA1
9b62d66815fd17d876b272596b14ccc01f37c78a

SHA256
1165e68d4e1f0240eaf16e482a0fed888f4145ac2b0d9d25be9a2647b53c6277

SHA512
c98b172eb907bf76f238067ec08c288451067adb0d10e4366ea3a714610f467b3df462ed30ad459587bea4d32dc1bef0556d84eedeb9485c24b2c9a1539b781e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
6KB

MD5
72d03bf550e1f83cb72b61b77d21994c

SHA1
909cb0014729cbabeceb2f7188c7bb666e064600

SHA256
ecfc177fe62ae5fe07c52d6aa18e901821bb96f21bad75e9d437291926cad8ea

SHA512
0bf53374e980f1bc55e66e9803e5009b2171f185a847e8a4f16a72fa0df0f6ac02d65862b21ff314867a4ea043e18b38d2f16ee7b759aa2c2ed928fade3f209f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
16KB

MD5
08433964c189524149f8293b563089f9

SHA1
4fb323c25657a33159c3c0961a434add5efbf8ef

SHA256
f03e7007b68fc1025c18869d78f80b7c0dfb39384fdf5d0784651368b2217fe3

SHA512
5159ac66371834e8f567d9b0e57795e83d8a9a72b428d917c0e4ddd1cd3c99ce3489d738f174832316625d6579ec11eb970d7fb3e9fb99f9e3d2285baea68209

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
71KB

MD5
c8a264ae7e512d04d49cada32eed4e01

SHA1
a2ab6ada2cdc1e70ef699b0d3d65ffd8c14db6c0

SHA256
19b6ab7948ef27dc28d17d460bd4b4b1aff06c24a504091eb2645c76090023b5

SHA512
2ad3000ed78520d739025c16a69146d3986c052590a16f72b462ebbc2764d10dd01219ab636d460edded382b2cf13b2646f815e680d142b86a17f7f126794364

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
20KB

MD5
b7f32805b723fd1e711b7435d60944ab

SHA1
8c1632f775ed7068148f598c36406d00aa18df25

SHA256
2a150fddecd08788002894ba43abf8a02274172b017613c9a81228c588bf2df4

SHA512
9393fc863d1df821b44a0ecfcb8dda686de6c98648396f55245b5d21edce29d47d5ece31145d5b16b074fe9ba9462b41dd723fecd20497f207dc880e585a4b94

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
144KB

MD5
eb3226c8054d2435acf708b5cc157906

SHA1
1d161c70ec596b66b332b35f192cff991e96a54b

SHA256
237ff1dc41c034b2c6aa4def7a0cc81489138a8d0b57636f81fe6eef37a71367

SHA512
53c17e77a26de369ad122d52ea2abc841a14ca7a0050e95e70ac93e663d9ed79badd6ebc533d76f76a48dbd62d8e729488df9f6c8b337af2cbbb15161f294d7f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
10KB

MD5
0b5d08e0537d99addc9a791afba0a96e

SHA1
67126125f2e878ba3a895873ca1b959af518aa11

SHA256
ef02bbc2a349c2541157fbb43cea3493e880a14a38b14ee1d87b9b151f9d2f3b

SHA512
ce98843f4b4a8415222e0b0c38c56bfd6f705939addc42e40b1de3a7e3879aff7bf53ad64e587310d639d9b4792b73016d18a277d56296f4f4ba75e3a5840b0c

Download Submit
C:\Windows\System32\alg.exe

Filesize
62KB

MD5
91bcdcbceda970b85f675250a0574eca

SHA1
a00f6af58e81b2d4e7ccefafdc07db6f9dbe5094

SHA256
1db27c963e75ece26c51a043f0a75d5430603550fdee9923ad272235ecc7dbfe

SHA512
8740c2f33424cfcfa5bef029e982e5acdc0452d4462aec7695bb43c6c3dad85cd95b4b34e5a8fb22ec29148c8984cf5c5e8f5f8813d03a7f95e9bc80620861ba

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
31KB

MD5
0cba9f8c5bd95fbd38833e893a4e68ff

SHA1
5f56850476647182ba1b603d5154fe87a1876bf5

SHA256
32135f5c7cf86392a2fa9185a8af3490ddf4459c2c37fe00cde2c1c3ca3c6573

SHA512
02419bda180110fe990aab7d83a5060c9b81954b08da71b71db58220bec040e02cfa53b54d425374d827ff9931bc858b6c9e52b9da6eadcf3bbacfdef98e76f2

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
46KB

MD5
f7f27ff9ad016c4ae7433d18b6c1b3b4

SHA1
1d066b27ddce4e1e70a08aadcddfe13653784e34

SHA256
1cccdeb65619b6e798f757fd5b7926acec221459fca00a2508759c2024d166ca

SHA512
3be31e48a467b7891eaad90937b8f704558cf629f191cfed095490a1a7b335f33165858d87c86dea72b3e6bccbee32fa6fa8f6801e9e2fa08527879e3d344285

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
44KB

MD5
cb315280e5cd6aad845f5026c3bb7827

SHA1
aa7fdd3590d553301ed362e4ba37ce1ac07c305a

SHA256
d5f7bfc54d23cee2800ee8112a4c53df86f2dcf171fe190659a6996be64fcb7c

SHA512
76f17bbcac5428bca1f8dcda0b9a861e0066f464551018ec0dd1f71eb93e2352b4b1a5c676ad1a53676d9c1d2ae75168f2733b8f20c20566053e5884338b49d6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
61KB

MD5
a258903cb3fbbdd357e46f8418402373

SHA1
82df49010578b6476c9912458a45bb41e41384a9

SHA256
fb22c4f3bca28520b9240bdcae51a5877fc417866702694e39c7a089dd56210f

SHA512
245ba6fa88eb481a2bb18d1dc42a546933be2626f55568349cfe73f43c76e9100ed645f39d08096354ff5920cb14414d09e92b1570cdc8219db56af918305971

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
54KB

MD5
6a3dab2c7ee512e0dc0c1e6b2c6dfb54

SHA1
db643fe60fbd46cd69faeabe0d593134e1309e4a

SHA256
78bdcd5a2ccfad48f97327fbcb96805259eda55694bdd22efb742287bd96884d

SHA512
00036fd4711dcef9d23737af79a475dcced226b757dbe8d59427c52a26989e58c443b9651c456ee88126a40c2707b208c3fbd6be51aab4772c980c5852cc2dde

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
74KB

MD5
9d407d3c3b0400254b59672acd2fda10

SHA1
dd7c40ecbe2cf17c1f2e3d481dc061c6be89e045

SHA256
a36ac0768bccb1602edb6ffdf9cb526bdf63742ae7642b89f990f1857d230e83

SHA512
f416863a6c9630130a610222603b13f4e6ec7ec9efcca4bb7ed767f7c9cc6b11be6fc373875ecfa3209756cad61e029418eb1859f212e394e4515fa841ff386f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\64ca03e67a9123aee77a21e9739bcfc8\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2794c2636ea21cd540977b68d283d002

SHA1
a076ac9949b369d8fc51252c5f643e0006158375

SHA256
0db3f9e0378919e77c9b0188cb435000a8ba62a640c5814d29b203122f4f0ba3

SHA512
88aabe4048adbd2e6b67a347cd5f00196394b3dfac0b8d808534496c791a58ed626e140e24d0ee272c7abc1bda38fe19b9deeab27ca42ed44cae842b509f3782

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
26KB

MD5
358e85eca1baceb8bb0930f191927b49

SHA1
46f86eefe64e221f26ba624ce8203b86d5cc886b

SHA256
0dc4d3a378fab09e9dfdcfdfa34d00d94ca93610aac3a9d58a421884bfa18c01

SHA512
370205172ad7cfe33bab5e74a0a87ec38d709d457f381fd932138833a0b6160c4ffe3a250fcd6292360ab795686346b6f22e7b9e7a73b5a386e78b2717750480

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
15KB

MD5
75e6f2d67c96843a9147072d568df946

SHA1
bb61a6e1f38fb3274341fdbc419122cd19434f85

SHA256
1023fa654f5ba1748ef564628a5e5d186695f4f73e72a256810b338a48bf0cf4

SHA512
798885fbc007a569362173eb293aea7f7cd65749e4f1d5a7514623b7be572676432bbfb6f74344b0a672420623148998a73b7d055d4c22371cef8e497639a766

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9f985dd12e81a9faf2091b16ee3e1088\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
169d69987122c36777ce6747e4f62f93

SHA1
4130d993c6864c79b1913f9f56c9e77bbbe73fb5

SHA256
059f886d7e8d398bc79daf9700aa2f2caacebefb261bfe72fe5638b0f88ce932

SHA512
9755ef4791fc5f2222d62af1489186e79a4be0a8624f6869a012567ab4cafbcd6c60294b4a3adfd81b9624415a4575ac04a708383724fd8dd641f2eec7f6a059

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
45KB

MD5
f21ae461a81526929f894a9470780aec

SHA1
987e799149d726300dab5c0db508a69d3490dfdd

SHA256
8168f6e4975abf064bf19a96f4cc9033d45b16f921e20716363ef64fc8e2df15

SHA512
febc0fe1540ae6026534cc33dc36ef091d11bad563dbf2f42a328265a2ede80793d3256a7dfb98149d19c232fd9789675e0a94b21c2c02db7455a7bdc04824d5

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
78KB

MD5
f73dc3ccbaf9a6c32f5ca6a530fcd433

SHA1
e3ed3837e24f17843256b3f6da3af658e13f9029

SHA256
b6a722ec180fa112ad3fed4a16d26c532ee1a366bcf6790ee78c2ca423fad707

SHA512
01def3f220f49190b1bcda39921aaafc9f9e3d968819bbb0701ef76847e7335e375c8bae44fccbb93d8108f61954e83c99ab2a3d64e6b7ff7764c648261f21fd

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\e067c52aa5fc80c7cb1a13a4d76d9350\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
281KB

MD5
dc99711163f0a6ab017bd46a4ac72dab

SHA1
6ba35bf62aa99f33f8a303edbfa74b1cc730f775

SHA256
89bfbd50733fbcee3873ca633f2c329c2c00a844a03004bb97c47bd8e0152a2c

SHA512
ed2ac7c5a954ba043b524fac17762aca754ba360a9a983d93ce2c7ef21a0e20929f6216ed64c9a6e1be2bda52cf279d046b2f57d1459c1121aefb663c77d2339

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\e9c5c6da636ecea7929e337b3c551496\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
181KB

MD5
d0f730ba2446f36d868de7c7a023b3c6

SHA1
c1f770f6c3000abcdb8deb0ca567f4c4fc45406f

SHA256
a14bdf5a7adf2281ceb6da145992a559b904c5d0c8ce8a43d306908dae4eed12

SHA512
be8d484e28f0b91fd472f6aaccea661e3196ed0c788d389a9fdc177fd149c2da4b40cff14334b605bbe34a89a97b96bd7ea3cc85bdeaaa0cc9dd8983836ef1e6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
282KB

MD5
3b750dfd6ff5c55f7725fbfeb1de88c2

SHA1
f55dae9eb524529ae5eba79fb089c341d870ecc2

SHA256
eefbfaa83131f6ce145ab3633a1afb57873f5bad5e1246e89a6189c80e2be777

SHA512
c1935bfee83dabae2c14cc4b68e9c9d0030ebb763703a64b1c1fb71843a89392c20803aa676b2449a785e41a357b7705dae80caf6d8939c4eb74c3b60cd1bacb

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
16KB

MD5
864d9db1b2285df61090be11388d4ca9

SHA1
54e0921ca4cf4f6ae37d51602d9ac70650c55670

SHA256
1af1217d7fbc00eb96c8f952bdf0162d2ea61c75687c20f293b964313a420052

SHA512
e5b1cf1a9e32e79dd95a958751564927ab1075eb236a09d78bf1aac36c1345b7b321613ca3499bb3d5af1d6b252ba30dd86efbf256212b5a90f95ed546ff3fb7

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
170KB

MD5
bf897b2b7cb4fb18b26e975ca95aa0dc

SHA1
13e02360d31a6c77129a8dbe682c26b98243969d

SHA256
e0cfd3739d112bd3813c8dd02068791df4c5998729f0e0c7f3875df9a691b866

SHA512
5e82935a591ec8d8942472cd44dfbbade598c705217832e7e7aa1bb3107b6b01eb17e54569fec970e6fa7cea8492f89eafe6213e1758a5a08d579a0603185b7b

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
16KB

MD5
960e193098f6783195bbb1f09a6c3b68

SHA1
3f036a9d16fcfd8bc31570cf53a490d32ed0d3fb

SHA256
9a2ed1828f8b27690e43250636ac5728dc99f66709602e49541ac67b218a2c87

SHA512
cb39ec69361c334097ff59ef256c21816278f89a6c7bc239d59d0479418ad70595fb210861289a0803f32990103a93a9ca22b37d2e39a1ca69197ea0aafd27c4

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
64KB

MD5
80cc7bf1ee0353eeeb88874e6db9920b

SHA1
14320cafe099eeff972c6ec3374a0368136628ea

SHA256
1a6fe1d7be50b1179b9f93b4caa5e31e13fa103b4e79d0bec9189b929f3a1866

SHA512
8f7e48cfe11869ab7200b59af5bf99ab72c138749a94bdf6d6d31d96cecae376948ad30cb79a7901481c9e89083a7bb22d8f570ab926c0adb0857eb55722d121

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
75KB

MD5
1b1787100c432d2bbf39cf836ffe2563

SHA1
df4f5690ecb6f20ac149b85e680e1e25be19f810

SHA256
8c20f067f8510bae62c0ca7fcd5fe285e17a73d51067731a3e2caa8b807c0659

SHA512
3e7cefbf3071957699388bff0acc81b69be129b986ad7762fb4efec1f5cb0e3f9a1435fcf1bbf7aaac7c1363aa42879644a4973542442aff04aec9f5d49a14ef

Download Submit
C:\Windows\system32\IEEtwCollector.exe

Filesize
92KB

MD5
117a01f507d4f035ef9a296eab4161c2

SHA1
e40096d956931fcd9e61d94b36f88e075eb8de41

SHA256
c4546c3fe9144eb76f7f0bf796d950999e918cb80b8322a591a3b361f26a5944

SHA512
fbcae3963ba02ae98e75d037acf24153b76c1165050ae3adcb95c386024d2e0311672561fa6191ee15e8ff66bda2df7bd5a30b832e7799f6fe61b724ddd31263

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
28KB

MD5
86b629d3c831d102e1119a57f7a3b9dd

SHA1
8649fbae516179f9d65fb5fd4fd98c1ec4184cf1

SHA256
605cf1f7f129b52274c6f06dbc5396eaf6ee82eec58f3474558b1bbe5d5d5a45

SHA512
c0432caa51cd255ef514b7b59d47d15705d0722ad6d3edfcf01322f23d7a86486db8aebe6b27984747ff313c03be960cdb776f02cbb363cd1af31af96afad95e

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
67KB

MD5
994660400f3cfc20c87a7c4d0455d56a

SHA1
3d42062230e690fcc3eb0bc7050bc002f47e85e7

SHA256
51a053fe2437291903c6f2c99a8964034757c4e3cc70213e383232dae2558901

SHA512
70fae3ca86573177fb239f49d8f1be80fdefadb55d2ab82a8b0ed5c0874e4464f65c7b15e9ea5de0f8d5fe9faf2d00316abeaeb066184868cfbb6505a450009e

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
99KB

MD5
30d03df58e3899b3589eb370c7fcf8e0

SHA1
8b0c5b02209958fda38d0d3fe37c3b9f9c979534

SHA256
aa0ad1bd1a0d848b7606beb218434db9e543c4b53ce6d7c6ecf5d3874869bd6c

SHA512
c6c75dfe855fa0e2eef6a83c8f92dfa99ebd4c38f3df0fdd6a19573f28258018ef773cb6cf57f92fdba2bce216823120bb0623a4927edc1e6c26084b9d86fb65

Download Submit
\Windows\System32\alg.exe

Filesize
120KB

MD5
d9d090f97f34641641fbc06e6423513f

SHA1
95bdb50f99bfbf216aec0eb76229159d5c4c4b65

SHA256
2e8489cfb57457dc1c85f475e401c7d8a90d62813e18beeab40e3ad5b54f54b4

SHA512
72321912bd2c83d0d318c7f93ae167dc459dad00e9985e3fe6673348dd17da23c227621b65b3297b8db41fd01abfaf320078144d85f896c51db60e0594d65ffc

Download Submit
\Windows\System32\dllhost.exe

Filesize
39KB

MD5
30b3573af9a6f4c5486d05df780a3893

SHA1
198caab075659102947a6d617dce50e8838eb7cb

SHA256
005d193733abe5a8106b75193837117f369b35f5994861e4451422160670790c

SHA512
790e69d238e990a730eef147ff03306adc982f67921824ffbc2941ac7b3dbb77f8c52f9ef4533e43b127989976296296da785795cae4e83da79404a205e5541e

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
51KB

MD5
7ff4d18890f5d9b710bf07c3ca235d4c

SHA1
8909ace93e07456854a8e5f7198332be8fb60fee

SHA256
e276da48bd67180186c583aad7945f68426f605f77609d6e1e939afd2474c1ca

SHA512
bc0e6cc7aecd1e95765034f4a11fbf149c257dfd7717476bb7e464748e50d213c682b9854b0dafe0971f128ad1f2d28b1fa1f55114852de69c0275719155bff0

Download Submit
\Windows\System32\msdtc.exe

Filesize
92KB

MD5
6e18136e63387bb9e0e5db28c9796b3d

SHA1
339d977a9de8ec0bf01f9c8f7799d0dcc27505ef

SHA256
2471627b282583e7c382b6e2b401030e9ccb321635c52eef341c8693c91fd2df

SHA512
f25824fc6b59afec99cfc5d5e83b39cba0d6c0adf3705c1d214e4903d8c26983de7c596c301899f71ad9b95e8db13c2dd7e5a24b2702c04997c97eba12687218

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
15KB

MD5
340afea84775b009a77a9879ad8fb8a2

SHA1
70990693292df14fac356441eee73a05bdfd1490

SHA256
771cabd66c9d3f2a29ef55ecd195724df2c89c26949210644fb43a3355523d3a

SHA512
4c8346b44393d53102b8454a4cd462109a2ebecdb3d3e6be2c3d0d5b6613d8824a0b3329c8c705b536db4e919ddaaec1f3bc15abf9ff0583c81a5c04bb8a1265

Download Submit
\Windows\ehome\ehsched.exe

Filesize
31KB

MD5
0758290ee3df7c99c93f8626a33ad77f

SHA1
61fee26edf700dc76c616920f1e0e69acd7543b4

SHA256
d485ba726e0d5a0d129a8f3451359743fc8a4ddfd3ab781d63575a5bca14bc30

SHA512
5ec5fa6ed039e11198c5269193baee48633341d3af5295f1d98a2a062e507d322c39cda5504e733de11aa8d1af6e406636f616ed483ef0fd05c158ba4357179c

Download Submit
memory/484-387-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/484-375-0x00000000005B0000-0x0000000000610000-memory.dmp

Filesize
384KB

Download
memory/484-357-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/484-451-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/896-459-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/896-362-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/896-360-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/960-210-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/960-216-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/960-349-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1540-413-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1540-491-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/1540-434-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/1564-114-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1620-126-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1620-132-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1620-200-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1620-127-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1724-174-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1724-95-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1908-236-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1908-246-0x0000000000FF0000-0x0000000001050000-memory.dmp

Filesize
384KB

Download
memory/1908-338-0x0000000000FF0000-0x0000000001050000-memory.dmp

Filesize
384KB

Download
memory/1908-337-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1992-390-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1992-404-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1992-398-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2020-178-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2020-173-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/2020-184-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/2020-234-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2036-252-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2036-411-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2036-332-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2080-45-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2080-13-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2080-14-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2080-158-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2080-44-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2296-141-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2296-0-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/2296-7-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/2296-330-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2296-6-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/2296-1-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2444-214-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2444-142-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/2444-149-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/2444-144-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2500-378-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2500-392-0x00000000003F0000-0x0000000000457000-memory.dmp

Filesize
412KB

Download
memory/2852-124-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2852-99-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/2852-104-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/2852-98-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2908-189-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2908-197-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2908-249-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2908-193-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2928-353-0x000007FEF43D0000-0x000007FEF4D6D000-memory.dmp

Filesize
9.6MB

Download
memory/2928-348-0x0000000000F70000-0x0000000000FF0000-memory.dmp

Filesize
512KB

Download
memory/2928-208-0x0000000000F70000-0x0000000000FF0000-memory.dmp

Filesize
512KB

Download
memory/2928-212-0x000007FEF43D0000-0x000007FEF4D6D000-memory.dmp

Filesize
9.6MB

Download
memory/2928-206-0x000007FEF43D0000-0x000007FEF4D6D000-memory.dmp

Filesize
9.6MB

Download
memory/2928-219-0x0000000000F70000-0x0000000000FF0000-memory.dmp

Filesize
512KB

Download
memory/2928-394-0x0000000000F70000-0x0000000000FF0000-memory.dmp

Filesize
512KB

Download
memory/2928-334-0x000007FEF43D0000-0x000007FEF4D6D000-memory.dmp

Filesize
9.6MB

Download
memory/2928-367-0x0000000000F70000-0x0000000000FF0000-memory.dmp

Filesize
512KB

Download
memory/2952-228-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2952-230-0x0000000000620000-0x0000000000687000-memory.dmp

Filesize
412KB

Download
memory/2952-373-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/3036-159-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3036-175-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/3036-172-0x0000000000CE0000-0x0000000000CF0000-memory.dmp

Filesize
64KB

Download
memory/3036-243-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/3036-167-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/3036-221-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3036-160-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/3036-182-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download