1f0a240eda9871f509e90622a014fd76261ac3ddcb35354a78b186f185bd933e

Analysis

max time kernel
147s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/01/2024, 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f0a240eda9871f509e90622a014fd76261ac3ddcb35354a78b186f185bd933e.exe
Size

1.8MB
MD5

cd4cc9839c1e23a33a70289002a6f8a4
SHA1

62afd34b3678016b89fc8734cb5a91853f3a9911
SHA256

1f0a240eda9871f509e90622a014fd76261ac3ddcb35354a78b186f185bd933e
SHA512

7b38afda04a08776251bd620ce9bee863a3f998226139a26266404d3babbff2e3030f7426d46fa85fc6022ae8bbd311c6b0910523ceb6cf06ea7c5e75d501bb1
SSDEEP

49152:6KJ0WR7AFPyyiSruXKpk3WFDL9zxnS//snji6attJM:6KlBAFPydSS6W6X9ln8EnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
1236	alg.exe
804	aspnet_state.exe
3036	mscorsvw.exe
108	mscorsvw.exe
368	mscorsvw.exe
2920	mscorsvw.exe
1700	ehRecvr.exe
2112	ehsched.exe
1540	elevation_service.exe
1912	IEEtwCollector.exe
984	GROOVE.EXE
2504	maintenanceservice.exe
1032	dllhost.exe
1716	OSE.EXE
2056	OSPPSVC.EXE
1504	mscorsvw.exe
2456	mscorsvw.exe
1740	mscorsvw.exe
2040	mscorsvw.exe
2324	mscorsvw.exe
3040	mscorsvw.exe
2712	mscorsvw.exe
2820	mscorsvw.exe
580	mscorsvw.exe
1436	mscorsvw.exe
484	mscorsvw.exe
1156	mscorsvw.exe
2884	mscorsvw.exe
1604	mscorsvw.exe
2832	mscorsvw.exe
2604	mscorsvw.exe
2836	mscorsvw.exe
1720	mscorsvw.exe
2312	mscorsvw.exe
2100	mscorsvw.exe
1968	mscorsvw.exe
2708	mscorsvw.exe
3064	mscorsvw.exe
2844	mscorsvw.exe
2348	mscorsvw.exe
1968	mscorsvw.exe
1616	mscorsvw.exe
1788	mscorsvw.exe
1608	mscorsvw.exe
1796	mscorsvw.exe
2084	mscorsvw.exe
2688	mscorsvw.exe
2488	mscorsvw.exe
2892	mscorsvw.exe
2168	mscorsvw.exe
2956	mscorsvw.exe
2784	mscorsvw.exe
2732	mscorsvw.exe
2348	mscorsvw.exe
1192	mscorsvw.exe
2900	mscorsvw.exe
3068	mscorsvw.exe
1692	mscorsvw.exe
1772	mscorsvw.exe
2656	mscorsvw.exe
1048	mscorsvw.exe
2492	mscorsvw.exe
1060	mscorsvw.exe

Loads dropped DLL 50 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1796	mscorsvw.exe
1796	mscorsvw.exe
2688	mscorsvw.exe
2688	mscorsvw.exe
2892	mscorsvw.exe
2892	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2732	mscorsvw.exe
2732	mscorsvw.exe
1192	mscorsvw.exe
1192	mscorsvw.exe
3068	mscorsvw.exe
3068	mscorsvw.exe
1772	mscorsvw.exe
1772	mscorsvw.exe
1048	mscorsvw.exe
1048	mscorsvw.exe
1060	mscorsvw.exe
1060	mscorsvw.exe
1528	mscorsvw.exe
1528	mscorsvw.exe
1088	mscorsvw.exe
1088	mscorsvw.exe
1004	mscorsvw.exe
1004	mscorsvw.exe
1196	mscorsvw.exe
1196	mscorsvw.exe
2772	mscorsvw.exe
2772	mscorsvw.exe
1956	mscorsvw.exe
1956	mscorsvw.exe
1908	mscorsvw.exe
1908	mscorsvw.exe
1744	mscorsvw.exe
1744	mscorsvw.exe
2372	mscorsvw.exe
2372	mscorsvw.exe
1044	mscorsvw.exe
1044	mscorsvw.exe
1544	mscorsvw.exe
1544	mscorsvw.exe
1960	mscorsvw.exe
1960	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\msdtc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	1f0a240eda9871f509e90622a014fd76261ac3ddcb35354a78b186f185bd933e.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\50131cab3f41c52b.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1f0a240eda9871f509e90622a014fd76261ac3ddcb35354a78b186f185bd933e.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1f0a240eda9871f509e90622a014fd76261ac3ddcb35354a78b186f185bd933e.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1f0a240eda9871f509e90622a014fd76261ac3ddcb35354a78b186f185bd933e.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	1f0a240eda9871f509e90622a014fd76261ac3ddcb35354a78b186f185bd933e.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM48E2.tmp\goopdateres_sr.dll	1f0a240eda9871f509e90622a014fd76261ac3ddcb35354a78b186f185bd933e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM48E2.tmp\goopdateres_es.dll	1f0a240eda9871f509e90622a014fd76261ac3ddcb35354a78b186f185bd933e.exe
File created	C:\Program Files (x86)\Google\Temp\GUM48E2.tmp\goopdateres_ml.dll	1f0a240eda9871f509e90622a014fd76261ac3ddcb35354a78b186f185bd933e.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM48E2.tmp\GoogleUpdateComRegisterShell64.exe	1f0a240eda9871f509e90622a014fd76261ac3ddcb35354a78b186f185bd933e.exe
File created	C:\Program Files (x86)\Google\Temp\GUM48E2.tmp\goopdateres_lv.dll	1f0a240eda9871f509e90622a014fd76261ac3ddcb35354a78b186f185bd933e.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{84D4D46A-425C-4D83-A43F-29E77183FAA6}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM48E2.tmp\goopdateres_hi.dll	1f0a240eda9871f509e90622a014fd76261ac3ddcb35354a78b186f185bd933e.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM48E2.tmp\goopdateres_ta.dll	1f0a240eda9871f509e90622a014fd76261ac3ddcb35354a78b186f185bd933e.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF49C.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPED2C.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP784B.tmp\Microsoft.Office.Tools.Outlook.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDE10.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFAA.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE5DC.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2221.tmp\ehiVidCtl.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2BF.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1048	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1020	1f0a240eda9871f509e90622a014fd76261ac3ddcb35354a78b186f185bd933e.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: 33	2468	EhTray.exe
Token: SeIncBasePriorityPrivilege	2468	EhTray.exe
Token: SeDebugPrivilege	1048	ehRec.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: 33	2468	EhTray.exe
Token: SeIncBasePriorityPrivilege	2468	EhTray.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeDebugPrivilege	1236	alg.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeDebugPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe
Token: SeShutdownPrivilege	368	mscorsvw.exe
Token: SeShutdownPrivilege	2920	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2468	EhTray.exe
2468	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2468	EhTray.exe
2468	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 1504	368	mscorsvw.exe	45
PID 368 wrote to memory of 1504	368	mscorsvw.exe	45
PID 368 wrote to memory of 1504	368	mscorsvw.exe	45
PID 368 wrote to memory of 1504	368	mscorsvw.exe	45
PID 368 wrote to memory of 2456	368	mscorsvw.exe	46
PID 368 wrote to memory of 2456	368	mscorsvw.exe	46
PID 368 wrote to memory of 2456	368	mscorsvw.exe	46
PID 368 wrote to memory of 2456	368	mscorsvw.exe	46
PID 368 wrote to memory of 1740	368	mscorsvw.exe	47
PID 368 wrote to memory of 1740	368	mscorsvw.exe	47
PID 368 wrote to memory of 1740	368	mscorsvw.exe	47
PID 368 wrote to memory of 1740	368	mscorsvw.exe	47
PID 368 wrote to memory of 2040	368	mscorsvw.exe	48
PID 368 wrote to memory of 2040	368	mscorsvw.exe	48
PID 368 wrote to memory of 2040	368	mscorsvw.exe	48
PID 368 wrote to memory of 2040	368	mscorsvw.exe	48
PID 368 wrote to memory of 2324	368	mscorsvw.exe	49
PID 368 wrote to memory of 2324	368	mscorsvw.exe	49
PID 368 wrote to memory of 2324	368	mscorsvw.exe	49
PID 368 wrote to memory of 2324	368	mscorsvw.exe	49
PID 368 wrote to memory of 3040	368	mscorsvw.exe	50
PID 368 wrote to memory of 3040	368	mscorsvw.exe	50
PID 368 wrote to memory of 3040	368	mscorsvw.exe	50
PID 368 wrote to memory of 3040	368	mscorsvw.exe	50
PID 368 wrote to memory of 2712	368	mscorsvw.exe	51
PID 368 wrote to memory of 2712	368	mscorsvw.exe	51
PID 368 wrote to memory of 2712	368	mscorsvw.exe	51
PID 368 wrote to memory of 2712	368	mscorsvw.exe	51
PID 368 wrote to memory of 2820	368	mscorsvw.exe	52
PID 368 wrote to memory of 2820	368	mscorsvw.exe	52
PID 368 wrote to memory of 2820	368	mscorsvw.exe	52
PID 368 wrote to memory of 2820	368	mscorsvw.exe	52
PID 368 wrote to memory of 580	368	mscorsvw.exe	53
PID 368 wrote to memory of 580	368	mscorsvw.exe	53
PID 368 wrote to memory of 580	368	mscorsvw.exe	53
PID 368 wrote to memory of 580	368	mscorsvw.exe	53
PID 368 wrote to memory of 1436	368	mscorsvw.exe	54
PID 368 wrote to memory of 1436	368	mscorsvw.exe	54
PID 368 wrote to memory of 1436	368	mscorsvw.exe	54
PID 368 wrote to memory of 1436	368	mscorsvw.exe	54
PID 368 wrote to memory of 484	368	mscorsvw.exe	55
PID 368 wrote to memory of 484	368	mscorsvw.exe	55
PID 368 wrote to memory of 484	368	mscorsvw.exe	55
PID 368 wrote to memory of 484	368	mscorsvw.exe	55
PID 368 wrote to memory of 1156	368	mscorsvw.exe	56
PID 368 wrote to memory of 1156	368	mscorsvw.exe	56
PID 368 wrote to memory of 1156	368	mscorsvw.exe	56
PID 368 wrote to memory of 1156	368	mscorsvw.exe	56
PID 368 wrote to memory of 2884	368	mscorsvw.exe	57
PID 368 wrote to memory of 2884	368	mscorsvw.exe	57
PID 368 wrote to memory of 2884	368	mscorsvw.exe	57
PID 368 wrote to memory of 2884	368	mscorsvw.exe	57
PID 368 wrote to memory of 1604	368	mscorsvw.exe	58
PID 368 wrote to memory of 1604	368	mscorsvw.exe	58
PID 368 wrote to memory of 1604	368	mscorsvw.exe	58
PID 368 wrote to memory of 1604	368	mscorsvw.exe	58
PID 368 wrote to memory of 2832	368	mscorsvw.exe	59
PID 368 wrote to memory of 2832	368	mscorsvw.exe	59
PID 368 wrote to memory of 2832	368	mscorsvw.exe	59
PID 368 wrote to memory of 2832	368	mscorsvw.exe	59
PID 368 wrote to memory of 2604	368	mscorsvw.exe	60
PID 368 wrote to memory of 2604	368	mscorsvw.exe	60
PID 368 wrote to memory of 2604	368	mscorsvw.exe	60
PID 368 wrote to memory of 2604	368	mscorsvw.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1f0a240eda9871f509e90622a014fd76261ac3ddcb35354a78b186f185bd933e.exe
"C:\Users\Admin\AppData\Local\Temp\1f0a240eda9871f509e90622a014fd76261ac3ddcb35354a78b186f185bd933e.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3036

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 25c -NGENProcess 264 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 25c -NGENProcess 250 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 24c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 270 -NGENProcess 250 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 270 -NGENProcess 25c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 268 -NGENProcess 1f8 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 27c -NGENProcess 25c -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 27c -NGENProcess 268 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 26c -NGENProcess 24c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 288 -NGENProcess 268 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 270 -NGENProcess 28c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 290 -NGENProcess 268 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1f8 -NGENProcess 294 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1f8 -NGENProcess 258 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 250 -NGENProcess 29c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 28c -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 24c -NGENProcess 2a4 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 1f8 -NGENProcess 2a8 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 258 -NGENProcess 2ac -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2b0 -NGENProcess 2a8 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 298 -NGENProcess 2b4 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a8 -NGENProcess 22c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2d4 -NGENProcess 1f8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2a8 -NGENProcess 2e4 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2a8 -NGENProcess 2e0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2b8 -NGENProcess 2ec -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2dc -NGENProcess 2f0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 22c -NGENProcess 2f4 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2ec -NGENProcess 2f8 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f8 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2f8 -NGENProcess 2ec -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2ec -NGENProcess 2a8 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2e8 -NGENProcess 308 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2fc -NGENProcess 308 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 310 -NGENProcess 30c -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 2a8 -NGENProcess 304 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2c8 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2c8 -NGENProcess 30c -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 320 -NGENProcess 2a8 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 2c8 -NGENProcess 310 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2ec -NGENProcess 328 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 324 -NGENProcess 328 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 330 -NGENProcess 32c -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 32c -NGENProcess 310 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:2008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 338 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 2e8 -NGENProcess 330 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a8 -NGENProcess 340 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 340 -NGENProcess 310 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 324 -NGENProcess 348 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 334 -NGENProcess 34c -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:1864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 310 -NGENProcess 350 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 354 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 358 -NGENProcess 350 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 34c -NGENProcess 344 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 348 -NGENProcess 340 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 364 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 344 -NGENProcess 368 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 36c -NGENProcess 364 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:1816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 348 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 378 -NGENProcess 370 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 36c -NGENProcess 358 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 358 -NGENProcess 344 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 380 -NGENProcess 374 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 36c -NGENProcess 384 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 37c -NGENProcess 388 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 374 -NGENProcess 38c -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 384 -NGENProcess 390 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 360 -NGENProcess 38c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 344 -NGENProcess 398 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 374 -NGENProcess 39c -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:1864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 3a0 -NGENProcess 398 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 360 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:1140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 39c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3a8 -NGENProcess 3a0 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 374 -NGENProcess 388 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 3b4 -NGENProcess 3a0 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:1988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 398 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3bc -NGENProcess 3a4 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:3040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 39c -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3a4 -NGENProcess 210 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 214 -NGENProcess 3a8 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 398 -NGENProcess 210 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:1292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 3cc -NGENProcess 398 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 214 -NGENProcess 374 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3bc -NGENProcess 3d0 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 398 -NGENProcess 3d4 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 374 -NGENProcess 3d8 -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3d0 -NGENProcess 3dc -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3d0 -NGENProcess 3cc -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 3e0 -NGENProcess 3e4 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3dc -NGENProcess 3e8 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  PID:2608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3cc -NGENProcess 3ec -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 3e4 -NGENProcess 3f0 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3e4 -NGENProcess 374 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3c4 -NGENProcess 3f8 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3e0 -NGENProcess 374 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:2116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 3d0 -NGENProcess 404 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 27c -NGENProcess 26c -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 27c -NGENProcess 218 -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent c8 -NGENProcess 3e4 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent c8 -NGENProcess 3cc -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 258 -NGENProcess 3f8 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:2680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 404 -NGENProcess 3e0 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 3cc -NGENProcess 3e8 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 3f8 -NGENProcess 3f4 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:2580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 3e0 -NGENProcess 40c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent c8 -InterruptEvent 3e8 -NGENProcess 410 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:2036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 258 -NGENProcess 40c -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent c8 -NGENProcess 418 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent c8 -InterruptEvent 3f8 -NGENProcess 40c -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  PID:1512

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2348

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1700

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2468

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2112

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1540

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1912

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:984

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2504

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:1032

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1716

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.1MB

MD5
03c23f245a3143ca87be9b064dbd2f27

SHA1
75875b6d69a72d1ad1f9e9b12cf958514e69ce52

SHA256
cab68ca815ac09b7a7ff7c1353a4c6c0067f4220a12a71b93743642f7f997fbc

SHA512
2ca2ff8df0f39a9bdfcb2c450ba328214933c56014a9872021b68e152de09680100dd1849e6d53588ec1cfa88d51fd1daa16d4166da4a72024897833af69b881

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.2MB

MD5
664bee28c02910381c8140819f674ea5

SHA1
320b94b1d2c67037668c5c62961da74a82c15432

SHA256
3bffea1b63f3c528e93fe03f2c44a59e2c4e33bc1367f7a1e6559b9ff800137d

SHA512
aaf3776d56a6eb5d52f2cbfc0441c97f89d067a3f11a801cdc64f195b508abbfd96a4364cb00055762bb1508ffb0488ec582b9752c5b063c9b420734d16822c2

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1001KB

MD5
4486673de56f47172a4f8f1d4abcbb5c

SHA1
bebcb1ee8d24fbb0e568b43dbf23c2c0405e81fd

SHA256
9368ba050c3b3a7b4e6620311b8d36b2bda01af4580ea84752e2087460df643e

SHA512
e401fc8831eefbd79b58edd5cf333f87c319c06654036261a5500ee9f984172613d1489c5dde5db989e66c3df9d15066aa676f5e4da410a334f530e58750053d

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.9MB

MD5
b647c98e3c503364df1846bbc376012e

SHA1
47c20c9076fe7df3347ae9fe9fa5afa3d8383c9d

SHA256
50bbc9444aae8ec53c8bec4c8a281ddc56953dcf6d956ab112320805a4c3d546

SHA512
93a58472e542b6bfa72f23610da50e4819f8af1cd2ecbb7436f92fb5e7fd07e661b32d7424bca14aa7cce3a74a445a84e8bc8ff9858b711e5fcc4a7d89c6d459

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
100KB

MD5
6f3160229b8784e9bd8ce4f2f3dfc304

SHA1
efe5fbcfb3a3e36612ac3f5a5ab06e917981103e

SHA256
ca8bf730c5009cfbcfbd728f758473ff0f431504e3a83ae63fb9a61d9e612536

SHA512
a41301bb3bd5dc640016bc440c744b3cf6b5e69db52e125eda42479ae619d7667ba69d4aa1b3de2d114f7fe0a4fc616da79c09e03421f30a8bce19f1e0ff7712

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
119KB

MD5
9df32c760c9d7e60173499bfb6b15e8c

SHA1
562710e5fbba098c5700fcf1a27f24aa717012f5

SHA256
9e0bac9ebcdfe682ae93f5400fd6deef6f7119b582a7f9747cce6fa54e94a7f1

SHA512
a2f01fdd3918881a10b837f25fc021bc52b92e7a0e9aea7fa5ceec857f1ec9870f1263ef0bfa32d15e417becfb6de66340639a77441663baf576e3f088563238

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
36KB

MD5
8aade646ff63b2617cdbb5d7900cc44d

SHA1
183eb1911338ff7050bf5ef9198bdaf06b7b7836

SHA256
65bad37bd8aceb6ec8be51f8b0b1782d563a8db44ba18ab81840110e77b3f5aa

SHA512
3905f4c7e3e3e97651737d136a551914bb6d6b17fd64fe4cb007727f045300422f483d14d59bc71916c009572ea6b76fad9335662414a60f7ce73c90d2b14a88

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
170KB

MD5
4b7356351cf2795d2f309f522f0c59a0

SHA1
4408e1e11ca9a25b311d8c3abae83aff5e67851c

SHA256
d6766fd820d9391a6d3fc4d9792882a1d39d4501927e8f4a8f024667101db530

SHA512
097ac5e7152023e93eb6fb16aa714f130186b41edc4cefc45f0bb78cd7e29799c7f50b725cc43f9074e7bf6560b3aca4f4e607870307bf7215f484d27bf20e05

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
37b92c35cca7e430ced01cafc140282e

SHA1
42d35bf455d9368a339c5acb66916625cbfa41e3

SHA256
41dd8a731eb8a0a55e1a9e6563468f1264f1d9a5d945ded2eedf050eaba76cf3

SHA512
01d8025b8bd1a214ea3e83cb5344ca278360b203b2d3f142f9c98d381618c1f6f4db72593a555384258f35943142b6cfa063e7740ac10c5158d7d27c77e3d3d2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c1c716788b42310fe8045477c3ff4802

SHA1
629df3117faa4b6343528883da1c0f5a3c432fe6

SHA256
bf972cd019278926f4c96dabbd0dfe3ff623682185b1e1c5a305ac68ad96532d

SHA512
278f7b1aa7889a6d05341e08f776596b5811ebe09c2997605140975338f6725d957b2fce5a51d99e97aa8da00f3a1a0ddd15de1763c2df5795badceeea50ecfa

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6c8fd983507c3ff7878d2b6d5b4d15d2

SHA1
eeb1c6d8a18e65ba14451ac5b98daf39da174d83

SHA256
d7cd970a5e1d5666b5627be28bce5e6ea9d7360d47d0daba44d43bffd6511482

SHA512
98cbee8ac3c129b0cbea8e50f574facac488f1d24bb0878dc6ae8da5e0b89f2683412d178f7643c15ee4ba8b1a17e4cbd24c81f6c282594469e3638b0bbaaca0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
400KB

MD5
06319af4a697ce61ff6e00c55f51639b

SHA1
4c3164ab204bffbd3499f2b7a8f89164d76fa79c

SHA256
050e1123109f811d6e92389cd431d360f74ae2cb7d1d513422dcae385d7fefdb

SHA512
4aa9afc9162133e387d3b496e3a6c5b90fc7dc9732ce981ee3f261730134dad391abc915d3aa1d87b29727570d7821c45e156b316e9b07a0ced868ed5466e2c2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
129KB

MD5
7e3adbe589b498a4ee55849049e5e7ec

SHA1
cd77e97e4e3e75aeb5aba9eb040898d8fae10734

SHA256
6ebdadf7856d854f4775801d966a99ecff4b5d14e50e7e9ecb758c3f0ac3a3c1

SHA512
8f9c71283ef3cf8f66e53e94093e73258d8f8f9a255cf5dc66035a0a7424ca91e5d4520c9f9234866df89de2a2db01cad1648a5cd4e12c20faed6a2bbf9de62e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
276KB

MD5
acf70d8e3ec7c787669f0df966b039b4

SHA1
20249537c0749b3d968671b6d94354b27366829a

SHA256
dff1ce25cffc3403027988b7c163b1e37e7cca6244eff4bde22a728c6cf47c8c

SHA512
30486089db6e0d001f6fac5919989edbc537a251a9a31f9e9a2079f94f00a50f10f76495c455974aeaf4659de8c2b6930ee88c1ce18184aa397c02e691553d34

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
232KB

MD5
da3371395ce15631980352046c0f3b1c

SHA1
3b80c0fc6d76eb2074e0c22ae4f6eaffb895e327

SHA256
61a69dae7d709598e5b0d78d80e5b5e3f1931e31430464ce29f664450e4fb223

SHA512
131979957b2009a5f2c58085159fb8f72fdcf84b0a886e1ec4371640caae8b1bb0a79bbc604ffb54a775c66a15f4a53abaad39ef6a7b23231d3f20e8f9bc1d47

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
108KB

MD5
6c285a26ecc465df84d77de33d93489d

SHA1
ebfeace95ccb54ac5a255027f1f44dad37a84a3c

SHA256
68a1bcfb14e0a29845ab7ba8a6d3e80a4c66769308717efcb8f706a2d898e938

SHA512
5d775add9835ccf1bc9ed40fd9f7cd47f1b825ad3fdb3e09269242f599a9249db3ad772f1912ed5f8a8e4273cca985d513bd57642e7a3cb9b91b7af0c80fa5b3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
678KB

MD5
3766108ba702b6cc19d960a62c6f786c

SHA1
815aeba1d5086d1a17654506d5f8081216183561

SHA256
2f36f41d12cf0bfc31f18640880d0efcb0bc801f472cb7646994b71386d7e7eb

SHA512
bef04e723049dc02ad4eb80a13b114eb96de2b4ae5c0a85f6bbbf5a96be84e2aec09ebb7d9a817bd40c3e7090670e7191ff7eda0a1ad943823316fc5e3470eba

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
62KB

MD5
1b3049748a0ed51e9a3734ef832200fa

SHA1
23f430a0fb071f2a8f961eff9751b4cca805b919

SHA256
5bf36522876a0a211b4302a1b976d1449703a4f60cad3156c0ae3c3c881aa18d

SHA512
ee237f0afe7d8d343973bd138b08bbafbb7f52cca3c5b744067cb833794cd35312650aacec019fc0e4f726670d0b30db67e6a9a9b798fcf25b330ea49b4be2b9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
318KB

MD5
2f6fd0c3df797777553b7c5a0321e394

SHA1
95b47e1df045d6a375a82c84435c2f4d31ceb673

SHA256
8bd93d4a674558777dc785fc5823738e894bf68e57e00666353ff74471025690

SHA512
e4347c2398adda6c75de41334e3f92139ae71c2ee55424cdfa7cc9473f60d8d6b84874648b8c95771aea42e0019d8ffec0b2e624387198013b613cd97c00ff42

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
125KB

MD5
7b8e46843a6a019eae68e7552d0cbf45

SHA1
c577d34ff3aa879f280717bfe39a11b33b633d85

SHA256
72330493554520053e5198ec071578d2ad8a6dcc7466c7cee82cfcd3fe101a2d

SHA512
353e32598150feb3c58d99608ede3f0101a5e48fa069b666beca0fa7bcb52536ba407e8c29050eb16e071b0c4ece0931ec64830de228428ba5415806138c1231

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1KB

MD5
a120c4f6f553886f6be327b3f60c2d11

SHA1
f8ca8d5ba142b4520d6dc47974ea69a0a37ce654

SHA256
db8581f0a4c05b1d171dc42ce65a880d42f89f9975f6763dec732668b52a7064

SHA512
74db2f07632f2694e88313670c9a9550e595f6cfa7a45d4aa837b6255e7fdfa5d509c68426740c86c6a138bdfd17ba4c4f40a4e0973e36113bb5740fee2d2fd8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
217KB

MD5
6b5ae06d84f9f2543a4bee27256b01fa

SHA1
6bc64f57f90f824ffdf98adb3d05f0f579186d7c

SHA256
7b49e445547f8fdbb973d46d1d35b6d508750b9c6708f6e3f2b6f451098e2077

SHA512
da40e51eae07bc0af45d3c87e7cb790fcfbff818776d0af1cf4ad877de0df7a0fe53f70b89a4765822a89bd85a13b17431aabfbbea3946df9b7a09ac9d8cc0e8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
457KB

MD5
62d9b2039ca0fa0f35e1dab101e0755a

SHA1
f7d743044f61fca7f21c26e63165d16b8bce1db3

SHA256
7e86b3060edfad144a8933c17333c3eb98e2804e2c49265abb644e557bfdda33

SHA512
312b3fe4f58209e19d4606bb3f7177b85c729627e9b1a587ad8b60b317bc99a3bc76154a97e1468b6e3f84a392a5964f1ee0e430c46970dbafcce14b4307a785

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
209KB

MD5
bd771454191b5b33b78ff96814e97c6f

SHA1
80f77e5121c030293f1e2a0b08f83feede432796

SHA256
a2dabe03605bbe26b8f7833c0697ae02c4ee5df55eab70124b503e7e327196d6

SHA512
ff14c054acd8e999b76eb6359d70a751bb7efc2ccdcf2f3beb452e33e8bbef70e8b6fff4446292313a091cb5e9c7b57d3040f16f7886dd10f3d744ea9c2c6ec9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
166KB

MD5
4c1c17c27478df869710d0b5f020d7f3

SHA1
7bbf006afe9b1e18828d413ee5dc52b15239904c

SHA256
3c4f968d5c55f1a50354602676ddb2987a116138fb24ae415f3859ca8ef5490b

SHA512
8c0cbf3d48974b09dc060a044f083f96f0ede3367b81d770fde654b825b1d6376fd8e393a54875b18bd2b53e3b69a2ca30093a8560c67ad35784c82ce1b5abd9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
280KB

MD5
5e48cf5af6f42ca52f07bf6ec2dd6b68

SHA1
ce47bc1e089c3f93a564d1cce2421886fda22f83

SHA256
ec1cc1b58e055338f4e9c4eaf5c86a50ca30694ad1634961fe0e2c37bc2b848a

SHA512
ad96078e9e7511d1b30c431c3d3b61b1386ee1c649a4c880d5e80b67cd10a9d8ca223fcf9d54ce182aa7021a756a3932e914bcb3d987cd0a0f39a5aa3d684371

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
128KB

MD5
dab123aa9da04d9b3b67651d9d897602

SHA1
12571a01312ea5742c6283d53c6b1f922d3abd21

SHA256
45722333b074bc6eb0aaea174877f65ef891f8e73ca6286db033d72ec3bd8d5c

SHA512
55ea025bbb34b691ae89dc6e667972392c5f71340a18b14e9fb4206b4ab8631f43f28c82586e16bed67d23a34af20948d835811d349d4dc3a57afe8feb4d6253

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
89KB

MD5
2e8fb1724e4bc87be2babcfdb95cdc68

SHA1
ef596e6e5bf7cb8ed33f3bea3b417e1ab3b8b1d4

SHA256
1d4105a60aedb5e440714d23c8252b8501a4c7613a5147a3c180c40ebccec805

SHA512
37602e3c364cace81343106330748da7fd2eee8d62e2eaf1a78bb9da169769e9e9c1e78d3abd71f9d3b7acb65c70dd95c61f4ab52d66cb45b7f07d8dbdaaa436

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
480KB

MD5
f59ff4d996606cc74caf086b7227b490

SHA1
85b28cd1555c1b09e9bbc92417d68b321f7aa243

SHA256
8eac17758c153113e0c98debf13c30670dd21062babb58e2a051f95d784cd2e4

SHA512
8ecd5130b3280e84b8012ccf93ea2689ab0104cede660c4931e667867ed065179d4da268d6a3f8093168f51e073e955a1c34007d94f1af99b5333c1b017c9c9d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
174KB

MD5
954f467f0a8d0de9fdead8542fb11ee4

SHA1
b377c14dc85f3311e6e7ea42930a52b60761dbea

SHA256
62cf8769b1103c04225bd5ce6650f05f257815b7d69f49e680bb844d7b5bd492

SHA512
01d877c6b55212ba68e9b05c43539251c5dbf0a5c96300296c1fc2fafe489dd3e52036527bb6a73d357daf0d6533d61a08184eaa2cfad01075e3e92c12f26e17

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
125KB

MD5
cd88579ee7cb9ff292841693b4b6979d

SHA1
d714ca3f9fa879156d8ac054b5f31e15edfd1059

SHA256
493c497bd32d3557474b568bddcb6a5c3bf90a4f21aa8f11347b3969f9a4138d

SHA512
5f5a5d7999df5387829fbbb085162b010d17bc341b3995ac4ad96be03e5c2ff8deaac388c33eae0661ae4c77acfd73267ef7cfead51eab8a29c04d75d4200de7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
234KB

MD5
1a62a678f6006f63b55a8789bc20b31b

SHA1
754dd9c844df72282e01ba10bcece0cbf9bc3a4e

SHA256
3fb98169b208cb27f89d14311b9e8cbc678367f5c5fc8864d36ee6ae49a003c6

SHA512
5e606cd4e74932d63f32bad2eca4d2c874987b2c6849118a3cfd02c72b14f05eecd8f65174374782f50eb0e3c09967c3875b2f386fabe9b0759f8d173c60aa7c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
176KB

MD5
44ab1fd55e040336f5da63ceaf67a04e

SHA1
0a534310cf4bea5b07c200ee405b763e4676ac9f

SHA256
ffade4917bff7df1cb425e41c9fb02f741e466043f2bc51be0172805d5cbc9fd

SHA512
77e967a0342ba1bf9861a5ea3f784ae1567b59b28c4fcf2ed88921850d62ac3006f6d510d51d8ee3069b5b82ff6c267951b82fbfe7a5b894ccae719c349d8158

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
94KB

MD5
cf6251b4ee4f02ec0b0fb38df05ba611

SHA1
01c1557d1ef1059290d6b61ab4c6ec9a0b3c7682

SHA256
9d495a5c76f9a77f5900a576284127884230e5230183f0c6c45fdbf92f43c5c2

SHA512
c6e1e6b0046a62e9614bfccc7445548426f2b43388248519500732096ee083d2ddd514a13dda6dbcc297062005aae378990c54a20a648f56761818435cf7d831

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
30KB

MD5
1b530ff3b11991fa24c95fcb91602949

SHA1
84b830a34be1d832ad2a7f2d99f82d17b7dfe64c

SHA256
a9bf78bd38242b33b183094b47e3af904a1b87d897122c2b7eba7ca6f636e256

SHA512
419cf94656e8dc9820227f3dd0f4284bcb1315b8c20b41bd139b0328658842ab067405ca9b977798b970ed506a31608b0147519c35efc337f7ed1ebed6953aae

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
13KB

MD5
f3df5b1b05fd7dcf39cb8a3eccf43d26

SHA1
7fcbc4c6d15fc1fa37c56b272da475210f567df5

SHA256
5139f2f59d4c62f0f26c28e95700da1553c376696307e3d66ae78ab8e168daf5

SHA512
65635e774e53a988a625ff450169854bbae4f962b3e66aa7e8c3bf76d0ae033b4db548c5496f6085098d9efd3c9019e0d9f3664d1e9c116f7d20a051472853d5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
141KB

MD5
7053f1cf1fd2a855d792867f0da07117

SHA1
3876f623293bdc83c0efb49c5606a29c52a0bde9

SHA256
329f23106e0102131eee7b71f30369b98e8a5685c391b95d247d03715a70670a

SHA512
b63bf222f465812d5c9ba3d776089e7dfc98f26667fab6d30eb8dad6c5dcc9c1d21e0f350dfb1a98d72f25cc01cf11d26197c61fe98c52691681cd9ffda890ac

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
279KB

MD5
dbf9929143d12cdce09e73b21921ec6d

SHA1
5ad2e040b1ec0438d7d61a2fc7f0f3ec45f0b084

SHA256
2c884fa1b8a1607f902bde178bf34457e1b846c88aea54a5b3b284e2a55eeff2

SHA512
9ca42b78c358ceaa48bdfec45383ce7222df7c4afcbc8183e1bf563c03d5b2e0c7063bf5f8ffe2798edbd453afd5374ce19ea1c576c0e97a6c7e9f059c27980d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
93KB

MD5
a35d2f33fc87a004cd8b59083f356ac2

SHA1
1d8dab8b4473d5bbed7f6ad42412e6d113a622e2

SHA256
cf0a9e92ea36cf7f495dcbb3a3c718b82cbacd6b2ffdf6625e2cbeacac25c960

SHA512
819d934205cbff080e8afccdba6fecb91909d413ab63acefba6b590a15fb2546c66b23beb67fc49b21fcbaf3aa60fb4ff376f2ce0bcb807de9204d876a5262ad

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
181KB

MD5
d257e623567ca964d878c0c4b8caaf30

SHA1
5a168bb7b6c5fcc38fe52f9bcb61729bfd3b9781

SHA256
23dec14901b4e376fc2aa6cd2d13dc6eb7553859c205f1e29d3210837441c13a

SHA512
3a20e83aa00d83416d95dc82ba9b4285a4257d0ae02a697f7dbd5505711fe48c99a810e3e3b430396b7576acc0c3ceab632e4b61190b70f1494c0db2277d0a06

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
37KB

MD5
e54cc1494e46ad121f1e44ba9757e470

SHA1
07c9ef8e5ee951ebbaf9bd6164054c78387e440a

SHA256
60fadf1a6e61f8fb6d66ed0a426fa835a5a0a24511a2f443f8b111259fa64379

SHA512
80187cd07ea8db36b18abbacd80cb293485b54ab267f54c714b9147faa2e75deca3c8680a42365eab88706160f3e796f6854863e5ebefed5d154953399686d41

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
19KB

MD5
139e322a11ef4c854515127190867a45

SHA1
48acdfa892b166d5a48d0c7033b6c20e743097d4

SHA256
4a021f57e88f271e69227f6a464885b66ed9cad4c50fe88e8ff406747e81ad78

SHA512
02b068edc55297d88ba04cf21cd41dba10e409faa0549a77da0e0080cf7c3e9a7ef66b37fa5ed40d8eb7900493433b8273ccec8038e3e94bd2032bbe0fd57e08

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
310KB

MD5
e49a55630c6e9e4da7029bcaa46214c5

SHA1
a0e808e8d667c547902ebbb11a5292b53d5c2715

SHA256
b12c77ec9d8b23e879d22d56f3922378306e6e5dff45d5b703ae5facac1ff8ed

SHA512
25f56ccf8a371cf5e69f067088bb04a30021a952de22be0a224d78ed9d275c8e689f33855906a48f0f7e1857220eed87492263c2b3610d6b679f237384a9f2e3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
185KB

MD5
0f9e1d1416ac60b59e594911cdce4890

SHA1
767f09d52c3ea5f980d46e01612e576229784126

SHA256
7ce6090e33fb0e327ed533d298842309a31441c4b77a304f6014bd82d6292712

SHA512
41d5255ca2536910b57a235447ead245fbb7b8f89475a6f107542dd5d5b6ee12c3c9a16b99f25308ab162f66fb363faca64a95cd5d87301d5aec6b3f928a65d8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
196KB

MD5
2463cf02eafe37a4cee39d3045cf57e0

SHA1
49fc9eac0df219d53c372e1fcefc2371845f75fa

SHA256
1ce9b5cc8452db4213072d7cc0f73dc655cf6a5d1a8cdd4ddefaab5313961110

SHA512
4bdfce4f13dc35f445ad6cb366b21e2853b069d073fa37985b9bfab80eb9b44adeeea9317b10f7eca116c7c20a5ee74c221273bd2106d87615f9c33a13be7ce3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
277KB

MD5
f3f3c13cc5dcc7fe6275d01086cc90d3

SHA1
e8a603de43c662946f8902176156b01b22eadfe1

SHA256
db9ae9cf89e56cf89d452bf7c768641b0d448547133986a34d77e4a3e48ac7d9

SHA512
ead063bf3dfd1d40935f7185fb7b8e71824b3dd2b8767587a23308ff06967a487b6fb8da95cff6b17947b76bb63ecd806a6e5aa88a24752f00fcefe7bdf3965a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
116KB

MD5
465ebe4493538c9bfd25624332cbd2dc

SHA1
3fd3b3530a8124c74f06e96553d7e575ab18649b

SHA256
a12d9cc862ef56647abd380bdf3aec5cc1348b0e2401517c2a832376dbdd14b3

SHA512
de02da1b20c10dbdf9d7f22cc95a921770f1f9b52f451f87a6f46ac1f4b24a5dd617a98b6a64914a83ae649429d4135587233acc43f0e0665e4a2bf3645ed09b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
235KB

MD5
01247a8dbc7b90b9baffd20d048eaac6

SHA1
525df0605fffe69db23de1ef21c08d714e846556

SHA256
73f5401fc9f38dafd6038aaadb6a2e4cd155f128db1de34f7f8c2b377b1acc54

SHA512
b921d5aaef86ae8e7ac28d18b066cd72ac0036b0799e15ab36fc00e4208303926f7434a35fda7bf970a00deedffa28d4fb509d8d47061e29db0a356993a8bc78

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
132KB

MD5
1af8b5316d5919b7f036110a344b905a

SHA1
bc4399d0942c02d556b1fbd5100cc839ea467541

SHA256
782c47df2a4d4ee107de901f1ad36837a676d8a13bcca90da9fa55ba7fbcada2

SHA512
544f324621ba5ad1b519f6894a3aa0041209d2d5212cf85726c5b89cf3b824d3db30ef10552765c3a802bc6b16e155dfb0e11db7e96e7f6e70833e99f1cbe709

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
7b0b79476c79e5afa8551d2f9c594893

SHA1
50f7e33634a532a6a43e484f55e49d0e2e225f41

SHA256
86405d0c654465736100c7040988e2d49a272eae4647550547c298ba358f2502

SHA512
e3c1d7ff68c7fdebdf1ffddb9bf729e2c6aef93e4380527e590840293f962933eb4962f00b7c2e2f8ef1c43ab3232743fedcaf8fd916f8bc8d201bbe42b4538a

Download Submit
C:\Windows\System32\alg.exe

Filesize
905KB

MD5
dff4c33e56c5166333e99a07a5bbcc69

SHA1
b2527add61752f55b8f1519967f9c32f0ff02781

SHA256
30f471f69f6fba92056d1fcf669ffbf9bfe22f377f41cded44c7494eba80512e

SHA512
23812cebc7d9b21832cff8faf8b28c36585557227c6186c9b6fc38a86fbee9e6e937eda09aadc96f7607a2ad92bf1109e8f55b1d956a9fdd5279eb131062cf3e

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
231KB

MD5
d84fedeefe5373f4a0c8a0a88febaf7d

SHA1
29b1cb2d5abeceb2979cab510e989e97b4f32b1e

SHA256
b60dc99246e149495982bd603735b4896f26d6a911ef55f713093406893ee1b9

SHA512
c718fb14f9f5152acfdb80cca91caa0a2510aaf2d3a5abab8d6150080ea28396d85a1c048a784c399107e3dcac6de09bd554624371703c1ae71ae156af3430f2

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
567KB

MD5
6c04572e168f7e7255932197d8ee0a2b

SHA1
0bc6654d123d2a85868836bfb1971867a098a497

SHA256
9cce6317d1e14e4d6eef6b64bc19baf9552168f7a0f1ee2788065e0241c73191

SHA512
847463adc51df2421cfe65d378d9ce4dae197c83fe362e5cd594bafb816cfe74cff8cba7e13a4155ad0aeb7ec62328b96d46161eb7e356275db3fb895f3b655b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
166KB

MD5
4b6cc13e51e969b098ebd57054481d4c

SHA1
3d4a33b5cdc01138d0e98b501f950c9b53ca3fc6

SHA256
42a9a80e5b4cc994618ff9b90a8a5c0d09cf728e11c41e245495f1b419181cd9

SHA512
a1943e8af59dcb059b629aabf5dceb6f4cc420eed3377b848fae8a15ea87072770e5b26f7af181f6a920d8080b952eed12b1cc603dcb4e9db6ee5ed58488aa9f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\184c5e9d8daab7686f6fc8eaef0ac19f\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
9aa6a3f5ceca4bfadedd394abf6551a6

SHA1
d72f3d59f291485c88f51ba26133f0884a8635f5

SHA256
a117cfdcdbc5f485435cfc5ec99c04e258d0cbb2dfcde3378a716c364ea1ffef

SHA512
1263ad8dec5ae467189bf158f8868d5ca2ed1531f52eba5891239f4e689623de02f4de96a1aab6de83c4742ee3ae734c5aaa73b6c1a794c06ae256a113c8c54d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\19e25da52dad67de5a5ef024d3577fcd\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
f321a89b68b6efaea83464956fbb8638

SHA1
44f852a1fedbb8574da9700dea70d1b8a24adbb9

SHA256
83fe98a815798334bf0ab9f28203ffe68af15fb7edd4f82314e317e320494a0b

SHA512
791e4ed12ec701a817fbc5ee017494c5e9b7bdd39e2bee84febe47ce62ed3d4391acc34f4dad1b2abde86247dc151763328362adfeff9ad2f17a7fa62f0a035c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\98c392523f0d12aab64b7a25da464d9f\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
0eb69364869fbc3917cf4aff6affcd98

SHA1
6ef1fba78f261fe7aa92836c6a7eb2e48f19d351

SHA256
c30fede5c17d681bdba5e47239bb28385eafb2d76aa1ecc5cfca922bcdb892d8

SHA512
abf44a6f6c815968281736a4f9cbc390b7f2e40592321d8c0e77ccee0ad80612afa1f2b8ceaaad082aa898dbd17caf6d3d6de295b71a2ce642a4e21d38cb686d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f9c90307cca39537beebd8e2571ab2b3\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
8164240c78aff7cd029bc5b18486e4e9

SHA1
0dab528517b20f9b152506a795ebcb4b5a21fc46

SHA256
edd476461cbe32511905356f28ac0d3061efde237555ca70359c69300f1711dc

SHA512
622eea89149fab1f85d7d9622d1aab701a35ca59c0fb1f01b880a6e17eafe127ee836081cf5a5dc40a0840d9f4ffd3083dd2794c88a9d090033828fda547a854

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
9ca856155a5273d57b145f6cb6f94a6a

SHA1
9920e9fbec9d4d3134d56c43e35f6c60d87792d7

SHA256
4df10723f07e0aed461b863a866dcdb9c4ee776c84506c049f8efa505c7f188a

SHA512
a7c6397a955e7928222c664e01b5e39ed7e176b40499fce90198aa2a5b28ad69ae972ffa57f4136b0c4f01217a163f87653206f25088f95ffa4682b4e50a0d88

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
193KB

MD5
4c6fd403138ab3341503568f5ec086cc

SHA1
7fdd411bc881d9ccca81a207bee52614ec2211b2

SHA256
24e41628ae01b8954b193100e419372740bd92849c85177d9cce7508448b74ed

SHA512
86e45daff97f8b8a87a11914e14c614424e3fdfe2f16728992a1a66ab916fb2b0776c7d2cdc0852fa280c363b8c4e2e74ede97cb02dfba1e66fd37ca0df95815

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
161KB

MD5
d00e943bbc663840b3418e310f2d3c47

SHA1
bc2192b0845d07b4a5073abaf329320c8cc21f83

SHA256
d39340eabe94beb3d681d4f235e6ad2eebad25d26a7217acc05234a7cfb703ee

SHA512
961f25be41fdd41b0a861cfbd360dd0998aab05af1d1c94acd75ab889179da50458e2d005a027c2a6f7c3fe75fd3e6b3dbc2bd744d881c1666ae177ecc5d6785

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
72e301cfb8160fbec0cfa51bfcd12da4

SHA1
f8179e07dba91e1b945d472f46ec0cf571b84cc1

SHA256
76c6783addde9184ff0f6f2adb241ed6bf6dc7e8a5536807fa54f04cf448b8b3

SHA512
9b70556d22bba30ccfd8ca818c5731b73de851f23f04e749e27414afab8c4907cc100675e3451f29b3d97864f1e376f78abce45e6ef0f4754d1dc9f0a9154533

Download Submit
C:\Windows\system32\IEEtwCollector.exe

Filesize
1.4MB

MD5
6ff8502c3d496940522941207e905d78

SHA1
c17416931f317d99cd5a6d0dbe0a110aadce341a

SHA256
aa308a13beba1e6bffbd9aa72224537e3bd946e0808c8bfa8ae9c7ca9e3357f6

SHA512
fa21acd9e5f4edc634753b83f0149761e6ac77618cf4a136ed0eb590f31d0112884676c858ae3b6c6d3794015d5e8fb6f497b3d3658bd1c74cc93a9d90798c04

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
101KB

MD5
d81155df4c35a296770626c143c448de

SHA1
01817b2c988fd9f3e7db8f7bd775231aff32f301

SHA256
2390574b2481a153b518487f366158eda4c36df870ef1c55d3a07536349eef05

SHA512
ea39550435d6db52e7ed03caed0413468fa8f75d89ff47a4a5b4e9f00b1551fe1b610775a6bf34191012565922bc3fcd19934069d04fd140e289b09a6242b81f

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
187KB

MD5
66e87aeefd53c33e44b290a7de68c1a2

SHA1
89d06ea3c81cd935519a55d6f8c960d5ddff9fb1

SHA256
f62a2a57f365c33d4cca544201bbb15860d57f5ea98f099b33913a287cc7f1dc

SHA512
eb385374e174691f9f4b106fb6c2367e41c20816767a5bf5df833e6758c867bc34622662c2d5cdac1c78dc5c38ee89ea076b6d6ab4a941cc6264ebc1dc49d3d5

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1022KB

MD5
63334fa39c41aceab8d52ec3a382ac9b

SHA1
9fb170c6acff9350e7037d216d0618919a76229d

SHA256
2ce6bfd59507d4c955db510486d854ee179926ba9e7a70690c0c66ba68f1a0ce

SHA512
b15ff5b576f3b550d70597e98c9cfc39e94fb4fe41905f9db1151307751290b20c68ba8f6bf90e22decf2244adab4aa33948efdc42ba0758af9e56a6533e9648

Download Submit
\Windows\System32\alg.exe

Filesize
750KB

MD5
db884800eef5c3925ef64f417a503194

SHA1
47aece888037e3986b2e38a05db6bbb8b7a0d4e6

SHA256
e3a9959499fb5187ab51bccff6673097399adc6aeb002f3cebf40bdab64266fb

SHA512
98eb678a32bad545397f3131f7d8a1d82e5a57f8ebfe6ac7587dba2c0c47454c915cc8e3b44b8bf349741684743cd5be14ccf390c1e96388ecf91ef66c4ee129

Download Submit
\Windows\System32\dllhost.exe

Filesize
307KB

MD5
c43f3b1da988707759d0b9daf64542a1

SHA1
c271c1f5d820a76949071c5764a82c4de8935c19

SHA256
3c3f9fe0f2aec6827d8e441fbe41357a152a370b18e18ca99e0d0ad6df4ec2d2

SHA512
b38bbcad5246de1ad0f44d9d789c3d85082c67229cdd2f086ce0ee35810fb5a8b2d96f5dca9b07c99e714ed187d645fa5bd91793cfa30f87fcdd48767b71ebac

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
392KB

MD5
80049fa2059136ffe363833aec0b8a90

SHA1
89fa35143a32b32bdbe22a45226f0275d19cccc3

SHA256
1f8b756aa96ff8e6a8de0aed6aef6e82d1027905d3e1a7ee00cb24850d2c2e43

SHA512
db4c6aca31e00d84ec528aa566668ae891edf3583c2663e82404f82541798fc5a9c7c873a0a3392c7cc78fecd7c929ce865725eac49a9d108525ed4d0ba3f87e

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
255KB

MD5
aa1cf7c322e7859de005bdc43d71a44d

SHA1
786e8e8f82963c05be885a2faf946b0913fd6452

SHA256
6a9aa0cdeadb7724a25b9194492f6ce54643d4fb2f3eaa4f32f8fff7932b56f6

SHA512
1e486123d26343aca157acdaa744ccd113fefda97737681220bbf6145ed5828d0a8f69e8041455e9da3d9e9c3cd8b80e3619e387b0ba26711ba68307c54d08a9

Download Submit
\Windows\ehome\ehsched.exe

Filesize
136KB

MD5
1b9b579c90fe6c9af57743e3787aa5f3

SHA1
bec4613fa85d9b7c6a1bfcfccecf2523e0ec3871

SHA256
8af5a0da9bbc5b0990c594d9387df567f37d34305ae954b4201658ea60205385

SHA512
c8c2328de8e308b45442b9d0ac395a5eb014d38b778843ccad6b4a9bccd84347c6d1eac3f8284dcb7b25790a5e7b4c9f3b215898a5b124803530890d9e2997b4

Download Submit
memory/108-136-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/108-114-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/368-201-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/368-134-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/368-127-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/368-128-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/804-176-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/804-95-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/984-228-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/984-229-0x0000000000630000-0x0000000000697000-memory.dmp

Filesize
412KB

Download
memory/984-364-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1020-2-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1020-7-0x0000000000920000-0x0000000000987000-memory.dmp

Filesize
412KB

Download
memory/1020-142-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1020-0-0x0000000000920000-0x0000000000987000-memory.dmp

Filesize
412KB

Download
memory/1020-312-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1032-328-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/1032-450-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/1032-317-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/1048-236-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/1048-347-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/1048-350-0x000007FEF44E0000-0x000007FEF4E7D000-memory.dmp

Filesize
9.6MB

Download
memory/1048-343-0x000007FEF44E0000-0x000007FEF4E7D000-memory.dmp

Filesize
9.6MB

Download
memory/1048-426-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/1048-214-0x000007FEF44E0000-0x000007FEF4E7D000-memory.dmp

Filesize
9.6MB

Download
memory/1048-212-0x000007FEF44E0000-0x000007FEF4E7D000-memory.dmp

Filesize
9.6MB

Download
memory/1048-213-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/1048-434-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/1236-160-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/1236-17-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/1236-16-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1236-38-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1504-454-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1504-484-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1504-498-0x0000000072B00000-0x00000000731EE000-memory.dmp

Filesize
6.9MB

Download
memory/1504-436-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1504-468-0x0000000072B00000-0x00000000731EE000-memory.dmp

Filesize
6.9MB

Download
memory/1540-191-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1540-190-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1540-198-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1540-326-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1700-169-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1700-232-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1700-173-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1700-162-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1700-168-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1700-172-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1700-179-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1716-476-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download
memory/1716-344-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1716-335-0x000000002E000000-0x000000002E196000-memory.dmp

Filesize
1.6MB

Download
memory/1740-519-0x0000000000B40000-0x0000000000BA7000-memory.dmp

Filesize
412KB

Download
memory/1740-512-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1912-215-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/1912-216-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/2056-372-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2056-353-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2056-490-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2056-374-0x0000000073FC8000-0x0000000073FDD000-memory.dmp

Filesize
84KB

Download
memory/2056-367-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2112-177-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2112-185-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2112-319-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2112-181-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2456-502-0x0000000072B00000-0x00000000731EE000-memory.dmp

Filesize
6.9MB

Download
memory/2456-478-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2456-483-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/2504-314-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/2504-235-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/2920-221-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-150-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2920-145-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-143-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3036-124-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/3036-104-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/3036-99-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/3036-98-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download