9277b4e622e72caed22797920715b3f78fd48cc0fa52267b790b0c2cf1e444f2

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/01/2024, 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9277b4e622e72caed22797920715b3f78fd48cc0fa52267b790b0c2cf1e444f2.exe
Size

1.8MB
MD5

2558bccb881ca1c72d1c544e1bd3c433
SHA1

d526f96cb78289b2d64ed6cb548d6ea2f49d3c4a
SHA256

9277b4e622e72caed22797920715b3f78fd48cc0fa52267b790b0c2cf1e444f2
SHA512

7395bc8e7864d7797521d9c2e577a918ce8282fc2c9387d0cd4b95eea3424fff1d872980ee896b41659fbd5dfab2940878a9360762d1f4e5690c75ec58b6bd2b
SSDEEP

49152:GKJ0WR7AFPyyiSruXKpk3WFDL9zxnSkMdFrIe78vH/:GKlBAFPydSS6W6X9lnsTjYvH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2972	alg.exe
1448	aspnet_state.exe
3036	mscorsvw.exe
1776	mscorsvw.exe
2036	mscorsvw.exe
1180	mscorsvw.exe
2632	ehRecvr.exe
2620	ehsched.exe
2108	dllhost.exe
2980	elevation_service.exe
2864	GROOVE.EXE
3024	maintenanceservice.exe
1088	OSE.EXE
2008	OSPPSVC.EXE
1044	mscorsvw.exe
2356	mscorsvw.exe
1748	mscorsvw.exe
2796	mscorsvw.exe
1680	mscorsvw.exe
1144	mscorsvw.exe
976	mscorsvw.exe
772	mscorsvw.exe
2684	mscorsvw.exe
2024	mscorsvw.exe
952	mscorsvw.exe
1460	mscorsvw.exe
2496	mscorsvw.exe
1224	mscorsvw.exe
940	mscorsvw.exe
3048	mscorsvw.exe
2148	mscorsvw.exe
2924	mscorsvw.exe
1728	mscorsvw.exe
3060	mscorsvw.exe
2388	mscorsvw.exe
2420	mscorsvw.exe
1808	mscorsvw.exe
1224	mscorsvw.exe
1556	mscorsvw.exe
700	mscorsvw.exe
2272	mscorsvw.exe
1104	mscorsvw.exe
1636	mscorsvw.exe
2836	mscorsvw.exe
2808	mscorsvw.exe
1328	mscorsvw.exe
2324	mscorsvw.exe
1584	mscorsvw.exe
1360	mscorsvw.exe
2368	mscorsvw.exe
1796	mscorsvw.exe
2860	mscorsvw.exe
1680	mscorsvw.exe
1268	mscorsvw.exe
2744	mscorsvw.exe
2756	mscorsvw.exe
2208	mscorsvw.exe
912	mscorsvw.exe
2528	mscorsvw.exe
2524	mscorsvw.exe
2724	mscorsvw.exe
2648	mscorsvw.exe
2436	mscorsvw.exe

Loads dropped DLL 49 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2836	mscorsvw.exe
2836	mscorsvw.exe
1328	mscorsvw.exe
1328	mscorsvw.exe
1584	mscorsvw.exe
1584	mscorsvw.exe
2368	mscorsvw.exe
2368	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
1268	mscorsvw.exe
1268	mscorsvw.exe
2756	mscorsvw.exe
2756	mscorsvw.exe
912	mscorsvw.exe
912	mscorsvw.exe
2524	mscorsvw.exe
2524	mscorsvw.exe
2648	mscorsvw.exe
2648	mscorsvw.exe
1072	mscorsvw.exe
1072	mscorsvw.exe
1652	mscorsvw.exe
1652	mscorsvw.exe
1972	mscorsvw.exe
1972	mscorsvw.exe
1172	mscorsvw.exe
1172	mscorsvw.exe
2612	mscorsvw.exe
2612	mscorsvw.exe
444	mscorsvw.exe
444	mscorsvw.exe
2524	mscorsvw.exe
2524	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
676	mscorsvw.exe
676	mscorsvw.exe
1784	mscorsvw.exe
1784	mscorsvw.exe
3028	mscorsvw.exe
3028	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	9277b4e622e72caed22797920715b3f78fd48cc0fa52267b790b0c2cf1e444f2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bcdbb442223c682a.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	9277b4e622e72caed22797920715b3f78fd48cc0fa52267b790b0c2cf1e444f2.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4192.tmp\GoogleCrashHandler.exe	9277b4e622e72caed22797920715b3f78fd48cc0fa52267b790b0c2cf1e444f2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4192.tmp\goopdateres_de.dll	9277b4e622e72caed22797920715b3f78fd48cc0fa52267b790b0c2cf1e444f2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4192.tmp\goopdateres_ru.dll	9277b4e622e72caed22797920715b3f78fd48cc0fa52267b790b0c2cf1e444f2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4192.tmp\goopdateres_fil.dll	9277b4e622e72caed22797920715b3f78fd48cc0fa52267b790b0c2cf1e444f2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4192.tmp\goopdateres_ta.dll	9277b4e622e72caed22797920715b3f78fd48cc0fa52267b790b0c2cf1e444f2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F2D1DCEA-3974-4AE2-AC88-A893D86175E3}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4192.tmp\goopdateres_fa.dll	9277b4e622e72caed22797920715b3f78fd48cc0fa52267b790b0c2cf1e444f2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5E.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE1F6.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP72B0.tmp\Microsoft.Office.Tools.Excel.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDF86.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	9277b4e622e72caed22797920715b3f78fd48cc0fa52267b790b0c2cf1e444f2.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1C38.tmp\ehiVidCtl.dll	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{972FAB58-F5C2-4096-AFF1-57969479FAB3}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	9277b4e622e72caed22797920715b3f78fd48cc0fa52267b790b0c2cf1e444f2.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7BA5.tmp\Microsoft.Office.Tools.Outlook.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2904	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2056	9277b4e622e72caed22797920715b3f78fd48cc0fa52267b790b0c2cf1e444f2.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: 33	2160	EhTray.exe
Token: SeIncBasePriorityPrivilege	2160	EhTray.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeDebugPrivilege	2904	ehRec.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: 33	2160	EhTray.exe
Token: SeIncBasePriorityPrivilege	2160	EhTray.exe
Token: SeDebugPrivilege	2972	alg.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeDebugPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe
Token: SeShutdownPrivilege	1180	mscorsvw.exe
Token: SeShutdownPrivilege	2036	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2160	EhTray.exe
2160	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2160	EhTray.exe
2160	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1044	2036	mscorsvw.exe	43
PID 2036 wrote to memory of 1044	2036	mscorsvw.exe	43
PID 2036 wrote to memory of 1044	2036	mscorsvw.exe	43
PID 2036 wrote to memory of 1044	2036	mscorsvw.exe	43
PID 2036 wrote to memory of 2356	2036	mscorsvw.exe	45
PID 2036 wrote to memory of 2356	2036	mscorsvw.exe	45
PID 2036 wrote to memory of 2356	2036	mscorsvw.exe	45
PID 2036 wrote to memory of 2356	2036	mscorsvw.exe	45
PID 2036 wrote to memory of 1748	2036	mscorsvw.exe	46
PID 2036 wrote to memory of 1748	2036	mscorsvw.exe	46
PID 2036 wrote to memory of 1748	2036	mscorsvw.exe	46
PID 2036 wrote to memory of 1748	2036	mscorsvw.exe	46
PID 2036 wrote to memory of 2796	2036	mscorsvw.exe	47
PID 2036 wrote to memory of 2796	2036	mscorsvw.exe	47
PID 2036 wrote to memory of 2796	2036	mscorsvw.exe	47
PID 2036 wrote to memory of 2796	2036	mscorsvw.exe	47
PID 2036 wrote to memory of 1680	2036	mscorsvw.exe	48
PID 2036 wrote to memory of 1680	2036	mscorsvw.exe	48
PID 2036 wrote to memory of 1680	2036	mscorsvw.exe	48
PID 2036 wrote to memory of 1680	2036	mscorsvw.exe	48
PID 2036 wrote to memory of 1144	2036	mscorsvw.exe	49
PID 2036 wrote to memory of 1144	2036	mscorsvw.exe	49
PID 2036 wrote to memory of 1144	2036	mscorsvw.exe	49
PID 2036 wrote to memory of 1144	2036	mscorsvw.exe	49
PID 2036 wrote to memory of 976	2036	mscorsvw.exe	50
PID 2036 wrote to memory of 976	2036	mscorsvw.exe	50
PID 2036 wrote to memory of 976	2036	mscorsvw.exe	50
PID 2036 wrote to memory of 976	2036	mscorsvw.exe	50
PID 2036 wrote to memory of 772	2036	mscorsvw.exe	51
PID 2036 wrote to memory of 772	2036	mscorsvw.exe	51
PID 2036 wrote to memory of 772	2036	mscorsvw.exe	51
PID 2036 wrote to memory of 772	2036	mscorsvw.exe	51
PID 2036 wrote to memory of 2684	2036	mscorsvw.exe	52
PID 2036 wrote to memory of 2684	2036	mscorsvw.exe	52
PID 2036 wrote to memory of 2684	2036	mscorsvw.exe	52
PID 2036 wrote to memory of 2684	2036	mscorsvw.exe	52
PID 2036 wrote to memory of 2024	2036	mscorsvw.exe	53
PID 2036 wrote to memory of 2024	2036	mscorsvw.exe	53
PID 2036 wrote to memory of 2024	2036	mscorsvw.exe	53
PID 2036 wrote to memory of 2024	2036	mscorsvw.exe	53
PID 2036 wrote to memory of 952	2036	mscorsvw.exe	54
PID 2036 wrote to memory of 952	2036	mscorsvw.exe	54
PID 2036 wrote to memory of 952	2036	mscorsvw.exe	54
PID 2036 wrote to memory of 952	2036	mscorsvw.exe	54
PID 2036 wrote to memory of 1460	2036	mscorsvw.exe	55
PID 2036 wrote to memory of 1460	2036	mscorsvw.exe	55
PID 2036 wrote to memory of 1460	2036	mscorsvw.exe	55
PID 2036 wrote to memory of 1460	2036	mscorsvw.exe	55
PID 2036 wrote to memory of 2496	2036	mscorsvw.exe	56
PID 2036 wrote to memory of 2496	2036	mscorsvw.exe	56
PID 2036 wrote to memory of 2496	2036	mscorsvw.exe	56
PID 2036 wrote to memory of 2496	2036	mscorsvw.exe	56
PID 2036 wrote to memory of 1224	2036	mscorsvw.exe	67
PID 2036 wrote to memory of 1224	2036	mscorsvw.exe	67
PID 2036 wrote to memory of 1224	2036	mscorsvw.exe	67
PID 2036 wrote to memory of 1224	2036	mscorsvw.exe	67
PID 2036 wrote to memory of 940	2036	mscorsvw.exe	58
PID 2036 wrote to memory of 940	2036	mscorsvw.exe	58
PID 2036 wrote to memory of 940	2036	mscorsvw.exe	58
PID 2036 wrote to memory of 940	2036	mscorsvw.exe	58
PID 2036 wrote to memory of 3048	2036	mscorsvw.exe	59
PID 2036 wrote to memory of 3048	2036	mscorsvw.exe	59
PID 2036 wrote to memory of 3048	2036	mscorsvw.exe	59
PID 2036 wrote to memory of 3048	2036	mscorsvw.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9277b4e622e72caed22797920715b3f78fd48cc0fa52267b790b0c2cf1e444f2.exe
"C:\Users\Admin\AppData\Local\Temp\9277b4e622e72caed22797920715b3f78fd48cc0fa52267b790b0c2cf1e444f2.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3036

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 244 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 250 -NGENProcess 258 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 25c -NGENProcess 244 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 234 -NGENProcess 1d8 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 234 -NGENProcess 25c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 1f0 -NGENProcess 1d8 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 250 -NGENProcess 234 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 274 -NGENProcess 25c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1d8 -NGENProcess 27c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 264 -NGENProcess 25c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 280 -NGENProcess 274 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 27c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:1224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 27c -NGENProcess 1d8 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 264 -NGENProcess 290 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 278 -NGENProcess 1d8 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 244 -NGENProcess 298 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 298 -NGENProcess 288 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 25c -NGENProcess 274 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 244 -NGENProcess 2a4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2a8 -NGENProcess 274 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2ac -NGENProcess 288 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b0 -NGENProcess 23c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2c8 -NGENProcess 25c -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2a8 -NGENProcess 2d0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2c0 -NGENProcess 2b8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 25c -NGENProcess 2d8 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2d8 -NGENProcess 2d0 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c0 -NGENProcess 2e4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 25c -NGENProcess 2e8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2dc -NGENProcess 2e4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 23c -NGENProcess 2f0 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2c0 -NGENProcess 2f4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 25c -NGENProcess 2f4 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2fc -NGENProcess 2f8 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2f8 -NGENProcess 2f0 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e8 -NGENProcess 304 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 304 -NGENProcess 2f4 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2b8 -NGENProcess 30c -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e4 -NGENProcess 310 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2f4 -NGENProcess 314 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 314 -NGENProcess 30c -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 25c -NGENProcess 2b8 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 308 -NGENProcess 2b8 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 314 -NGENProcess 320 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 320 -NGENProcess 2dc -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 320 -NGENProcess 314 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 32c -NGENProcess 2f4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 338 -NGENProcess 328 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 32c -NGENProcess 330 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 2b8 -NGENProcess 33c -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 340 -NGENProcess 33c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 338 -NGENProcess 34c -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 34c -NGENProcess 348 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 354 -NGENProcess 340 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 340 -NGENProcess 338 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 340 -NGENProcess 354 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 358 -NGENProcess 338 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 360 -NGENProcess 364 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 348 -NGENProcess 338 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 368 -NGENProcess 358 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 364 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 364 -NGENProcess 348 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 368 -NGENProcess 348 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 374 -NGENProcess 37c -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 37c -NGENProcess 36c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 378 -NGENProcess 384 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 360 -NGENProcess 36c -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 358 -NGENProcess 38c -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 37c -NGENProcess 390 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 36c -NGENProcess 394 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 38c -NGENProcess 398 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 390 -NGENProcess 39c -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3a0 -NGENProcess 398 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:1172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 384 -NGENProcess 3a4 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 3a4 -NGENProcess 394 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 36c -NGENProcess 3ac -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 3b0 -NGENProcess 394 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b8 -NGENProcess 358 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 37c -NGENProcess 36c -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3c0 -NGENProcess 3ac -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 3b8 -NGENProcess 354 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:1108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 3a4 -NGENProcess 36c -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:1808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3ac -NGENProcess 3c8 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 354 -NGENProcess 3cc -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:1816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 3cc -NGENProcess 3c4 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3cc -NGENProcess 354 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 358 -NGENProcess 3c4 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 3c4 -NGENProcess 36c -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3c4 -NGENProcess 358 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3c0 -NGENProcess 3d4 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3ac -NGENProcess 3e8 -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 3ec -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 3c8 -NGENProcess 3e8 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 354 -NGENProcess 3f4 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 36c -NGENProcess 3e8 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3f8 -NGENProcess 3f0 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c8 -NGENProcess 404 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3d4 -NGENProcess 3f0 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 3c0 -NGENProcess 40c -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 3c0 -NGENProcess 408 -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 3e8 -NGENProcess 250 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 40c -NGENProcess 3d4 -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:3028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 3d4 -NGENProcess 408 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 1bc -NGENProcess 354 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 1bc -NGENProcess 404 -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 3f8 -NGENProcess 3f4 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent fc -NGENProcess 410 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  PID:2892

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1180
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1556

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:2632

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2620

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2108

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2160

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2980

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2864

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3024

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1088

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
a2104d4be5572c034bc22ccbf71c717d

SHA1
9224a88174117507a1959bf8e1560de895d9f33f

SHA256
4152e4e7ad754cb7ca1cc9efc70f0e7f19b152e1146507fa7e0b693998c69349

SHA512
d7e62734fbca7e753807c7278f1c752ba570fa5d71023caa07c8cc0169f621ba7cdf6d93d93db26a8354a981d969b62c8203b4a50510ee18f9cfd58363792569

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
5712c9effd575eae02d81bbc7748dcfb

SHA1
02804bf8ea0d607e549246a6ef9988b20fdd5e64

SHA256
733cbc0b67df4b9a8b72f59fbd8dab246ab995f4664d163b563f24f8bcb156f3

SHA512
beaa69dda2751f09bf2caca0507372263816b5d06ae8c4ef92520c593323497bf749b450cdb94d027d42c5736507390c6bbae92e0863f71e5a94381b511d053e

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
bb599ee7e31b7b48d0dd7ad1984264e2

SHA1
0734e70d3eacc6fb3d55fce4148f888dc706ff6b

SHA256
27f6d70cb945e98913ee34793f519bbc88a06aa6bfe9b1c0152a4ade1a672f15

SHA512
1e2f67f551e4f6f8f2534388046788d5dd7b606740d06feddd38896fdc8f1330338941e5072a4f312fdc58b2fd9975b7445681442340e132ef8fa0c9d5e87d9a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
7cc580c3b2f128b5565816364baeaa0f

SHA1
217a74bcaa2133bd255aed8c16830513c3f2f797

SHA256
66abf32ae02620aa515e214ecf62d8ba178508867fcc1e0f6dd6c6a08c2dc0e3

SHA512
7573f6ee63017227f91f75c9e8f601e824dc70a1015ad39c30492e4683d694f0a133b2d7af4cacf18995100a810a94c8ec05a46cf82bada8792932a145662c90

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
375KB

MD5
1efe36c4d428df6613db88c3bcc8244e

SHA1
d8b4f0a4cb4c6f8da72d244fe02973d892801b50

SHA256
f2eb9000503bc692eedb38697579fec5118027d1a873d04db4ce54e61962d1b9

SHA512
5f1e9a44e5cd9d68407deece30fb3ab93e810f8d6ca2952cacbb1f6cfd98f86821da50832ca9f45eba45158a0439ed6c3a3859c18452a6e87ce1b5b0f947b592

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
1.9MB

MD5
be031967f15cc024f35c3752b0c67bb0

SHA1
c1c357aa63eadfdd75f41c6517961c611f27d5af

SHA256
e36f2fc8e07d3a7de6333d8481bfca9ebb7d43ed556cc0665399ccf8796d843d

SHA512
4c99f63c28f7d1e1b959da75d2b3b63f49428365780c1263a07e01a8d82e50eb867429d27b726be6dffcc4bf2886e15ebc1eef1e38d5730a67647dfcddd46e3c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
616691cbe7f1fe820174a3afab6af9ce

SHA1
b56e55df6d334f8212aa778ae4e498f5af2c57fb

SHA256
c719ccf8a0f0e7cfec2fa6b4de7a7c32011e152e9b434715655eeeac83f8cf17

SHA512
8a94cf757acea2b0687cb36c93de5ee58a96553d355fdfaf100c61612a5da19e74a897baddda8285d9704038e76718b793e01336507862f6b57abdd025a7f9e4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
cfe1f0bec668e4615cdebd246208a69b

SHA1
72d30ce754a340798912912dd238e9506b23e92b

SHA256
c56489650af25972aca5b2f49a5d2ab4f7aa3fae505481d21d22620feb5f7758

SHA512
d9046a7f922ffb035c8c864e4a76ebcc7873a804a056b46e27e2cf776033ce0c5bd8ed7a20a25cc7fb430704697a78b7d16ce94fa90febd3c2d449b46034fdb5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1a682011e0db617476b824f08428d075

SHA1
7a3537a6169358144293af41c11285a6dbf850a2

SHA256
82faf0b020255ec8b4f02b79735eccddaa80ddd0969e2da429367acd1a820881

SHA512
95f9c7fd2f3954173cb38296269f10f1607e5d93485c742d113bfefa558f87610adecab623c50a7fc5b794abe095fa749dd77dfdf3608bb4a1b8c1432eb45ad5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1de83b4cd4048608a42cf774f7284aba

SHA1
d61ddb1c5be80099b6dcc00332c78af02aa4b30b

SHA256
bffa8044b3a886e226a0e98c7024b7403860f248292ac143afde3bf6d61ba5a0

SHA512
981bd08d7151b9cb162bc8bd2ed2f5724f7f45a20f5672b661222372e99dc888d404342f34fc5f1f88d1242e150cdbbd5c3805b87e58aa69aae145b15dd7fde2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
23e307356280ae25052247f747e4697e

SHA1
362afa897f95849acb7a3e1423e78e527371f736

SHA256
8b68826d4d433d6c13518c374ea74261c6e6454f339ac988b9bac5407fafbecb

SHA512
485f1c985765ac5ab9c5c7801bff0dd56aa97986b239891b454e457c257d024e0de29010494efaf1e4bfb118d50ac9d241341ee8e004e4dd525d779b6020faf8

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
226KB

MD5
b3affc8bd4d7dad3c62d6217030cf4d9

SHA1
030187bc97ea80fd432dd7d97477ceacef4bff78

SHA256
389b57844be2fc0a6738eadec3f24a1c0818567a2f20805a5e0ab22abec3ae8e

SHA512
d86cf98bce441b04e37081aa399b2dafcdbff65d380381d8f476ff612be640cd89d71fa2f304de30d201e9f1d755d3f19f9acb106d9bc8af8ebebfe3f2f48b1e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
f33823c6041ea31f16f7e49b70db94b0

SHA1
ad490e065c320fa11efe935fb473a3c493120c71

SHA256
3e6f465434811503ade1a29d21d856b81632d546112f3411463e268d11e7e273

SHA512
43f507a743a0253e52b9c3ba7b321be1610f39930b76ceb94adacca01c0db3541c7f29dfb15a13d43853e5cb218ec49dacc1e0e161b5021aa2942489c580d639

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
a481cf1e174f209a0940c2a272097989

SHA1
43046a457f0781b6499c5ea6c92f1a793e8c67b4

SHA256
29a25b992ec9628edd2c4b70f4ea85db1fe98b08247e4a2d641e9428ff0eeb2c

SHA512
17e2e454c780f41ae2f24c7648f42d2b642656dacfe130fc42b66b531babfe4c05f4284297c60443d14e58263735c06204a9edbd0b38b2f7846450c68a272ae5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
bd1ae7dd0270dbfe2e7ddae50876e77e

SHA1
f24e8dcd1efeb3a942785b2ae0106f51e6d1ee94

SHA256
8cf925b7bfdf9fd2ea2ce33693d0b8ff8653112aa6e7d5d2605ad4e3fb7516be

SHA512
7aac0db3744a68d72fa8e6e20b466ef9955ae656faaae51552ee577c0d913376cfa7bd2f491a6f4e6f3e0833d0f435775301b3132f44b0c508c9710c38c565dc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
7f1456980414b40fd47a536242b55876

SHA1
ce75d102b424ac7080917e7b11f7ac0c6ec56eda

SHA256
3777d473e527857e30e262c8ed1161614e4af30ac495a521cbe17046329a4980

SHA512
6da3aec46d0802eb2d355b0b5ee8ad51d7256e8c603b0110fee394b3535b27c0a011518eb4455d0a206b761489ce3e22cfc28595485e8d6f2f148ee8af22ea17

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
ad25d61f6f28c27c0a8b1adfcba44962

SHA1
c0f817cd7f21031db79bbb01e4021df5baea6e80

SHA256
8fb6f82472dda30c89923fbdd0bb4e069f9079d0de774638d74f46892aaf6477

SHA512
fe1ca10cec9c57e669ceb8cc8eef7ff6210933642ebaf8341a9a47f5540c6b6b8d2a84155f60e796c707c10df146cda2f8cefa86b81e3aa6493a57d32e9efc20

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
7f20b0e14dc21e2d185fd783a8e963a5

SHA1
da2f5b2c8d012e2237434bdf4bdf988d4aadf838

SHA256
a6c798e48b5de113398b0cccb7844b745a2cd09686d234a2129d521fe61eaf38

SHA512
477a3ca8a57d63b41cd3cf388deeda82a91a9764319b3cc2a2ce2cd1efaa0e925773ab56daac7affd19b980ef4754c630d44ad6340f7d6d71ae211899d71cdb2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
6bf9a0a9f0d4b9ca78ece0887a7c75cc

SHA1
f68416431e02942e590b2077af26c5c5e764692b

SHA256
96ef7908c4d3a199e9f939c11302479807c410c1e59c118685d0650206fd97f1

SHA512
892d807c6d42ae8e27ae2c1c5b2f531dba131b2451c4e29d03aaaaec1c562ade779a483b6d16d45a6dcc185d584ce48a809589ec4d08660274d99cdd9de91706

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
322KB

MD5
049ae8b42381400c0bf4e9bd8155836a

SHA1
6f0eb314b085202c7f445a90e78f5d822ce3deb0

SHA256
71880eb6348cf7368cc0622fc998afd654dc1bae32307b65c42bb23413d4b91b

SHA512
016f6869c8d44844679463963fadf544dd25d13ee8124017772ee25ac12ea3f1dec5cc8848dae6372ea77c2627d435d6cbd0026b82d579d47a7de12dceaf743d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
ba026a5a1f2f8903dd13f9c19197657f

SHA1
22707bca8df7a43710d49d08828eec836233f7fa

SHA256
c5b03bd1c90484adc7f9ae430fbcfdb21a31eb8608e070f1c504f369934a8606

SHA512
faf428bfb348c5cd0d10aa14e0abd78fc3e6549c639f8452485031a5ec800d25833ec5de044112ccc32ef2477a0827f4d1ca1ddf066d07c8286bf018dceb6178

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
523KB

MD5
ca36669dc4ce938ab37a921d0a994513

SHA1
878e237578d86a0fa814a10c252142eebf896b09

SHA256
7987e979b3b2ae0a4c628d8a5ffff0207bcc0feb77ec32b3da385e03799b8944

SHA512
419eb1422ebb67f028a86888ced69a2b6656f8821932d6f91a94714f5a13653bfda0dd77b5364ddc79e6bbbbcc3ce4d8f06a5f50d3dafea6915d0bc50308baac

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
9bb197dc705832800ed2cf45271e7848

SHA1
b3fe4f0c9615d8e1a7ba4d0311445d9105adbb9b

SHA256
af4a56256e9f794b635f97b8b67a877d76f5f23df5132e54caa34e0a36e6943d

SHA512
c0ed0414ef1c967d393b85b84fff62b7065e538703b822251cad25c5060ae745813e21ff875a6ea980227c82d8c8c2397f9c6d81773aec3120f05db5fa5a7d34

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
e79d4b9d8027130337089f9c56fabcc4

SHA1
0b55b4bbba5fe1aeaa3b0e6016565b7da96b7fb8

SHA256
d57787819cfa01523b64fd85cd85abc250c4f24358f83fb60a20620eafbbb34c

SHA512
4ff73ae5f536ac87992982474e851037574401867936e2dd13eb8e13ca2c2840a84f87af031d4b943d035351f5cc478ed996574138bdc80f0748ec28531c96e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
c529f611fbf5d0ba4c7b6ea76e0a6821

SHA1
b86374c1bb228ff89d0ffedb0eeabc07be1068fe

SHA256
f41433d36db518f77400059baeedb9812accb1d2a18ea5f2eb9d36b8fd425f56

SHA512
35bb65ec2649ca4e8a58c4670dcd0076166453871b14e24a2a77b81ce10296a51b92c2a433c7dc37444c101c8723ee0d5157ccfcaf6daab7ef51ad2a19d25f1e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
7KB

MD5
4652e65db7adca9ab7b9eec1a0775c37

SHA1
f812e659498945a4dd85f10fb24ee21af1182c6e

SHA256
c09c97ce8d0fcb1a08bae3bfc96e40ffb6ac506ccecd3b417c2f1c55e36e4b0f

SHA512
704d61b932633704299d08c99fce885bea152739a39fa46d3c435a06267dbe47aa40ea770ae9b3a7e90e5ee975bdd9a9882b01476d1b39e2c35bcd7dc1c933d0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
271KB

MD5
a04a543405d2c5858f1b263d2e8a4654

SHA1
2fd131e64822a99383e8c740c74d8137f1f1f2fe

SHA256
4f6c1a4e988f237009e51d5bfe16b9d9bee15a18501f0168bed40f88b7c72ab2

SHA512
41eeabd15798588b810ffddf89190f77f3758ddcce80524f8270f547ae624b415558d37dcb13241580521e02efe4e791b8751153796f86a5d5d4690ce6aeff3b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
263KB

MD5
515574266da8c74001031bd0382d8b64

SHA1
f28bcc2ece98f450d2f9e1a2b9fd4fea45ab837e

SHA256
2cb59a80e6f96043e4f9af1cb62f803a9df1ace3b3bf9a8473ef205c06d4f3fc

SHA512
9f41c0063ea9909c53e10e9f65fb06bff66f3f68e258d81eb8e4a109b31abbcf27c3f9724f1f6236bebe2cdff7a7a4b45667906b8770d97e013682a4ff6e5176

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1KB

MD5
ff13a33727b97e5dd4a5247379aa1af2

SHA1
68f846005b089a4452d6eecacc2caa5c7d501ff0

SHA256
0223e7768a15be23d108f88ade6035075b6f3f70f9471806a99cd3674e2c1a11

SHA512
acc2f8602ad0fa54451f4f79f18a9b528e54a1a0266ba94a35f1404d4019565710e7016294403d740f3e1c7bd35bd0ce2f63f5c166e1e6c872ca11990f5e6303

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
127KB

MD5
6c35bf4723ac06f0752b8e57aec51999

SHA1
2f4c31ebe58fdd52792cc6b89e92c1eb89333928

SHA256
13223ca250d2be5e04b111a3f76b25e5f7bebac5cfc96347e4137a1a1fd12553

SHA512
2068cd37c73daaa33ae9e2a341d708c25e4b2844d5987893c846ccc89fa762c6e08fb9d8c50f41642b59c3b80f7d3ee9e087cbcf616b83ad5f86957b9d8f64e5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
609KB

MD5
63dbe8b6a582cb4a52cae2c8621bf84b

SHA1
43a82caf33404028450fe6d533e7674fbf63bdb3

SHA256
8682ec673b6d8adbaeebdc9c9bc12f8b1f37730e8997151f9b40a6d284a545ce

SHA512
1d7f8eb5bdcd3b548f0c1c705cb155d7fcbb9960bcde6d7409772de83b08a29ff267cf68b5d8a7a1d0befaac5c7c851e7a017df3292a15f9c728d8ff864dd1e7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
550KB

MD5
6c7fe30182b90a91ebecb41fc40c1fc1

SHA1
ec849f5f7f1691fbe4249ad6d712598b678300ad

SHA256
3d6caa6edcc462f86323ea5cfda7c1518be95a0b805795d4fdac3435769b05e3

SHA512
0949af83cb4374d175af151f4d30df942640e45d52481c71104e12b8291ca7ae6c8e97945143c23794a39caa56fa6e23a0c8c1ab62824c70bd70c279483d3aad

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
65KB

MD5
1f2efd93d06527dd7e7088a3a52731a7

SHA1
8c5a8055bc8da973522b0f2aae70ae30904d4ad6

SHA256
186a9e7f175aade4e7fee902db41cf74540038d25a780c3ac9ba6abb24368ab5

SHA512
94c16eed4608940cb50fa1d57eea5be09c618f95f4a9537e1478c4a2c0551e99d6713338c8c2ecd19300dbdffd5d4cee933ad38d423e11e8df149bae4a95aa04

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
5e7558de794b4b7c4e89707e84ce9939

SHA1
876a8f70a758d5319c456030b3fbb7ed86963739

SHA256
01ceb4df0df1e9741e5c874d70850eef7476da98c5201c18f66e15921e386869

SHA512
7ac8554296d144e1cdc550b7020d6cb9ee91b1545664d6d25b16184460423d6ec5d3b7252e29184da130c723be68d6a6c6eaf5eca30a14c61d24930c0f8a1a4f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\00cf0faa3d37faa0ea2d240c1ca307ef\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
75c84340d765d73eac1c743a31b6571a

SHA1
52aeef700a52b8e687316f42816eb9c0599354df

SHA256
b72a1f7da8b3c3dc95c2252319f6f3e71c81ed8bd59a5b31bd2861e14c364459

SHA512
9a9cdbc3a103e733150fae265c594dd7378ca402521387e466732f2431472a6a0e6cb4dfe02fe9f5b975a1739c685471ad2a4dddcdf6f12c4b5be469832fd5f1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\089425511468ddfd55fdc9685b47bfbb\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
85c5829abfb7a61057095e025b87ac18

SHA1
d3ca2fed9a214c33dd04561557dd00db6ddb3caa

SHA256
0ea02d5d81e787ded2ed46ed5d281687e36ccfd649b63527cbaaaecd14d39a2d

SHA512
27397478f37ec9f8f7f3ca2081137ede827c0c6f7e69dc9d106c0646c73368ef343ccc15c324000a711d174376c2768813a46a59dacc4dfee42a0d8bcfeaf5da

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\2b3cbb880ad613468c5c3d8a9eeffe43\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
2fbcabdfa88650005e69101d1592136a

SHA1
ba57ad5caa09cc136978255e239536c295784b88

SHA256
7953e92af355e06990da1e3e3df54fc1ce11652551d9fe5a8044d14656c037e7

SHA512
6e25da24bec32b18aa4bb25b16f15bbe50eddbc7c9b605b3151f122ff6ebe0d99f182756b228ff7cee72769bf3c9af55e16ac6d613b4c903b61ebe045ae68667

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\61d7ab3199323617ead88f07203c8a0b\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
7c71a35a8922e9e2618e4d52a7a44335

SHA1
1011c4e8871d4916334e6c411ce24b9ee98c9ece

SHA256
a7f2de691ccbd80ef61972fbbb6694ef7985b03c2060706af6670435a7716f94

SHA512
e3e549d2c56a24069c287a97d5db3af37d1a8109e4f57db9e8db6aaf164efd2f40717b0957098e3e50548495872aca43a2e7ee246e044e54c9bd64cbac9f09f6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
520479798eb79d6f5a1d867a4148d683

SHA1
0985856acf6719360e88c065a4da5312a1f75731

SHA256
3b76ecea80fd20be8c02f7899913c4927f7c786d6e47c7821ba4b9ba5a1f35e9

SHA512
4fc15256ebb6fcfebb5fc94cd7c46a90b15b067c3589fd3b04dca6a70666f637e335fab333a0fa84db0a54d80acdda0a6334a79c2570c50b1704651d8628663d

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
743KB

MD5
b5a44d484a725709a1b621ec554eeae2

SHA1
49f264e39956fe3b2d9f5054f0e849a8f8cc21d3

SHA256
f0e7a630ab0216b87f582af419de9bbf37880a38f4f59c55d0367dbeb3112c60

SHA512
904b713f3f4ae84dccdee91437046d8862e85cc0d0f02d03007f8c51052f57eac7faa469702dbb69055149b2deee38745548e5cf822d809cb55e9527eb98201b

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
588KB

MD5
198dd9d71c8b829da929769c65f57b09

SHA1
53e7c9e5224fa00255943fb0601eede79b07c220

SHA256
5c51f2a028bd609bbddfb3451927e89792c1851196fe69cc5f7fa6579229cbbb

SHA512
01738be4df278f227d47318d83ef435b4fc8c0c46fd57bd48bee5571fc565d376c08ab70747fa21ee759f9a71802ec987790b7233c7d16b0536adb87f6fe3447

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
2c98910a3536ace6cc71a0c6ec642c39

SHA1
db46bfd8022a0b49a0d0882f31a183231a99a51a

SHA256
ea85afafa728e6952eb32fff7567a1e690e07aa38bff104da10c7ef696a83d0e

SHA512
1f5613d920113178791587435dda181c26ffe6af513efcee951bb641e94aea59263d49bb10175d447f8002ccf4559671ae2262066dc2b425adfe29e96a80dabe

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
430a7a9b175e2eb05bb3238b9ea1b35b

SHA1
4b02ee5c361d3339dbd33ee6410175f49cc53b5c

SHA256
f83d9dc80e6f4043a0e19b3ca951deae357383084feda3a289d4181e20b4f5f5

SHA512
de2d9605a1fd1197f6cf312e9e643df6d0fe9a518fcb8ce2df032903c9234f0b53c91f42826cbd56a0fe68fb03f6c9b6ddbf94d61c8220c3489b1565833fc1e8

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
82afc1b1d821d78d8c913c1ad4757b04

SHA1
46a5371393fb8bc7e643fc96984085031e042e89

SHA256
b77147398052c28ce25702fed1fe114e057e76078f221ff167dc8c7aca8b20ed

SHA512
0388257befa6acaedaab1720514c7ce6ab17fd1b9ecbdf2d80802178bb5a8519fb54b2bad6b8654a08fa28f46e0b2ab8da146f072066af2499aff30d6df1ba3c

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
9b8d310a98c347a8e69198438a9b02b2

SHA1
0bdd15b9e042e9e02dab0c5101e3ce30a4be2186

SHA256
12ce9d9e91aa807ba1921266726e45a5fc512f2a96cdd22dc3837bbebef16ddd

SHA512
f8044f7b78d6944ddc191fa11a297e64a31392e2b3c9196a91b29c83cc4734c3de37f7d1b855977301c5c59a267bddca18af290963822fed951bf79bfeb9aa4f

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
881KB

MD5
0723c037ca366f63d6103d58094c0802

SHA1
f7bbeb552e552ec48241b0c3d0ad15494537484e

SHA256
820090a0412833a47f981f470824d8cd9cedade5b529a6b321b338e88831c5ab

SHA512
5f962a68b6633a787bbade532a49976a6669f3d0cf2369fa170cb979a3b25ecaa5d97cc560a2e8e6314755b3d85c60bfa8d7d3c6a3a69046e5cc14f495d915af

Download Submit
\Windows\ehome\ehsched.exe

Filesize
320KB

MD5
a71be15b1bd3c88b02edb36f4bd7862e

SHA1
d471d296dae0fffeb6ec86c972e346da9b4cf160

SHA256
dc6286fc607b6a3fadeb19b4832f28ed9a5d23e3b9e469de67a78a5dbd8be93d

SHA512
0596e91d1051bf64fb97e4503e01e1f05230c79db6dbf5f45969bf2190a85ae5ba15c5bf48be118e26479d6b735b7d93c0f816cb79e266eff1e1fa1db6479aea

Download Submit
memory/1044-374-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/1044-361-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download
memory/1044-358-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1044-392-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1044-394-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/1088-335-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1088-327-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1088-396-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1180-283-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1180-147-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/1180-140-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/1180-139-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1180-146-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/1448-94-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1448-173-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1748-480-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/1748-425-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1776-112-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1776-150-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2008-343-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2008-367-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2008-376-0x0000000073F18000-0x0000000073F2D000-memory.dmp

Filesize
84KB

Download
memory/2008-359-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2036-122-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2036-128-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/2036-271-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2036-123-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/2056-0-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2056-138-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2056-258-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2056-1-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2056-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2108-333-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2108-272-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/2108-265-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2108-263-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/2356-481-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2356-389-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2356-381-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2356-479-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/2356-400-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/2620-174-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2620-175-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2620-307-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2620-256-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2632-162-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2632-160-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2632-325-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2632-253-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2632-180-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2632-260-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2632-167-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2632-292-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2864-303-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2864-356-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2864-302-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2904-364-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/2904-336-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/2904-287-0x000007FEF4B00000-0x000007FEF549D000-memory.dmp

Filesize
9.6MB

Download
memory/2904-363-0x000007FEF4B00000-0x000007FEF549D000-memory.dmp

Filesize
9.6MB

Download
memory/2904-477-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/2904-290-0x000007FEF4B00000-0x000007FEF549D000-memory.dmp

Filesize
9.6MB

Download
memory/2904-288-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/2972-38-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2972-159-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2972-13-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2972-12-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2980-277-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2980-340-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2980-286-0x00000000004B0000-0x0000000000510000-memory.dmp

Filesize
384KB

Download
memory/3024-310-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3024-316-0x0000000001010000-0x0000000001070000-memory.dmp

Filesize
384KB

Download
memory/3024-322-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3024-323-0x0000000001010000-0x0000000001070000-memory.dmp

Filesize
384KB

Download
memory/3036-104-0x0000000000440000-0x00000000004A7000-memory.dmp

Filesize
412KB

Download
memory/3036-98-0x0000000000440000-0x00000000004A7000-memory.dmp

Filesize
412KB

Download
memory/3036-97-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3036-153-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download