0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28-01-2024 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
Size

1.8MB
MD5

bfb557231198ddfd1a8dc8d246b0db8b
SHA1

98535a5829bd6e1a314bdc0812f7f33c352bba40
SHA256

0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db
SHA512

759c537f734e51ebbaf1af84c17a033bd0a6366b6721f97b3e549bb31a5ed7483fadeaf27ccbbf228fff0d103fd44bb018a5d67af1b35f8f619d600f16d4b0b5
SSDEEP

49152:wKJ0WR7AFPyyiSruXKpk3WFDL9zxnSF/i3da1YS6ozB:wKlBAFPydSS6W6X9lnO/iyB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
480	Process not Found
1504	alg.exe
2504	aspnet_state.exe
2312	mscorsvw.exe
2196	mscorsvw.exe
2776	mscorsvw.exe
1608	mscorsvw.exe
1440	ehRecvr.exe
2260	ehsched.exe
1088	elevation_service.exe
616	IEEtwCollector.exe
2880	GROOVE.EXE
1196	maintenanceservice.exe
2656	msdtc.exe
2308	msiexec.exe
2716	OSE.EXE
2480	OSPPSVC.EXE
1408	perfhost.exe
2944	locator.exe
2988	snmptrap.exe
336	dllhost.exe
1588	mscorsvw.exe
2828	mscorsvw.exe
488	mscorsvw.exe
2796	mscorsvw.exe
1280	mscorsvw.exe
2888	mscorsvw.exe
2844	mscorsvw.exe
2404	mscorsvw.exe
2224	mscorsvw.exe
1580	mscorsvw.exe
2164	mscorsvw.exe
2020	mscorsvw.exe
1528	mscorsvw.exe
1660	mscorsvw.exe
1316	mscorsvw.exe
2312	mscorsvw.exe
920	mscorsvw.exe
940	mscorsvw.exe
2712	mscorsvw.exe
1556	mscorsvw.exe
1528	mscorsvw.exe
784	mscorsvw.exe
1876	mscorsvw.exe
1668	mscorsvw.exe
1832	mscorsvw.exe
2176	mscorsvw.exe
3000	mscorsvw.exe
2760	mscorsvw.exe
2636	mscorsvw.exe
2712	mscorsvw.exe
2888	mscorsvw.exe
1404	mscorsvw.exe
2116	mscorsvw.exe
2220	mscorsvw.exe
2696	mscorsvw.exe
2176	mscorsvw.exe
2684	mscorsvw.exe
2936	mscorsvw.exe
3044	mscorsvw.exe
2552	mscorsvw.exe
1720	mscorsvw.exe
1112	mscorsvw.exe
2152	mscorsvw.exe

Loads dropped DLL 64 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2308	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
2712	mscorsvw.exe
2712	mscorsvw.exe
1404	mscorsvw.exe
1404	mscorsvw.exe
2220	mscorsvw.exe
2220	mscorsvw.exe
2176	mscorsvw.exe
2176	mscorsvw.exe
2936	mscorsvw.exe
2936	mscorsvw.exe
2552	mscorsvw.exe
2552	mscorsvw.exe
1112	mscorsvw.exe
1112	mscorsvw.exe
1316	mscorsvw.exe
1316	mscorsvw.exe
2676	mscorsvw.exe
2676	mscorsvw.exe
980	mscorsvw.exe
980	mscorsvw.exe
784	mscorsvw.exe
784	mscorsvw.exe
812	mscorsvw.exe
812	mscorsvw.exe
2636	mscorsvw.exe
2636	mscorsvw.exe
1028	mscorsvw.exe
1028	mscorsvw.exe
2228	mscorsvw.exe
2228	mscorsvw.exe
1280	mscorsvw.exe
1280	mscorsvw.exe
1740	mscorsvw.exe
1740	mscorsvw.exe
2332	mscorsvw.exe
2332	mscorsvw.exe
2820	mscorsvw.exe
2820	mscorsvw.exe
2088	mscorsvw.exe
2088	mscorsvw.exe
892	mscorsvw.exe
892	mscorsvw.exe
1016	mscorsvw.exe
1016	mscorsvw.exe
892	mscorsvw.exe
892	mscorsvw.exe
2228	mscorsvw.exe
2228	mscorsvw.exe
2384	mscorsvw.exe
2384	mscorsvw.exe
332	mscorsvw.exe
332	mscorsvw.exe
480	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\9a5b988756fe8faa.bin	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
File opened for modification	C:\Windows\System32\vds.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\vds.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
File opened for modification	C:\Windows\system32\locator.exe	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7FC.tmp\goopdateres_fil.dll	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7FC.tmp\psmachine.dll	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7FC.tmp\goopdateres_ml.dll	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7FC.tmp\goopdateres_sr.dll	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7FC.tmp\GoogleCrashHandler.exe	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM7FC.tmp\GoogleUpdateSetup.exe	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7FC.tmp\goopdateres_it.dll	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7FC.tmp\goopdateres_cs.dll	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7FC.tmp\goopdateres_zh-CN.dll	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7FC.tmp\goopdateres_ms.dll	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9888.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7FCA.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B4E.tmp\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8AF1.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1344	ehRec.exe
1088	elevation_service.exe
1088	elevation_service.exe
1088	elevation_service.exe
1088	elevation_service.exe
1088	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2028	0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: 33	1824	EhTray.exe
Token: SeIncBasePriorityPrivilege	1824	EhTray.exe
Token: SeDebugPrivilege	1344	ehRec.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeRestorePrivilege	2308	msiexec.exe
Token: SeTakeOwnershipPrivilege	2308	msiexec.exe
Token: SeSecurityPrivilege	2308	msiexec.exe
Token: 33	1824	EhTray.exe
Token: SeIncBasePriorityPrivilege	1824	EhTray.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeDebugPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeDebugPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	2776	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe
Token: SeShutdownPrivilege	1608	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1824	EhTray.exe
1824	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1824	EhTray.exe
1824	EhTray.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1080	SearchProtocolHost.exe
1080	SearchProtocolHost.exe
1080	SearchProtocolHost.exe
1080	SearchProtocolHost.exe
1080	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe
2948	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 1588	2776	mscorsvw.exe	40
PID 2776 wrote to memory of 1588	2776	mscorsvw.exe	40
PID 2776 wrote to memory of 1588	2776	mscorsvw.exe	40
PID 2776 wrote to memory of 1588	2776	mscorsvw.exe	40
PID 2776 wrote to memory of 2828	2776	mscorsvw.exe	41
PID 2776 wrote to memory of 2828	2776	mscorsvw.exe	41
PID 2776 wrote to memory of 2828	2776	mscorsvw.exe	41
PID 2776 wrote to memory of 2828	2776	mscorsvw.exe	41
PID 2776 wrote to memory of 488	2776	mscorsvw.exe	43
PID 2776 wrote to memory of 488	2776	mscorsvw.exe	43
PID 2776 wrote to memory of 488	2776	mscorsvw.exe	43
PID 2776 wrote to memory of 488	2776	mscorsvw.exe	43
PID 2776 wrote to memory of 2796	2776	mscorsvw.exe	46
PID 2776 wrote to memory of 2796	2776	mscorsvw.exe	46
PID 2776 wrote to memory of 2796	2776	mscorsvw.exe	46
PID 2776 wrote to memory of 2796	2776	mscorsvw.exe	46
PID 2776 wrote to memory of 1280	2776	mscorsvw.exe	47
PID 2776 wrote to memory of 1280	2776	mscorsvw.exe	47
PID 2776 wrote to memory of 1280	2776	mscorsvw.exe	47
PID 2776 wrote to memory of 1280	2776	mscorsvw.exe	47
PID 2776 wrote to memory of 2888	2776	mscorsvw.exe	48
PID 2776 wrote to memory of 2888	2776	mscorsvw.exe	48
PID 2776 wrote to memory of 2888	2776	mscorsvw.exe	48
PID 2776 wrote to memory of 2888	2776	mscorsvw.exe	48
PID 2776 wrote to memory of 2844	2776	mscorsvw.exe	51
PID 2776 wrote to memory of 2844	2776	mscorsvw.exe	51
PID 2776 wrote to memory of 2844	2776	mscorsvw.exe	51
PID 2776 wrote to memory of 2844	2776	mscorsvw.exe	51
PID 2776 wrote to memory of 2404	2776	mscorsvw.exe	52
PID 2776 wrote to memory of 2404	2776	mscorsvw.exe	52
PID 2776 wrote to memory of 2404	2776	mscorsvw.exe	52
PID 2776 wrote to memory of 2404	2776	mscorsvw.exe	52
PID 2776 wrote to memory of 2224	2776	mscorsvw.exe	54
PID 2776 wrote to memory of 2224	2776	mscorsvw.exe	54
PID 2776 wrote to memory of 2224	2776	mscorsvw.exe	54
PID 2776 wrote to memory of 2224	2776	mscorsvw.exe	54
PID 2776 wrote to memory of 1580	2776	mscorsvw.exe	56
PID 2776 wrote to memory of 1580	2776	mscorsvw.exe	56
PID 2776 wrote to memory of 1580	2776	mscorsvw.exe	56
PID 2776 wrote to memory of 1580	2776	mscorsvw.exe	56
PID 2776 wrote to memory of 2164	2776	mscorsvw.exe	58
PID 2776 wrote to memory of 2164	2776	mscorsvw.exe	58
PID 2776 wrote to memory of 2164	2776	mscorsvw.exe	58
PID 2776 wrote to memory of 2164	2776	mscorsvw.exe	58
PID 2776 wrote to memory of 2020	2776	mscorsvw.exe	59
PID 2776 wrote to memory of 2020	2776	mscorsvw.exe	59
PID 2776 wrote to memory of 2020	2776	mscorsvw.exe	59
PID 2776 wrote to memory of 2020	2776	mscorsvw.exe	59
PID 2776 wrote to memory of 1528	2776	mscorsvw.exe	70
PID 2776 wrote to memory of 1528	2776	mscorsvw.exe	70
PID 2776 wrote to memory of 1528	2776	mscorsvw.exe	70
PID 2776 wrote to memory of 1528	2776	mscorsvw.exe	70
PID 2776 wrote to memory of 1660	2776	mscorsvw.exe	61
PID 2776 wrote to memory of 1660	2776	mscorsvw.exe	61
PID 2776 wrote to memory of 1660	2776	mscorsvw.exe	61
PID 2776 wrote to memory of 1660	2776	mscorsvw.exe	61
PID 2776 wrote to memory of 1316	2776	mscorsvw.exe	63
PID 2776 wrote to memory of 1316	2776	mscorsvw.exe	63
PID 2776 wrote to memory of 1316	2776	mscorsvw.exe	63
PID 2776 wrote to memory of 1316	2776	mscorsvw.exe	63
PID 2776 wrote to memory of 2312	2776	mscorsvw.exe	65
PID 2776 wrote to memory of 2312	2776	mscorsvw.exe	65
PID 2776 wrote to memory of 2312	2776	mscorsvw.exe	65
PID 2776 wrote to memory of 2312	2776	mscorsvw.exe	65

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe
"C:\Users\Admin\AppData\Local\Temp\0fc4d5d63e5005bcaa7e123e248694bb23a839aa9451c6db2c4b094e83fbb2db.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1504

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
PID:2312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 244 -NGENProcess 23c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 254 -NGENProcess 244 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1f0 -NGENProcess 2bc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 234 -NGENProcess 1e4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 1e4 -NGENProcess 2d4 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2dc -NGENProcess 1e4 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 23c -NGENProcess 2fc -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 2e0 -NGENProcess 31c -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 324 -NGENProcess 2fc -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 318 -NGENProcess 364 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 35c -NGENProcess 2fc -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 360 -NGENProcess 36c -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 370 -NGENProcess 2fc -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:1528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 308 -NGENProcess 364 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 37c -NGENProcess 234 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 374 -NGENProcess 370 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 35c -NGENProcess 384 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 234 -NGENProcess 388 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 388 -NGENProcess 380 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 370 -NGENProcess 394 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 368 -NGENProcess 380 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 398 -NGENProcess 388 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 398 -NGENProcess 368 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 2e4 -NGENProcess 3a0 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 234 -NGENProcess 20c -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 348 -NGENProcess 1f0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 374 -NGENProcess 20c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 390 -NGENProcess 360 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 234 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 288 -NGENProcess 350 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 390 -NGENProcess 274 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 234 -NGENProcess 358 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 358 -NGENProcess 1e4 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 320 -NGENProcess 390 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 234 -NGENProcess 2bc -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 360 -NGENProcess 244 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 354 -NGENProcess 2bc -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 2d4 -NGENProcess 2c0 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 378 -NGENProcess 2d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 2b4 -NGENProcess 2c0 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2c0 -NGENProcess 318 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 28c -NGENProcess 390 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 25c -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 364 -NGENProcess 2fc -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 2fc -NGENProcess 2b4 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:1824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 3a4 -NGENProcess 39c -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2d4 -NGENProcess 324 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 28c -NGENProcess 3a4 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 3a4 -NGENProcess 2b4 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 3a4 -NGENProcess 28c -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 378 -NGENProcess 3ac -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 3b4 -NGENProcess 28c -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2b4 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3a8 -NGENProcess 3c0 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 38c -NGENProcess 384 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:1100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3ac -NGENProcess 3cc -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3cc -NGENProcess 244 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 3ac -NGENProcess 3bc -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d8 -NGENProcess 370 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3e4 -NGENProcess 378 -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 368 -NGENProcess 3c4 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 244 -NGENProcess 3f4 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 370 -NGENProcess 3d0 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 3d0 -NGENProcess 3f4 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3f4 -NGENProcess 3fc -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 410 -NGENProcess 41c -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:2412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 3f8 -NGENProcess 420 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3f8 -NGENProcess 40c -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 378 -NGENProcess 428 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 420 -NGENProcess 42c -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 40c -NGENProcess 434 -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 428 -NGENProcess 438 -Pipe 430 -Comment "NGen Worker Process"
  2⤵
  PID:1888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 410 -NGENProcess 434 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 440 -NGENProcess 40c -Pipe 43c -Comment "NGen Worker Process"
  2⤵
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 440 -NGENProcess 410 -Pipe 420 -Comment "NGen Worker Process"
  2⤵
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 3f4 -NGENProcess 448 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 3f4 -NGENProcess 438 -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:2748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 444 -NGENProcess 450 -Pipe 424 -Comment "NGen Worker Process"
  2⤵
  PID:1284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 42c -NGENProcess 438 -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  PID:1288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 458 -NGENProcess 3f4 -Pipe 454 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 45c -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  PID:1856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 460 -NGENProcess 3f4 -Pipe 450 -Comment "NGen Worker Process"
  2⤵
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 464 -NGENProcess 448 -Pipe 44c -Comment "NGen Worker Process"
  2⤵
  PID:844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 444 -NGENProcess 46c -Pipe 460 -Comment "NGen Worker Process"
  2⤵
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 378 -NGENProcess 46c -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 478 -NGENProcess 438 -Pipe 474 -Comment "NGen Worker Process"
  2⤵
  PID:1096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 478 -InterruptEvent 47c -NGENProcess 458 -Pipe 470 -Comment "NGen Worker Process"
  2⤵
  PID:924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 484 -InterruptEvent 378 -NGENProcess 488 -Pipe 478 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 480 -NGENProcess 458 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 48c -InterruptEvent 484 -NGENProcess 490 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 484 -InterruptEvent 494 -NGENProcess 458 -Pipe 45c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 494 -NGENProcess 49c -Pipe 48c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 498 -InterruptEvent 4a0 -NGENProcess 4a4 -Pipe 488 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 3f0 -NGENProcess 49c -Pipe 480 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4ac -InterruptEvent 498 -NGENProcess 4b0 -Pipe 4a0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 498 -InterruptEvent 4b4 -NGENProcess 49c -Pipe 4a8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 4ac -NGENProcess 4b8 -Pipe 498 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a4 -InterruptEvent 4b8 -NGENProcess 440 -Pipe 468 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c0 -InterruptEvent 47c -NGENProcess 4c4 -Pipe 4a4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 490 -InterruptEvent 40c -NGENProcess 49c -Pipe 4ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d0 -InterruptEvent 494 -NGENProcess 49c -Pipe 4cc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4dc -InterruptEvent 494 -NGENProcess 49c -Pipe 490 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e4 -InterruptEvent 4b0 -NGENProcess 49c -Pipe 4e0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e4 -InterruptEvent 4dc -NGENProcess 4d0 -Pipe 4b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4fc -InterruptEvent 4f4 -NGENProcess 500 -Pipe 4e4 -Comment "NGen Worker Process"
  2⤵
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f4 -InterruptEvent 504 -NGENProcess 4d0 -Pipe 4f8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 508 -InterruptEvent 504 -NGENProcess 4f4 -Pipe 4d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 504 -InterruptEvent 4f4 -NGENProcess 4d8 -Pipe 4d0 -Comment "NGen Worker Process"
  2⤵
  PID:1288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 514 -InterruptEvent 4ec -NGENProcess 518 -Pipe 504 -Comment "NGen Worker Process"
  2⤵
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 51c -InterruptEvent 500 -NGENProcess 520 -Pipe 514 -Comment "NGen Worker Process"
  2⤵
  PID:1820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4dc -InterruptEvent 50c -NGENProcess 49c -Pipe 4d8 -Comment "NGen Worker Process"
  2⤵
  PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 500 -InterruptEvent 520 -NGENProcess 4fc -Pipe 4f4 -Comment "NGen Worker Process"
  2⤵
  PID:1296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 52c -InterruptEvent 520 -NGENProcess 500 -Pipe 510 -Comment "NGen Worker Process"
  2⤵
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 528 -InterruptEvent 440 -NGENProcess 534 -Pipe 52c -Comment "NGen Worker Process"
  2⤵
  PID:1092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 538 -InterruptEvent 4fc -NGENProcess 53c -Pipe 528 -Comment "NGen Worker Process"
  2⤵
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 500 -InterruptEvent 520 -NGENProcess 4e8 -Pipe 540 -Comment "NGen Worker Process"
  2⤵
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 520 -InterruptEvent 544 -NGENProcess 49c -Pipe 524 -Comment "NGen Worker Process"
  2⤵
  PID:1052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 544 -InterruptEvent 54c -NGENProcess 53c -Pipe 548 -Comment "NGen Worker Process"
  2⤵
  PID:1284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 54c -InterruptEvent 4dc -NGENProcess 508 -Pipe 554 -Comment "NGen Worker Process"
  2⤵
  PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 558 -InterruptEvent 4dc -NGENProcess 54c -Pipe 4fc -Comment "NGen Worker Process"
  2⤵
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 520 -NGENProcess 518 -Pipe 534 -Comment "NGen Worker Process"
  2⤵
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 564 -InterruptEvent 53c -NGENProcess 568 -Pipe 440 -Comment "NGen Worker Process"
  2⤵
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 53c -InterruptEvent 560 -NGENProcess 518 -Pipe 49c -Comment "NGen Worker Process"
  2⤵
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 564 -InterruptEvent 53c -NGENProcess 558 -Pipe 56c -Comment "NGen Worker Process"
  2⤵
  PID:2764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 520 -InterruptEvent 4ec -NGENProcess 4e8 -Pipe 560 -Comment "NGen Worker Process"
  2⤵
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 57c -InterruptEvent 570 -NGENProcess 580 -Pipe 520 -Comment "NGen Worker Process"
  2⤵
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 584 -InterruptEvent 570 -NGENProcess 57c -Pipe 4e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 530 -InterruptEvent 508 -NGENProcess 58c -Pipe 584 -Comment "NGen Worker Process"
  2⤵
  PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 568 -InterruptEvent 508 -NGENProcess 530 -Pipe 57c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 518 -InterruptEvent 588 -NGENProcess 594 -Pipe 568 -Comment "NGen Worker Process"
  2⤵
  PID:2596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 544 -InterruptEvent 588 -NGENProcess 518 -Pipe 530 -Comment "NGen Worker Process"
  2⤵
  PID:580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 55c -InterruptEvent 590 -NGENProcess 59c -Pipe 544 -Comment "NGen Worker Process"
  2⤵
  PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 570 -InterruptEvent 594 -NGENProcess 5a0 -Pipe 55c -Comment "NGen Worker Process"
  2⤵
  PID:452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 59c -InterruptEvent 518 -NGENProcess 5a4 -Pipe 570 -Comment "NGen Worker Process"
  2⤵
  PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 580 -InterruptEvent 558 -NGENProcess 564 -Pipe 598 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 558 -InterruptEvent 564 -NGENProcess 4ec -Pipe 5a0 -Comment "NGen Worker Process"
  2⤵
  PID:1144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5b4 -InterruptEvent 564 -NGENProcess 558 -Pipe 594 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 564 -InterruptEvent 558 -NGENProcess 578 -Pipe 4ec -Comment "NGen Worker Process"
  2⤵
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 558 -InterruptEvent 5c4 -NGENProcess 5b0 -Pipe 5c0 -Comment "NGen Worker Process"
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5cc -InterruptEvent 58c -NGENProcess 5bc -Pipe 5c4 -Comment "NGen Worker Process"
  2⤵
  PID:2596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5bc -InterruptEvent 590 -NGENProcess 5d0 -Pipe 5a8 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 578 -InterruptEvent 5dc -NGENProcess 590 -Pipe 500 -Comment "NGen Worker Process"
  2⤵
  PID:1920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5dc -InterruptEvent 5e0 -NGENProcess 5b0 -Pipe 5d4 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5bc -InterruptEvent 5e0 -NGENProcess 5b4 -Pipe 5dc -Comment "NGen Worker Process"
  2⤵
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5f0 -InterruptEvent 5cc -NGENProcess 5f4 -Pipe 5bc -Comment "NGen Worker Process"
  2⤵
  PID:980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5f8 -InterruptEvent 5e4 -NGENProcess 5fc -Pipe 5f0 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5ec -InterruptEvent 5b4 -NGENProcess 600 -Pipe 5f8 -Comment "NGen Worker Process"
  2⤵
  PID:1772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5ec -InterruptEvent 600 -NGENProcess 5b4 -Pipe 604 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:1328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 578 -InterruptEvent 5ac -NGENProcess 5d0 -Pipe 5e4 -Comment "NGen Worker Process"
  2⤵
  PID:1092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 614 -InterruptEvent 5f4 -NGENProcess 618 -Pipe 578 -Comment "NGen Worker Process"
  2⤵
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5cc -InterruptEvent 5d0 -NGENProcess 564 -Pipe 5b8 -Comment "NGen Worker Process"
  2⤵
  PID:1856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 620 -InterruptEvent 5d0 -NGENProcess 5cc -Pipe 60c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 600 -InterruptEvent 5d0 -NGENProcess 5cc -Pipe 5ec -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 620 -InterruptEvent 5b4 -NGENProcess 564 -Pipe 618 -Comment "NGen Worker Process"
  2⤵
  PID:1264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5b4 -InterruptEvent 634 -NGENProcess 610 -Pipe 630 -Comment "NGen Worker Process"
  2⤵
  PID:628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 63c -InterruptEvent 608 -NGENProcess 5e8 -Pipe 620 -Comment "NGen Worker Process"
  2⤵
  PID:1344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 608 -InterruptEvent 640 -NGENProcess 5b4 -Pipe 62c -Comment "NGen Worker Process"
  2⤵
  PID:784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 638 -InterruptEvent 640 -NGENProcess 5b4 -Pipe 628 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 640 -InterruptEvent 5b4 -NGENProcess 610 -Pipe 600 -Comment "NGen Worker Process"
  2⤵
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5b4 -InterruptEvent 654 -NGENProcess 61c -Pipe 650 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5b4 -InterruptEvent 11c -NGENProcess 120 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 644 -InterruptEvent 638 -NGENProcess 61c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:1876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 698 -InterruptEvent 688 -NGENProcess 694 -Pipe 68c -Comment "NGen Worker Process"
  2⤵
  PID:1028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 698 -InterruptEvent 680 -NGENProcess 638 -Pipe 6a0 -Comment "NGen Worker Process"
  2⤵
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 680 -InterruptEvent 6b4 -NGENProcess 688 -Pipe 6b0 -Comment "NGen Worker Process"
  2⤵
  PID:1884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 698 -InterruptEvent 608 -NGENProcess 11c -Pipe 648 -Comment "NGen Worker Process"
  2⤵
  PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6c8 -InterruptEvent 5e8 -NGENProcess 6cc -Pipe 698 -Comment "NGen Worker Process"
  2⤵
  PID:1720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6cc -InterruptEvent 6b4 -NGENProcess 694 -Pipe 6ac -Comment "NGen Worker Process"
  2⤵
  PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6b4 -InterruptEvent 6d4 -NGENProcess 688 -Pipe 6d0 -Comment "NGen Worker Process"
  2⤵
  PID:2384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6d8 -InterruptEvent 6cc -NGENProcess 6dc -Pipe 6b4 -Comment "NGen Worker Process"
  2⤵
  PID:1112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6b8 -InterruptEvent 608 -NGENProcess 6c8 -Pipe 5e8 -Comment "NGen Worker Process"
  2⤵
  PID:1016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 608 -InterruptEvent 6e8 -NGENProcess 688 -Pipe 6e4 -Comment "NGen Worker Process"
  2⤵
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6c4 -InterruptEvent 6cc -NGENProcess 688 -Pipe 6e0 -Comment "NGen Worker Process"
  2⤵
  PID:580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6cc -InterruptEvent 6f4 -NGENProcess 638 -Pipe 6f0 -Comment "NGen Worker Process"
  2⤵
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6f8 -InterruptEvent 6c4 -NGENProcess 6fc -Pipe 6cc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 700 -InterruptEvent 680 -NGENProcess 704 -Pipe 6f8 -Comment "NGen Worker Process"
  2⤵
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 680 -InterruptEvent 708 -NGENProcess 6fc -Pipe 6ec -Comment "NGen Worker Process"
  2⤵
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 708 -InterruptEvent 710 -NGENProcess 688 -Pipe 70c -Comment "NGen Worker Process"
  2⤵
  PID:1772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6c8 -InterruptEvent 680 -NGENProcess 714 -Pipe 708 -Comment "NGen Worker Process"
  2⤵
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 680 -InterruptEvent 718 -NGENProcess 688 -Pipe 704 -Comment "NGen Worker Process"
  2⤵
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 718 -InterruptEvent 71c -NGENProcess 638 -Pipe 6b8 -Comment "NGen Worker Process"
  2⤵
  PID:3000

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1832

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2260

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:1440

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2196

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2880

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2716

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2480

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:336

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2988

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2944

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1408

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2656

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1196

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:616

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1088

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1824

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2116

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:972

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1900

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Modifies data under HKEY_USERS
PID:960

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
PID:2000
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3627615824-4061627003-3019543961-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3627615824-4061627003-3019543961-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1080
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:792
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
92KB

MD5
3fa442c0b4d29c241e74b6098f7595c7

SHA1
53c585aba3da3f50d62c1ee7d0c75ba8c83eee4e

SHA256
c596602e3e76771a25176f2e07a9dfed35975238345bc693c726f0d152489d2e

SHA512
61b6e2c16a2b528e831aa6b9d65da737109de2538db6c6a2d6bf532603e33511927d3cc75e9bf95a63914c91fc6238f1791b57735128a6732d8b0164a4b59ea5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
71KB

MD5
a4f723113bc12093f006bd69f22dba4c

SHA1
aa883be028428f77d59980987ff07d9ccfbbc515

SHA256
ed7db574d2012963a7725060f02c61ea0fd456aaea99516576a1a166fe6bf762

SHA512
8ab56696ad9a4ad02bf8f47247d7d82e7728d0375f6c8b6ed52fdacabe953c09d72807384e1b0230b7de47c60d86a751ac590e16b74bad91a30825d017d142e9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
84KB

MD5
c7e7f361180a36af9cf98f0b10ca0255

SHA1
e9df780ec0c31a936e588d6323bf56c4e63d043f

SHA256
90e87656801c2a6f22f29c4faf37d8e8c62ad9a1c752c6c01ffa5b4c77ec2693

SHA512
e4b904a566d2ecdb8d69281de4282ae2a9165abc2c54fb3efd840f9682c59202cc3c8801cd5b5825254ddb86677a57dfb0bcfc7ef26696de938f4d417b0073b4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
24KB

MD5
747d4ff5a153a89ef1009c966bfe5cf6

SHA1
a978d7546dede45af4971dee9a0ede7aa1b24104

SHA256
2dfbbce1c69bb2a13d4c11ba3374e6614743563f2e2980fd8faa8dece78167ff

SHA512
0b0ab6ffd2e31cb5026b2fe217df52d0c46434b46e829c2e797e45e587eaaec40033ae3df4a4f815f2de5eb98dac59fc2b93f77d4b48ee2f1da7d510b551eafb

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
144KB

MD5
797ef95c8871170287ce336749323d7b

SHA1
8d6b83d70dc25d10c71b6407d39514943d12d3a0

SHA256
13d77855beb1ed0c80f3f440c6a8c2cf3ab65c4521d4ec805c09be101f567f69

SHA512
ddff42e3115a02a0a687e53581877b8cb0e26f7f70d1995aeb45aa71e83ab79675ce29e573e4302fb00e5e204ed31925f47dad09025ba8326de51bfb6c7715bc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
363KB

MD5
870b579e6befabaac399d9266a954835

SHA1
d8d9d3e4578a014f5ccc7f62ab2ccac511f07c44

SHA256
e5d29c27ce86d8228a79745f2ea6351ee6ac89e5633b5634212ded6a62d1be33

SHA512
e96199ebbaab0abf64ba91e012c87357b95b9f18c50b005b88f0b95965ebf81e61595a88670e242c33022e674780d0de3f55eebbddfacb3d718659f8bda120d5

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
797286f6bd275073e20ba1d6dfc4ff1d

SHA1
1f889d4ed1188976f33ea15dd44f652dfe1225c0

SHA256
b52c6ee028dffa1497cf118a32b54ab7c9e5b56c774ad2d3799bc7257b9de459

SHA512
6dbd54f0cc16b9fc9dc479a9fc5b00573c1fd29e65cd6c8870794cf0fc5879ee7b05cfe0211fc3bf84d3caa695dd826562e7db1ba08f1b3e978fbdf4ebedbfc8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
85KB

MD5
40d5d01c4a6197a3a5d934e2aa8b4e35

SHA1
647fe28b073bdc39ebc32edf129fa13f6919d927

SHA256
f3e2f5f04f0c38e156b5ec02812be310919091df6d5cf19b7dc22f680e932593

SHA512
4b1f112ec3534bd8786af6afea98bb419100efdb2a8952251e01dca7f0c99f280058e5480308b98c52c4bad9057b8448fb6b8cfc3ac6501ec44178a5b8d75270

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
50KB

MD5
408126ffe07e4b60825dd2d972019fd4

SHA1
ab98146b0064a3fe81192733d7688ede83fe3642

SHA256
45bfdee6c90534af981427f8717d302379594f4d26bf70be69df95def16b6432

SHA512
bfd3ae3738c0cb839a4da7df498c8a097abe5eb465fd181675df96e881d2a9ea8878989a6d02a1b3c39324e6f5eeea30cefb5259fd7967e682678cda7b4d73db

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
44KB

MD5
fe39b62561008e8bc2b948af523411aa

SHA1
82863ca0306629fad65b4b5932ea70f14f743eff

SHA256
8d2949b2d6b8e7204a66c783dda2164181f5b1a95cdb5f6d01445afc90135de0

SHA512
524f900c1628d1cdc517acce6840c79719a00eb636a0d8b37479c2c3b25efea1f0c6d326cde02b944af686f861a1f090e0aa5d9f8dc961bb9f08d6e5c5fb3c35

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
155KB

MD5
fdefd4ddf03fc110b2a3240222c0d472

SHA1
b17f0f9442c4976a0b4c00cb5694b44426dafd66

SHA256
28f24faec5d9b52649290b72f63af678f90c81015b8728cb9dfac663e19ff6d7

SHA512
00d736f775e52f026f9a75e67482d1a7af3ce524e96ad6ae4fd31e8d80b481a95fcb7eb47626bae93e4b2135379d9bb8c206be17ba8e4cfc153a1ef7c666b7f6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
254KB

MD5
56f9ebb8378737197a6049483086cece

SHA1
0e0267be3d55fbcf0262b327003ac4ca4b05d2bc

SHA256
e466bc49748b1ac249a33ebf65c3477e205b9e5ba1b74899f582d9d08c06df6c

SHA512
c31b337e2c8d8c580f13d21f4d71f79d300fb2da5f72d7fff9feaaef582f7d836184f88f30b58be8d946acf11c8dad47e7daae10cab116019862235b7141a681

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
198KB

MD5
ebad725799f34130271ee723556cbce2

SHA1
7cddd0e8c19610526752bbcbdccfbf1072818a31

SHA256
92009e4276b375c6c0e52b6d545dec5e84fc6c94244eedcd9d5ef2920b8a0184

SHA512
3e50a9a5926f06929e9d5e087b442714395318ae90f8e4f250a2b58eaf99f13d673112b0326811c28987f6a30ac1e6b3229c6541d28aa8441873b433f9cfc056

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
348KB

MD5
e7ee115fa373a951d7cd4d60166d1ec0

SHA1
87aa38f09b4b2ae536ff86d5d86eca6d6fb64810

SHA256
de254f80301a026681c5c58ab3c2713cf6db0ee97584f0b5423bed003ef571f0

SHA512
64a0e1a93ff42ec0e23da4c25bccade9963cf973530630b6cf7c9de3790b4ed3064ba5360b5eecb366392b2a81cd7767c296d73ac8eea79d214e6e1417a9839e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
390KB

MD5
dd85217b8fd5f2e0e9ec2994a038eb3d

SHA1
bba48222bfaaf85bb8b11437135f118b22c2287e

SHA256
c3aabe662bf4e4b114496230f63e3f6e31bc17634448d08d1f07549c53840c64

SHA512
f5cc62d3f9bb5c1231014bdb19ac27f1b0bdb71ee7e2df15731fab3a5573cdbca2f90132fe7e08bfd60db84e2bb1845e4fc0fef149bac1bd6c76cfd84dae4ed1

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
77KB

MD5
c8a4938bc89be1e8fab16538ccc04ed6

SHA1
b630113c308cf1790a0f16a8bfee399ba007e7b2

SHA256
5d91b694db95c9aac4613ae8309946db0bf1f8bfd5f7feaf11094c6a68f1f812

SHA512
2569fcff1de497e29189e5a0a79ce7da314aa8c1c06b5560a1416e4a611c19760388ffe4eb3738d68cfd9517400b4ca2ede9a40166435ad99abbe42ad8c8ea2d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
9KB

MD5
0dadbe73590ad26f7f6bf61be913292d

SHA1
5d7c86b21ee2e353158713ff89117ae5153311e4

SHA256
e7f6ec2c944a24ddf9b7b6a4fd3eb4bf04e912e2f9e532c95629712fedb0663b

SHA512
69f085add1812d537fad2bc1fdd46299ace0beef635b31229f343881789eff8334d0347ebd0a1126ab4ec6cb9077d24b5e369d641b7e8ad8aab7b3646208edd2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
178KB

MD5
fe09947591db0fb48a6d311e5f255182

SHA1
c5a4b234c68bd96466a5af3a6a07e76c0672cd38

SHA256
33a2d7476333750304d87c9d67d02ad9ef9bb29a37d67ddec3dfd39d01703411

SHA512
3857b4868942059047e7b0f1099ede8577f9eb9476f008299b6acebd0afd5b6d8b7b775bdb8dae71515e0801f84e73704c3f4084fcc8a4a337c842c4701de95a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
9KB

MD5
5d4ecfd1f80fc652e31cad44a7d69cf5

SHA1
2e6527127a8d77bfd593975d1a5446ab141f4220

SHA256
1ca4bec222e0703059378c7ad66a6562dca9a02bccd78623a43d428221bc2a4e

SHA512
9c14d2d519b85b52b41fe7bc0016fb03b13db4ca9165d2d1a471502c7bccc70ba974f83b94727ba647505aa6253d7bad76158c61ada93ce6c61feda1aa8e48fb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
22KB

MD5
31d96a03732f579824782e3ef0a524a4

SHA1
f41aa59a9c993f03f8e9e7ba7b378fb5b89d6d50

SHA256
1c099356aa9664c22eba740bac1f121a278d856a561f988a1a2ca1611e6322f4

SHA512
eebec972169c689fa5c3fd88dc5c5311a3ff7f124c19ef2520d0fe6e70f768d0ebf6cc0ae4bfc2714c2f3c54a781cec547ff8aaef0041cedf1784f884608b738

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
59KB

MD5
7bb559321a10b80952bf9f25839bbed4

SHA1
89af5900e5fd73df5db028033285811b8ceefcc7

SHA256
9266122b6d6c8576ebe3f3b2e2136332d67bd9db72984d1776270ab71664d1ff

SHA512
379a1d1b981c0b6050520924219d1a43656d309e910e8dae1b275c66a6f10f98ee00124d64545ba26a8cf018bec33f01f57b8a9e192a4a27e5ee83deecd2e009

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
28KB

MD5
2175e570c321bda2f8f7811016131516

SHA1
54d25e0e1b571f00bbbe8c116337987959a69dc9

SHA256
5659cee0d8881521444e87d8fb527fe69c21481c05078b63042c7c1d9b6b94ec

SHA512
9e7e5526d7810794d61ecaa805e845bb03e915860d85fa73204ec6df399ce06d752f328d3aa06bdc1b3f0dbac2b9641e4aa98d096cdc4656eb66b2f5679bd6fd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
33KB

MD5
1cb80908627f1fcc6d05edb26f97a9d3

SHA1
e58f251d5e0ea79c2961acf048b0b70debb01eae

SHA256
a5ab6e8a679ed744631f4ef1312a45015a6b8afcf1d82b2f2f7f0dad2c97759b

SHA512
30e67d1f64e0eeb872a5648f53b9c94646130a69e209fadf16c6f907de7d798806cefcba428ddcb66bf4536a5f770ee89798fa0bb5afadad9dcb4602af3cf586

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
29KB

MD5
82c384490ed5b05c47165e58b4c23bd7

SHA1
3a55bcd0f753a0ef877d6a48253fa87bc1920108

SHA256
0cf38f4a6f7d6ce921a2492007a21fa525093d76c6f8e1149568c51a99a599d2

SHA512
cfb269f234c8f722a35840ab4a1de156918c549c0131b343a2bf32234e7a060ee3ddb8d1777f573822855155bd2c1dbd5a0ca9df67996f1a1670a345ee94ba76

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
16KB

MD5
62875fd7a6f0435e360c61d6603e4f8c

SHA1
bc0352bd040b313d6be47197d2926a62edf30191

SHA256
0c37ef5a98e23b6a3c308b7d1b435760076c83ad02e90e175dd62d5d1a769016

SHA512
fc983386885f2743b06555154e69d019af5cef4790da06ae80649f336aa42a7321c4adbe368a9c9d149cd373a758cf12ca35e1cb4d897d6718e43170d1deb8d7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
21KB

MD5
1cb4a4102c7c552dda1583cd7251cc0e

SHA1
5affb82647489f561524fbdbacfd80fa8786740d

SHA256
8cc380172a9e2c28a36df11598e9fee6e4c59507c34c1ebda8325f0a836265fa

SHA512
2e926f2d0b86670b3d468d6627438dc4072df67a2727fb507d1bf6c229893f8fe58684de69f19dd5ae20211a172a8aeb1246bfa94a922aa3565fbc66ec5574ed

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
26KB

MD5
235ae1a07fb5ee1871f373505d552895

SHA1
ac9a0d7ac31f27a1fafc087919be7ead24a14692

SHA256
8bbcc2a95a155ebc918616849e52f0c16196b52401919601b3bf47151c15785e

SHA512
20bb69c4465f221d4a309fcd2320264126a7eed771856b279c8f21518e435e8db2b837b24545b7c26d7fd41c8dfa6f9169dc859de9404b5a8f1c4da69caf47b9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
47KB

MD5
4f1584d58c05c3ccf43571225c6d682f

SHA1
689fbdcc3b833d0a58c675f30056f50544bd4fee

SHA256
6e3f39ada54a7909cf6715556aa7056976248912891e8e2f7e07a951881fdea1

SHA512
207493c1eeabbea551232d582dc0fa41904411227cf125588c962f805668efeeb0ac2092f7c6c5747dd93a00ab9859dd0d33e523fa00bfe1202c73339532aed8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
37KB

MD5
8bef0347a15067cc8a7856e4633040c4

SHA1
a7f5086d5603314685dca60a3226b3455337dce4

SHA256
fdc9bfcc4bdfa0222794ac6af71fd0e933a941e40eaff9bb069f677987232ac3

SHA512
56698d2667f8684657df745f00a98e969f6d2a4e84be4e22df60bd0dfe881158512f9c70138eb407ad185618eddf698a32197fc093d7722c7cb345438b2d7371

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
39KB

MD5
39a93b17e19270e0767b5be98297c34a

SHA1
900cfcce1c052127077a5655360c2858c592e5fe

SHA256
4025e5b7e50b409f5077a82f271317f4864944d02df9cd194d8923a6dd5dadd6

SHA512
776ae730e5a75483e0f1fefdf525ce5dabd9ca93837dbc9f3112e0292988850408aec8c25afce1485135f70b061a4ea4959b27e24b1e95d62f5a3f750fb47f98

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
67KB

MD5
b8e556d7eff3a20afd790ccd6b7a096e

SHA1
115fbf78a64a6eea75d04e6e6c50509dda9f15f1

SHA256
35822a218c868da05c7c7a61f17d98e33606c849b94e55adc0cf525f94b451f8

SHA512
efd405b9a8e26dfdb99cf8ae8e753dc9524c7691852a1ded76cef5e64845e20ed60b0ef36283eda3a73c465b141e89bd9b9cb5fc7626a5ad2dc99572c9452e12

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
45KB

MD5
4aced3dfcf75b09db21df16d05472adb

SHA1
28a761f03a2e64c449bcfa3d0e82d860fea48684

SHA256
15d26a00278f2c8d82634494adf796f8251f20ffdac4ea369562129b8a0cde1c

SHA512
7d6d1a31afd4b0b235270dff08a4b5d9f3b1b9e2aee33bb1eea3c65bd0470d75fd50d64c2dd3ee75b70ef571b8cb65d43a3b08140e7c224c09e9f6b938a06ccf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
92KB

MD5
c052001434e59424a42c16e9464cea55

SHA1
a642b74cae7d67909692e9ca2266156ea0a3cd95

SHA256
b875154c02d450695f62a668c9626039a2556c1de4f699986e632d125f51b064

SHA512
4b293c9bbc37e92f99eeaff8b295f2e8025fabb15881996519bbadcee0697c8d9a685a6d2c59491aba1e76cc77217dae08e8256ae11d5e50683f1a2dd971750f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
34KB

MD5
8dc781f1e91b853aefd7ec0260ab6c8e

SHA1
f06c6eaa9bbafc4c43090d3f985857b9eb500c75

SHA256
c7f0e24e999bb324c6c97d2f9fdfdfb4f74bfe457dbfa850e1cfda70643820ba

SHA512
13b74c91cf86412df9fc1bf01e8423029d001f10c70cfef5ad97ecbcdd5e0b0b1a80ec9feae9fc6f049b2bf782adf8d074994b27be2ed71af7330753fa02cbba

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
4KB

MD5
56f26d8e75817a1adf30556efb83c0a8

SHA1
d3d335ca5a37944456a9abd9c8d4a366c0eacca5

SHA256
6a153bc0db2e77db47af684abf6e2cd1c9ad444d0ed6df3a5e01532c507ce8fb

SHA512
e0eaab8c1ee2a1c338d8e5ce9bccb12c738c164298bae89fbfde8f9be030d1325d14d8dbd3aacd0c5f16604171c4f52af6d6778ff9dd245f32c40a5fe24fb2ff

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1KB

MD5
520b53d1edfcf27bd9a547c5c6f4d18d

SHA1
8d98cea47e08b03510e3a5bc27126f398f17bfaa

SHA256
392bb50e93206b38ea5324a8942730f3f3c5dc6be03e86a4673366faf9eecb82

SHA512
13fc378e263018e0ea7bbd138ad6fbe59a353d05942bbbb90640e52862fe6c4c30809679703f743084eb819ea7cc74d11feed042dcbc282b78a0156ee40e6e00

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
11KB

MD5
cd6cf60040e72917a7e5285c555cf200

SHA1
382e9b22c0349ccfce03eea092dc1e0d6fc865e0

SHA256
0a5ed9fd68042971aba3514d5f071d9d9fd0e98dce8606f45589f28cfe43a955

SHA512
467f394e0e9fdf66f016e09cfc7697ed5f1e4c4e3949ff5245577b784ad3e6b5c25d450e9f8b4eef66cc78f4f11dd2b7b706a2669eb207235a83164b966d10b5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
65KB

MD5
48b1a50d52c92157ddf8c3fd8a67af09

SHA1
b9342a63dc54148b83261ea0611908d3d6a1eefb

SHA256
9aadca8b6778f36ec336339c021cb2305b42dec40c7291f655489d9c3448e02c

SHA512
c0be2b61fa9778800573c516fb9cf3d0e1cb65c9c4c70f2e201cd28c96f84e896a70981fda09ffa910aa4aeca3ef6d66577ea468000421ed6fbd056293c43672

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
41KB

MD5
67a22b949ed6446a47fa68b8b9406090

SHA1
84edc831dad95ed29fdfc355c94b3576efdecbf3

SHA256
d3ae488cf4195da348a2712a26765b1737ebf1eb71c5bc2e72fd0e4b8daf7cd5

SHA512
9f3c41cf04e967113c1dd29d533a87bab8315e4de26b4fbc0502a56613b481f6daa447c0eacbcce1b1e17543dcdd65a2bcd790492b3d0744c684e0c2634d4540

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
3d6dd03f0bdc975cb075c12ebb226710

SHA1
5c52c882485537c43c3ef658a9e486bfa6b7c851

SHA256
7e8db07be5ef72048ee0e7550069b26ee5a2e5747d02082630de8eb819515871

SHA512
d4d16056eb69f0dfb148947616edd09c3c1825e3d1e66cd07b2c9538d9de56f467b6ad0c3c8e00ada3cb16320a4f25bf1124e3418b20a0bc28fe93bd4db36fe7

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\9a5b988756fe8faa.bin

Filesize
12KB

MD5
7d7e4953129c518eb3ccf1b4d8a53127

SHA1
0156a6f77fe141246d710107db59c4ef9aafd7ad

SHA256
fea730b27af517f6bbedb7724fe46628893caf0011a26760540f0c55d6ca6ce9

SHA512
d4aa03289626e9629c112c9ad13f460006180b318809a3848573a81793c67cc554f782e85324c79fa94d8e4f64bdf907956a6a6544cf40d03dbd8e5b99036c6f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
46KB

MD5
9c34abbee15772a3bb98c58c0835d5a6

SHA1
f8f8f398e393f16fe41b3434aba8c4e5333b4be9

SHA256
8b78a61c6f22c21b6dd4bbf3fae0f54a1d02dbc86ff74789188d806e6dfd814e

SHA512
312e1f5047bbec6a50c03097037cd0cc09b91cd9985b70ddc5b4494950469257f26aa561b0f80a32582f60d4c724f20c3104022d753e56674b1966d4ab802c58

Download Submit
C:\Windows\System32\Locator.exe

Filesize
72KB

MD5
38d5e54338c51e318df3b722fe91647c

SHA1
f4d70a40cfaf8db9a0ffd412d5e63787cc35fea1

SHA256
69e21b7a4db4619b431feaf732b8a71628ccac2c16c9a8610208c1cd1363ddea

SHA512
f8f56052ed5a1813d4c208caedf33091fdb1a470c71a271abebaefcb7864c16e461b80aee69491dfa705768f6c15b9c51b7463454fa0ee9bb14c40f76fdd78ee

Download Submit
C:\Windows\System32\alg.exe

Filesize
267KB

MD5
e0478ec88f6aa55a9ba4fd598912aa00

SHA1
cd9d80beeda3f48d99ec41ec047d105ef1009241

SHA256
a5d7466694c828cf05f95a5597b624f63f99ee1a7273c55de7d88e0f8ba8cae8

SHA512
6a7c6580b53dbef456860d944b708d5c645ae9906a338b142296a4e3d75a9aca27bf3e9bb0e42ed85f6de6527ecdd91a7e4f5e9e7a5351e28624d5d2cce77acb

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
9KB

MD5
8cdd3f9bfe1e7e224f75ea02ffeea9f3

SHA1
0b0e58371f108a0271597127f48f38087796b0a8

SHA256
20157ca7f657502fb82929de9b02000ad398c3e534bbbc4c139a8966d88a7159

SHA512
317b217105a9d36ce26786bcc87356c158eedbb4f2f466b9092a9de50ed65b646cb178585055169827d6bde6ef74a1b22fd9e6f85bd38f891d084eb4fcbb09e8

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
79KB

MD5
e60248636884dce1213cf12c9770a73f

SHA1
b74dfecb2f700a19a5deb9d9ff1754f305419e1a

SHA256
d7cb1ef5270759aebb9a0ef2e3fb3f4647fe4b19f016a062433798c2dba9041b

SHA512
57efd765b4899466d9aeaed47bcc038c8aec2c5286442c3ec790fc7075790d3b409af7ec7a33c43eac797763d08ad0465e7f329b2210389ae24584c870e2ba3f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
84KB

MD5
d2a997c898dc97098f7670a4e19a2ad7

SHA1
48e3519bdf0282cff797e3d5a98d50f3afbc1653

SHA256
1685db2a5da8033ac50877c75003ffabd6bf401a474340846b066dcfd8630b03

SHA512
b62b9803a6b445e45d7ebebeef3387fae60f90ad86ea3ae33da6d9fa15383e1197448c4555e94c8727fbabb37177f43e1dae0eec551297b824903cdaea237c9f

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
106KB

MD5
0d42ee9e0d6ec5daeeab698551c76c36

SHA1
b1041336f293c8a7accbd314424e63c65b5f37a7

SHA256
365bf7e00a3b2d28899f2956c2b64331c53cc44c764f1d2c93ee4d2f1e14c12b

SHA512
e55820f572aad4986d9f66e9fe66cc940d903883681ec3ecd8eab9fb7c794a316df9462af663403baca6dd562000201400b7455b0e806f965356a5040ab27a8a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
61KB

MD5
4fa55ed79b3b5a3f5951c57d56cbb6a3

SHA1
a8d4384fffe1d0b04b7dacfb2aea375d99bb3c9a

SHA256
e994382ba83e512e8bdc1bcc17598835cb0299967e26438de093685851a47c52

SHA512
f97df500504fa89fe1ca543ec5b8fac546d55b6c7f9db6e903b5400473ff174ea96d2c277f2b0b3dec6aad5ccd2ac4d523f155942858999d7c83a9ecd2b3aaa9

Download Submit
C:\Windows\System32\vds.exe

Filesize
25KB

MD5
510a01c6af1091dbcd8d38d0325b511f

SHA1
506cf8b0f95f5da1128da3f748eb103118734389

SHA256
40e344247da114a943d543c0e7c1c398ba16d537593d7f4cc501c420152981f4

SHA512
606aafafb2a64e251540f2d95e2f4f3db0ee01dfdc54e07a4c0eb01eeb1139e2fe0a83fb7e68a73f08681217c9e9b3dbcbd6481214a8878af963b6886714484d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0bcf1b3e3a562fb0f829229904d2b018\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
9a30b1f409046ffee34a7f31a84395ae

SHA1
75ec7a753d6859af1fb2a1a154c073d0a9e2d2a1

SHA256
d55aa6f2117c39fffd641172a82db8add379ec581f3cd106b7f12c2969fda328

SHA512
a82c30867eb74ea6c9bcfa5b6b6bd7dfc829f0b48328eb7c4593d483f69e2991b0e63decc32c963c04c759ecfffad9a69449a80b7155f64780e5b15775ea8c74

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\181356b1bbb85fe2401c4dfad1a45133\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0.ni.dll

Filesize
158KB

MD5
a763a9348ab4ee3bd593bb17d854e51b

SHA1
4d0c97ba6877e2f9ab32fe1316936a4f2e0ff2c9

SHA256
b2f9dce9baca3e56fb3587ffe30ca38eb0f89ed30985b328a853778480c0f87b

SHA512
e8d3896d4bd788d3ed923e0c9d3ba19fe9fc507060e2e5e8e410964f4c9d7331928324a79336079ccc84c050d8f0acfb03126a2e3622daac3846b0bfd028f602

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\43ac81bed18b52d77a8011ada80939b5\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.ni.dll

Filesize
296KB

MD5
7687295a6e19cc656b077e6a61629d4e

SHA1
fa1025de5cffb56a3d1f8cae9d09b7171b33326e

SHA256
ad8d210d001d3298ad4e1cbf08449b2cbd2b358d28cfad99db78639627a7cb86

SHA512
19de95fd90bc6f091e785074ee71dc15d450d65fbdea933e26650fb9c747d81ae2fca7f5f83192f17451a49a314d264cabea2202c805b6ffab729d381675734c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\48a294a6ff9cea6b26c38fc8b4f5e3e8\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll

Filesize
356KB

MD5
87111e9d98dc79165dfc98a1fb93100b

SHA1
4f5182e5ce810f6ba3bdb3418ad33c916b6013c8

SHA256
971188681028501d5ac8143b9127feb95d6982417590af42cf1a43483e38bd42

SHA512
abbb246d620e8a2ab1973dde19ff56ea1c02afa39e889925fe2a1ba43af1ad4ff6eb017e68578ae520109b3e290b3d9054d7537eb2df0ede6e0fbca8519cc104

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5c8b40c69a2293c8f499b38b25c41117\Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0.ni.dll

Filesize
157KB

MD5
7bdf8e0c9aa04b71a52dd964005f4363

SHA1
a87e809146d3c70093a189c37f0a96b8bd0ce525

SHA256
0406be7235661a62f68bff4c7640b4e241a0c392d548bf242ed08ba0eeaee66b

SHA512
4983ebf42241723cf258407c7d2a0773f395c861741f4e98bd7ac86e1ef0a597f89263bb5a986b69ffd43836a5e49d8f03342736b4c3183ea0c58b8099af2051

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5f2320d38621eb541713e6cd421c2b8a\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.ni.dll

Filesize
648KB

MD5
7ebbba07bc6d54efd912bcd78b560b7b

SHA1
a6aee1a80ddcdf201301ac29293c62d58bcc941d

SHA256
637dc357ff9011902186f2fd128ca74ac84fdb6d984f15036803b6a8fe28868a

SHA512
2139a0d520ed70b72dc76fdd0555185386c9c22de1e1fb7eaac0607b313500c44f856c76ac6e2cd72148ea0b86b10bdd2b0ab7daacfc945cb66a637b8d99cfe8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

Filesize
1.2MB

MD5
0637ad2bf6fc5ac1d29e547155bc818c

SHA1
a502879466b6dd37eae5881bbb18353f97623852

SHA256
868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f

SHA512
1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9248a710d7fe2485a557ce5d3cbcf2df\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0.ni.dll

Filesize
607KB

MD5
e9ca062e4958cc25400c804029a5bf62

SHA1
1ed4374d0d0f568936fdebe17d9110481d6b3344

SHA256
a09436c1df8fcd8ecd1732d6e4e68f32b092e71e0c5d3308b0f3f20abd03d4e0

SHA512
43a9ea20d1e636201c0ce7098c198b893465b45f747ed2a002e8dd0bfc7739c28e166d259faf3a0087ae1fe59c74cc8e598f2b283cc7ebc345b6f3b5c388e520

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\935a710d2d09f380aea954059c7bcaa6\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
8b1fd721452f1a4177bd79b5c9d3045e

SHA1
ff84aae190f5365be3a8d6ccd315a14fc25ef3d4

SHA256
34b63762f31c92f8c2308e51c648c0179776ee87ec4abe623ea6b3e7417065d9

SHA512
a06bbc75d63c74da08b5698682a66b4bf5772b3b287d07df194efb4efb82e6ee0fec79b009542027aa0fb2a92fe564851fe4c4afddc5096d703ff7e74402d68b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a05ee2388c8a28fb3ac98ec65148e455\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

Filesize
65KB

MD5
da9f9a01a99bd98104b19a95eeef256c

SHA1
272071d5bbc0c234bc2f63dfcd5a90f83079bbab

SHA256
b06632dff444204f6e76b16198c31ab706ea52270d5e3ae81626dc1fc1fb1a4d

SHA512
dcb3273e33b7df02461e81a4f65ae99c0a9ae98188a612ce6d605a058bd2dcb6ddb5b7c78abe1f0a955b7f0c07c323dbfd77a2b6a629a9c87e4ecc1c57e4d81d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a5e4b58b4442bf00580057c26f71d8ac\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
a6e5067b515c6c5fb8ca1f1be144087c

SHA1
f38a160b72b22ede1f597861126686aedbf92a53

SHA256
848723df21b8fab01fdc3bf233f0a11b751351ddc4d870a63a16b3f1aff30a46

SHA512
dea1cf0bd0c9b35560e3409b09d13573d2041bc4617128cd4aade514fa7e1056ed9e1412ad51ab81340b0d10cfa48efeda20f3dd5ebb0eada7e680374d03eaee

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b8e029b1434d965380b363483e376df0\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.ni.dll

Filesize
329KB

MD5
eb09a7062a66a50fe2cb16c4a80561a7

SHA1
33b4c71ced7644be9802374a4f04c866394daaca

SHA256
e94a4ad1ef9de2886a231e857c8691328c2e6e344cc9e82440e5c45b8a788256

SHA512
c57a4c626c87032ca422df04ce7c3322662a9b0c6c06a46e93f08ca8f431295c9ae802cd79f53cae5de2b39a30bbeb756c966880e874ed44115cf511cc1ff920

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bb63c81d306795319eaf7af25f67342a\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.ni.dll

Filesize
141KB

MD5
58cacef7cbc000bb5ddeedc08a598f36

SHA1
f8963d4ac1f7b72c2ee4a0a6d45b921f4f88bab7

SHA256
124a0869df89ec2c9f0b307dd6b6d17e1e1e7ad638e0b4abf4483c15f842d270

SHA512
9cf04e365abcdcfcb9c1f927da83a2dfe0791cccb80cd84ed63b03264d1e253060c455ed8664f35aee0a59e8c172f859ba49c67c9eec811a53e656c076c6bf66

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bf3e8ba642eaf9a5371982f211550c52\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.ni.dll

Filesize
278KB

MD5
d74d434aa70ce827715b5e0ac7eda5be

SHA1
b53f3374be4c96af51c78fd873de1360f17c200f

SHA256
54701cbe719b08b2393b9f4a604c372f9a280b5d3dd520b563d2aea7d69a1496

SHA512
631d09a0ff39ece829f5c23278c2c030e5ff758b285128edb7805682de75b5be1aedd914d2325f79ec98d0103660a39ae1f1a5782f5dad038b143f3774c098df

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ff91583a2e6bc7dd959deb7e77ea57db\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
a7dd8def557ccd9e8202199499386651

SHA1
10bc3b044c6c2b258356169eab5d6dbc54329ed0

SHA256
b6b22830a89592a0a9ebd67cfee66f668772c55dbbac0be1c8e9f12a8f7aa526

SHA512
8b03745d7fb2fb08eb2c10a50f1049a93eb96b68649e6136e553c0714ea345a3cf9c04953661143a610e7492b539826b759727c5d895ea47ec4b00be5770943f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
286KB

MD5
662ca7855b48bc2677094919e7151e44

SHA1
db2df8ec63042b586463e48f90fe6686fe10f2e6

SHA256
33535f57702039c873c66d6bb7449bc84defa77421026e837abdc874fe3a1418

SHA512
7ff86d2fd2665ba7f014aeca8810ab27a8755cd3b69bb64c5a574fdfea1ee66934f47471ac14f4611d80c5ed8bf8c4e5735de6731acd2cf232ac9d100105564a

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
64KB

MD5
407faa1e1ceae57f74e9884813d8cb49

SHA1
f9dae2476986d02d7fd5a7f3000e3c60af97188e

SHA256
60c8543cf9ae82daf3c8a8fd3d63b0755a3c11ea6a06522f4fbf5dd2e935568a

SHA512
acdde057d13403749f33fa1e3ebab800e5a48869ea8db0704f3730576d213904e06bf43c59b1e6d2ee3de452af6780b52cadb2ce9223fd833261919f415f0175

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
28KB

MD5
f4ba86b363bcbf39d6eed4e1fc3a28b5

SHA1
145e85e398c3fb095b1075f33d316df7d02c7b48

SHA256
48cdfe10926be64f4961844bf0b15d1b4cbc61268b8c64977d5f7936ac54713d

SHA512
248fa64d99d029bd63774b47d0b67c32642b200fcf5c870aad3dd7c0e59a4bd5a3033c1402ee0c4e9a956f683dde65340f9fb07222f805cd3d2436b854371885

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
213KB

MD5
fa8a45b51e5d8d58651bef8d7a29af74

SHA1
4768b262e036c370e26de68e95c139bee1a9c4cb

SHA256
11ecb89cc2623c12038f84cac3b9108934048d0f476298ee2c125f8db7ab96ae

SHA512
59225443f0a113430cad4af1cebcee13412cdfb0552edcc97f1b177dbcd6afa2717f89289f5446eb73c9d4f0549288c22ce0eceef9b6b9b394efac33783fda8a

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
237KB

MD5
ff375bed77fe1ced30f2a92e200a3f6e

SHA1
2989ddc4bc2ae6ce03c7f74e8c8b9402288a1c10

SHA256
c3ce38a63fa174fe3884f60cbce2fecb417cddaefb5169680f36cccdcf8a5aa8

SHA512
3657457e6c25031167c283026b3bcb862960ce4af2b99857eaca0fe54506f1573826fd834790f9e32eebd5da436641f994b5cab70351752f28d8b647c1790287

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
92KB

MD5
97ff29f29a18416684204b5f231e2590

SHA1
72b3f292649b75152c4b64752e95a5f287542155

SHA256
1d3cbe29e60c52d543cc6c8dc822cf4243dd2a3b33d3386f469b724581599e7e

SHA512
6df9e15ec51078c7067a821869573271d42315819e5bd6671b318d0a524eca68e4670f55321bfb56bce1c854ec910bb88a9f174b7180048aef6252859e28c363

Download Submit
\Windows\System32\Locator.exe

Filesize
126KB

MD5
3883b05f18f89a30aca761a233df70df

SHA1
6cb50942fb60f9c2f529ba1fd501a049888f532e

SHA256
3b8d96707d8b07199e965ac77e49001f45b3c10a95f0bd335112f3e3fbcb6a18

SHA512
2da2652f5fce21b10366484f70c52f8bb1a851c834930bea1f12c5697eb6e144671119a89a3a3203974b4227ec63d7da54a36ab6e4d3a0adca7d5091f254ef88

Download Submit
\Windows\System32\alg.exe

Filesize
327KB

MD5
5441e7da29872df844cbaabfc5e43aad

SHA1
5f941d2f72f7db329605c421203aa033ddf1c0f5

SHA256
b60383468152afe8b5f72ddf9457cb8e97f957069facc772b065861fa1f3f9a5

SHA512
235d882be0f21092e1125323b9d80f1679c3598b5e266d62a4d822920d832b5723131bc67e8b9cf0f65ae9d305cd8675bc68605c91838040110d68b743d24c33

Download Submit
\Windows\System32\dllhost.exe

Filesize
53KB

MD5
d039e70df5e06ec05c4d1214d7f432a0

SHA1
229e29ea931d39c3d43baf2ef6bcef229b174130

SHA256
7e711de6cfa0d68358f870a8159bc798948d065262bbf425ea354b6ec4412ffe

SHA512
2bd53e7f796ad3b8571b7fe1b30b93ee310f04765730ddb737882c3409673ebb2c3035d0fadb11eab669866c7a77ed9de8c0164cb3e6a306a1c7928f6d33aa43

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
137KB

MD5
5095e89e52cbbd45e7bfad49a6d95530

SHA1
cca7029500a8cba71ba309c606e6199969a27d31

SHA256
179a15abc777cd269afebd7a00f2ce5d2112d68f3a100f5645bc057637c7e68f

SHA512
fbd814d413b093ecb47b4f81ad8910d4bc82ca6fbe6c50ab52a3b5ee8ad875bdcabc4e444bd3845e7d950e39df93aaa7ac6913bf28303a798a1fcb4809cf7a02

Download Submit
\Windows\System32\msdtc.exe

Filesize
284KB

MD5
f0db2089b47b241e6e89ddf48914002f

SHA1
328f56d494734c4b2e66557e5b3dab02203d0ce9

SHA256
aba599957bf99690391d728108cb75f3f2f8952bee452175f9e85e8c50d54e4e

SHA512
5d489e5faf8b1495da9d1a2409c51810e8b01b54b3f2d0c516338a7cadf15fb01ac123b4e81ebbe2f796f26191278359d408458133073a63f40ac41bf2aea518

Download Submit
\Windows\System32\msiexec.exe

Filesize
243KB

MD5
6d582353495f7bff88d337a17f19d037

SHA1
145a5464e779ea800df4ea2d33f1a73f731a4095

SHA256
e9d71791de1060cc80f46d36c549082b9506195277131198c5fe29a217f0173a

SHA512
67eb57ab476178ebf031c96b2bb78420f96c9dcfef4be784d98f5f728c29f52fa2a862134557a90b0208858f946fabd432ac6111495e1466b939b63d63e58be4

Download Submit
\Windows\System32\msiexec.exe

Filesize
63KB

MD5
231cab7e8e19b43635886dd290889e6a

SHA1
ae23e9811400c8764403d001ef72de79f3f1aec3

SHA256
19c6c1dcd99e53872eb12880adb3b72e85ce5182625995234fbcff30bef84100

SHA512
fd2ebb23424628ff2909dfa0532f06ce05c12d4ff0d3d0f6c34f43a9f5a65a36bd8863b158570a8a3a584ca6cc6be10f75240c2eb57f000e80a510be25493572

Download Submit
\Windows\System32\snmptrap.exe

Filesize
45KB

MD5
e931518a1ef7cae6c8c3292665f7db3f

SHA1
e552110aae42ee32abe655de246bf042e9fd2db0

SHA256
59f11592b55b95aa2992224d0f2017492627745d8a0d9a1b17faba080f5b6b76

SHA512
fe5bd2fea807b3476d28489840b60747ecc147b0b0c17452dbd9d671813eff9822dc2ed2d6a7173c2a2317abcbdcc3f05fd828dbfd146cde0432f03f74a4a4c7

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
163KB

MD5
d46574bce2f0c98a1bc397665b144658

SHA1
5b72625a5b7ce8921074cdbf397b7c2531049fc6

SHA256
2d61e1ab2a42e2c879ced3a7530845b60d4e91de0d03b32f98d36380a416654b

SHA512
40826ee65415ecd57ed83bb92af2caf31b5ac9d6642917007b3591b2296a4d549b220e97ecd30a36ad83d9b363f9f1ed47c18cbb3198b54208cbbf5e30377a7c

Download Submit
memory/336-386-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/336-377-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/616-199-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1088-184-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1088-181-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1088-188-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1088-237-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1196-222-0x0000000000FF0000-0x0000000001050000-memory.dmp

Filesize
384KB

Download
memory/1196-233-0x0000000000FF0000-0x0000000001050000-memory.dmp

Filesize
384KB

Download
memory/1196-232-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1196-214-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1344-195-0x0000000000CC0000-0x0000000000D40000-memory.dmp

Filesize
512KB

Download
memory/1344-194-0x000007FEF4650000-0x000007FEF4FED000-memory.dmp

Filesize
9.6MB

Download
memory/1344-242-0x000007FEF4650000-0x000007FEF4FED000-memory.dmp

Filesize
9.6MB

Download
memory/1344-248-0x000007FEF4650000-0x000007FEF4FED000-memory.dmp

Filesize
9.6MB

Download
memory/1344-196-0x000007FEF4650000-0x000007FEF4FED000-memory.dmp

Filesize
9.6MB

Download
memory/1344-245-0x0000000000CC0000-0x0000000000D40000-memory.dmp

Filesize
512KB

Download
memory/1344-291-0x0000000000CC0000-0x0000000000D40000-memory.dmp

Filesize
512KB

Download
memory/1408-278-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1408-285-0x00000000001B0000-0x0000000000217000-memory.dmp

Filesize
412KB

Download
memory/1408-427-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1440-167-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/1440-152-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1440-208-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1440-178-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1440-169-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/1440-159-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1440-155-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1504-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1504-160-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1588-399-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1588-410-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/1588-416-0x0000000072BF0000-0x00000000732DE000-memory.dmp

Filesize
6.9MB

Download
memory/1608-135-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/1608-140-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1608-142-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/1608-198-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2028-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2028-144-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2028-0-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2028-1-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2028-373-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2028-7-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2196-106-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2260-174-0x00000000001B0000-0x0000000000210000-memory.dmp

Filesize
384KB

Download
memory/2260-176-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2260-221-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2260-165-0x00000000001B0000-0x0000000000210000-memory.dmp

Filesize
384KB

Download
memory/2308-239-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2308-378-0x0000000000590000-0x0000000000642000-memory.dmp

Filesize
712KB

Download
memory/2308-241-0x0000000000590000-0x0000000000642000-memory.dmp

Filesize
712KB

Download
memory/2308-295-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2312-95-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/2312-117-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2312-89-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/2312-88-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2480-408-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2480-274-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2480-264-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2480-273-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2480-287-0x0000000073FE8000-0x0000000073FFD000-memory.dmp

Filesize
84KB

Download
memory/2504-168-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2504-54-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2656-228-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2656-283-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2716-385-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2716-262-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/2716-250-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2776-126-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2776-190-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2776-120-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2776-119-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2828-450-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/2828-433-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2880-260-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2880-201-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2880-206-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2880-207-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2944-292-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2988-371-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download