8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/02/2024, 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884.exe
Size

1.8MB
MD5

88719b7f18fe75d8d6e2158dd9282d85
SHA1

5fe11316c6f65aaf52f51b668037308b6af8de29
SHA256

8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884
SHA512

6a3f698da1e2547990767695d15efa2f1a735e1d8c4e4e49c7b0d5f7aea841b4525970e980b93293e5b7788ec7be1cae00e4127facb19122b469493c407f1ce8
SSDEEP

49152:rx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAcgFIDRRAubt5M:rvbjVkjjCAzJQUf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
476	Process not Found
2764	alg.exe
1336	aspnet_state.exe
3036	mscorsvw.exe
1792	mscorsvw.exe
2612	mscorsvw.exe
1620	mscorsvw.exe
1228	ehRecvr.exe
872	ehsched.exe
2336	elevation_service.exe
932	IEEtwCollector.exe
2104	GROOVE.EXE
1704	maintenanceservice.exe
2804	msdtc.exe
1016	msiexec.exe
2620	OSE.EXE
768	OSPPSVC.EXE
288	perfhost.exe
2484	locator.exe
2876	snmptrap.exe
1624	vds.exe
304	vssvc.exe
2708	wbengine.exe
2848	WmiApSrv.exe
2684	dllhost.exe
2652	mscorsvw.exe
1568	mscorsvw.exe
1760	mscorsvw.exe
2420	mscorsvw.exe
1288	mscorsvw.exe
1116	mscorsvw.exe
2044	mscorsvw.exe
2776	mscorsvw.exe
2172	mscorsvw.exe
1268	mscorsvw.exe
2964	mscorsvw.exe
2528	mscorsvw.exe
608	mscorsvw.exe
2536	mscorsvw.exe
876	mscorsvw.exe
2436	mscorsvw.exe
1496	mscorsvw.exe
1004	mscorsvw.exe
2840	mscorsvw.exe
1516	mscorsvw.exe
2564	mscorsvw.exe
2160	mscorsvw.exe
2012	mscorsvw.exe
1724	mscorsvw.exe
1496	mscorsvw.exe
2556	mscorsvw.exe
2140	mscorsvw.exe
2560	mscorsvw.exe
1004	mscorsvw.exe
2340	mscorsvw.exe
2208	mscorsvw.exe
2880	mscorsvw.exe
1700	mscorsvw.exe
2344	mscorsvw.exe
2012	mscorsvw.exe
3036	mscorsvw.exe
2816	mscorsvw.exe
2164	mscorsvw.exe
2340	mscorsvw.exe

Loads dropped DLL 51 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
1016	msiexec.exe
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
2208	mscorsvw.exe
2208	mscorsvw.exe
1700	mscorsvw.exe
1700	mscorsvw.exe
2012	mscorsvw.exe
2012	mscorsvw.exe
2816	mscorsvw.exe
2816	mscorsvw.exe
2340	mscorsvw.exe
2340	mscorsvw.exe
564	mscorsvw.exe
564	mscorsvw.exe
1096	mscorsvw.exe
1096	mscorsvw.exe
2968	mscorsvw.exe
2968	mscorsvw.exe
2136	mscorsvw.exe
2136	mscorsvw.exe
2004	mscorsvw.exe
2004	mscorsvw.exe
2400	mscorsvw.exe
2400	mscorsvw.exe
1984	mscorsvw.exe
1984	mscorsvw.exe
2340	mscorsvw.exe
2340	mscorsvw.exe
2000	mscorsvw.exe
2000	mscorsvw.exe
2556	mscorsvw.exe
2556	mscorsvw.exe
2524	mscorsvw.exe
2524	mscorsvw.exe
1264	mscorsvw.exe
1264	mscorsvw.exe
328	mscorsvw.exe
328	mscorsvw.exe
2332	mscorsvw.exe
2332	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\snmptrap.exe	8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ceba4e568a0c1054.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884.exe
File opened for modification	C:\Windows\system32\wbengine.exe	8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884.exe
File opened for modification	C:\Windows\system32\locator.exe	8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM13FE.tmp\psmachine_64.dll	8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM13FE.tmp\goopdateres_sk.dll	8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884.exe
File created	C:\Program Files (x86)\Google\Temp\GUM13FE.tmp\goopdateres_it.dll	8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM13FE.tmp\goopdateres_fa.dll	8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM13FE.tmp\goopdateres_mr.dll	8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM13FE.tmp\goopdateres_fr.dll	8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{816A3475-9C83-4071-ADF3-DF13B538F008}\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{81A89950-DBBA-4C24-9ED4-C23019CB2132}.crmlog	dllhost.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1620.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5C24.tmp\Microsoft.Office.Tools.Common.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP954.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP18CE.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFE0E.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP129.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1D8F.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1504	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2356	8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	1620	mscorsvw.exe
Token: 33	1276	EhTray.exe
Token: SeIncBasePriorityPrivilege	1276	EhTray.exe
Token: SeDebugPrivilege	1504	ehRec.exe
Token: 33	1276	EhTray.exe
Token: SeIncBasePriorityPrivilege	1276	EhTray.exe
Token: SeRestorePrivilege	1016	msiexec.exe
Token: SeTakeOwnershipPrivilege	1016	msiexec.exe
Token: SeSecurityPrivilege	1016	msiexec.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	1620	mscorsvw.exe
Token: SeBackupPrivilege	304	vssvc.exe
Token: SeRestorePrivilege	304	vssvc.exe
Token: SeAuditPrivilege	304	vssvc.exe
Token: SeBackupPrivilege	2708	wbengine.exe
Token: SeRestorePrivilege	2708	wbengine.exe
Token: SeSecurityPrivilege	2708	wbengine.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	1620	mscorsvw.exe
Token: SeShutdownPrivilege	1620	mscorsvw.exe
Token: SeDebugPrivilege	2764	alg.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	1620	mscorsvw.exe
Token: SeDebugPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	1620	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	1620	mscorsvw.exe
Token: SeShutdownPrivilege	1620	mscorsvw.exe
Token: SeShutdownPrivilege	1620	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	1620	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	1620	mscorsvw.exe
Token: SeShutdownPrivilege	1620	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	1620	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	1620	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	1620	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	1620	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	1620	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	1620	mscorsvw.exe
Token: SeDebugPrivilege	1620	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	1620	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	1620	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	1620	mscorsvw.exe
Token: SeShutdownPrivilege	1620	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	1620	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1276	EhTray.exe
1276	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1276	EhTray.exe
1276	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2652	2612	mscorsvw.exe	45
PID 2612 wrote to memory of 2652	2612	mscorsvw.exe	45
PID 2612 wrote to memory of 2652	2612	mscorsvw.exe	45
PID 2612 wrote to memory of 2652	2612	mscorsvw.exe	45
PID 2612 wrote to memory of 1568	2612	mscorsvw.exe	49
PID 2612 wrote to memory of 1568	2612	mscorsvw.exe	49
PID 2612 wrote to memory of 1568	2612	mscorsvw.exe	49
PID 2612 wrote to memory of 1568	2612	mscorsvw.exe	49
PID 2612 wrote to memory of 1760	2612	mscorsvw.exe	51
PID 2612 wrote to memory of 1760	2612	mscorsvw.exe	51
PID 2612 wrote to memory of 1760	2612	mscorsvw.exe	51
PID 2612 wrote to memory of 1760	2612	mscorsvw.exe	51
PID 2612 wrote to memory of 2420	2612	mscorsvw.exe	54
PID 2612 wrote to memory of 2420	2612	mscorsvw.exe	54
PID 2612 wrote to memory of 2420	2612	mscorsvw.exe	54
PID 2612 wrote to memory of 2420	2612	mscorsvw.exe	54
PID 2612 wrote to memory of 1288	2612	mscorsvw.exe	59
PID 2612 wrote to memory of 1288	2612	mscorsvw.exe	59
PID 2612 wrote to memory of 1288	2612	mscorsvw.exe	59
PID 2612 wrote to memory of 1288	2612	mscorsvw.exe	59
PID 2612 wrote to memory of 1116	2612	mscorsvw.exe	60
PID 2612 wrote to memory of 1116	2612	mscorsvw.exe	60
PID 2612 wrote to memory of 1116	2612	mscorsvw.exe	60
PID 2612 wrote to memory of 1116	2612	mscorsvw.exe	60
PID 2612 wrote to memory of 2044	2612	mscorsvw.exe	61
PID 2612 wrote to memory of 2044	2612	mscorsvw.exe	61
PID 2612 wrote to memory of 2044	2612	mscorsvw.exe	61
PID 2612 wrote to memory of 2044	2612	mscorsvw.exe	61
PID 2612 wrote to memory of 2776	2612	mscorsvw.exe	62
PID 2612 wrote to memory of 2776	2612	mscorsvw.exe	62
PID 2612 wrote to memory of 2776	2612	mscorsvw.exe	62
PID 2612 wrote to memory of 2776	2612	mscorsvw.exe	62
PID 2612 wrote to memory of 2172	2612	mscorsvw.exe	63
PID 2612 wrote to memory of 2172	2612	mscorsvw.exe	63
PID 2612 wrote to memory of 2172	2612	mscorsvw.exe	63
PID 2612 wrote to memory of 2172	2612	mscorsvw.exe	63
PID 2612 wrote to memory of 1268	2612	mscorsvw.exe	64
PID 2612 wrote to memory of 1268	2612	mscorsvw.exe	64
PID 2612 wrote to memory of 1268	2612	mscorsvw.exe	64
PID 2612 wrote to memory of 1268	2612	mscorsvw.exe	64
PID 2612 wrote to memory of 2964	2612	mscorsvw.exe	65
PID 2612 wrote to memory of 2964	2612	mscorsvw.exe	65
PID 2612 wrote to memory of 2964	2612	mscorsvw.exe	65
PID 2612 wrote to memory of 2964	2612	mscorsvw.exe	65
PID 2612 wrote to memory of 2528	2612	mscorsvw.exe	66
PID 2612 wrote to memory of 2528	2612	mscorsvw.exe	66
PID 2612 wrote to memory of 2528	2612	mscorsvw.exe	66
PID 2612 wrote to memory of 2528	2612	mscorsvw.exe	66
PID 2612 wrote to memory of 608	2612	mscorsvw.exe	67
PID 2612 wrote to memory of 608	2612	mscorsvw.exe	67
PID 2612 wrote to memory of 608	2612	mscorsvw.exe	67
PID 2612 wrote to memory of 608	2612	mscorsvw.exe	67
PID 2612 wrote to memory of 2536	2612	mscorsvw.exe	68
PID 2612 wrote to memory of 2536	2612	mscorsvw.exe	68
PID 2612 wrote to memory of 2536	2612	mscorsvw.exe	68
PID 2612 wrote to memory of 2536	2612	mscorsvw.exe	68
PID 2612 wrote to memory of 876	2612	mscorsvw.exe	69
PID 2612 wrote to memory of 876	2612	mscorsvw.exe	69
PID 2612 wrote to memory of 876	2612	mscorsvw.exe	69
PID 2612 wrote to memory of 876	2612	mscorsvw.exe	69
PID 2612 wrote to memory of 2436	2612	mscorsvw.exe	70
PID 2612 wrote to memory of 2436	2612	mscorsvw.exe	70
PID 2612 wrote to memory of 2436	2612	mscorsvw.exe	70
PID 2612 wrote to memory of 2436	2612	mscorsvw.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884.exe
"C:\Users\Admin\AppData\Local\Temp\8c21d0219e7915bb50b7d8588090fdb5f48d487c3cd87618f6099ea600768884.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1336

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 244 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 244 -NGENProcess 1e0 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 1d4 -NGENProcess 254 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d4 -NGENProcess 254 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 24c -NGENProcess 238 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 238 -NGENProcess 1e8 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 25c -NGENProcess 1d4 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 260 -NGENProcess 26c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 270 -NGENProcess 1d4 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 248 -NGENProcess 1d4 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 260 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 27c -NGENProcess 270 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 248 -NGENProcess 280 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 240 -NGENProcess 284 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 270 -NGENProcess 288 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 28c -NGENProcess 284 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:1496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 268 -NGENProcess 248 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 270 -NGENProcess 294 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 27c -NGENProcess 248 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 290 -NGENProcess 29c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 288 -NGENProcess 248 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 298 -NGENProcess 2a4 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 284 -NGENProcess 248 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 264 -NGENProcess 250 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 294 -NGENProcess 1c4 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 1f0 -NGENProcess 2b4 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 248 -NGENProcess 2b8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 248 -NGENProcess 2a4 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 23c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 1c4 -NGENProcess 2c8 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2cc -NGENProcess 23c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2c4 -NGENProcess 2b8 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c4 -NGENProcess 2c8 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2c8 -NGENProcess 2cc -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e0 -NGENProcess 1c4 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 1c4 -NGENProcess 2c4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2dc -NGENProcess 2e4 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2e4 -NGENProcess 2e0 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:1864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f4 -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2ec -NGENProcess 2cc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2fc -NGENProcess 2f8 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2f8 -NGENProcess 2dc -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2f4 -NGENProcess 300 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 300 -NGENProcess 1c4 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 30c -NGENProcess 2e4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2e4 -NGENProcess 304 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:1268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 314 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 314 -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 1c4 -NGENProcess 30c -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2ec -NGENProcess 30c -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2ec -NGENProcess 300 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 314 -NGENProcess 328 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 314 -NGENProcess 2f0 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent c8 -NGENProcess 330 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:1860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent c8 -InterruptEvent 1c4 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2f0 -NGENProcess 310 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess c8 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 1c4 -NGENProcess 340 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 32c -NGENProcess c8 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 348 -NGENProcess 2f0 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 334 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 32c -NGENProcess 350 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 350 -NGENProcess c8 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent c8 -NGENProcess 33c -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 354 -NGENProcess 35c -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 330 -NGENProcess 360 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 330 -NGENProcess 310 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 32c -NGENProcess 368 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 32c -NGENProcess 358 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent c8 -InterruptEvent 310 -NGENProcess 36c -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:1124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 33c -NGENProcess 370 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 354 -NGENProcess c8 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 330 -NGENProcess 370 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 378 -NGENProcess 310 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 380 -NGENProcess c8 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 36c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 340 -NGENProcess 358 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 380 -NGENProcess 38c -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 390 -NGENProcess 358 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 388 -NGENProcess 394 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 340 -NGENProcess 358 -Pipe c8 -Comment "NGen Worker Process"
  2⤵
  PID:584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 330 -NGENProcess 39c -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 38c -NGENProcess 358 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 398 -NGENProcess 3a4 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 378 -NGENProcess 358 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 3a8 -NGENProcess 38c -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 3a4 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 378 -NGENProcess 3b4 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 340 -NGENProcess 3a4 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3b0 -NGENProcess 3bc -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 3b0 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3a4 -NGENProcess 3c4 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 38c -NGENProcess 3b0 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 340 -NGENProcess 3cc -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 3b4 -NGENProcess 3b0 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3c8 -NGENProcess 3d4 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 398 -NGENProcess 3b0 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3d0 -NGENProcess 3dc -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3c4 -NGENProcess 3b0 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2332

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1228

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2556

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:872

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1792

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1276

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:932

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2104

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:304

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2848

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2684

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1624

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2876

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2484

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:288

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:768

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2620

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
254KB

MD5
762d9966a1500db38ada2c6ba838a60a

SHA1
e65a0378465b51ab1d2f9aa2d5e97abe981f4b5b

SHA256
f8f40b1d184202272e162415ddf0e77cfab892426cb044c0636dc8822935e874

SHA512
ecc1b31c5003246c71fef2f2b3ab5e1b4c7eb06e49d9d163d0b9893127ac5dc1217f09c9f4780bae0cf01dde25281778e7d04dcdcd7be5159b20e5755d3c5772

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
170KB

MD5
7ceaaf6ed187e1995011022f1eae145d

SHA1
bfe595df4ca7e2584a0d8cd5563557aeefedf9bc

SHA256
50131fcb942d180b6719948173dc2d4695bdabc0640046c5f677218835c0d25c

SHA512
e3b97308fb966aff115e6bc79826e6121a29877a6a37a7bb5ff01b4766d7a6a7075f75bb86a3d412f47687c54c4dab0e778678b3d6c31b0414d42ea7bc544e94

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
70KB

MD5
49554a1ff15a64bea9bc42c208d5ee3f

SHA1
c7fadf9b5eea549c91ed22141e619acd0a96b520

SHA256
72118f7f7d838dc5e639135c886ea2e068183b1964b738a1c8e811fd87480220

SHA512
1e15ba07681e184482e513bebcdf3937384e101acfb2880c9d58d0cd2554f38a7bbddf1900c6ac25fff2b5938a95d0f503ba999f44fd2da2b5ac6ec61c1a72f3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
62KB

MD5
7d9942a95ed16cd6ac911f59e565218d

SHA1
41f592560cc1b879103085b0513b960b5ad0cb9d

SHA256
421641b8f0b708a7c9b16b5b296ef4cff4b9e994e5acb2a2ce906532f2177e8f

SHA512
de327125165864bdd7403ab34bec015b258b4ffdb31bbbd08ef7b9ccc6ef49f85388b6ba353014d0c9db96b8f6af141153a880a9f891e3bf72f34fee5d85cf94

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
98KB

MD5
06cdc82ec7758209e5ffa0760242addb

SHA1
dcca0f4eef5c01284ad9677cddba63945b9c1937

SHA256
b99fa8ed133b40379fc0e60d719f8e01c1b1e6a320e30373dcc6c49cf9eb752d

SHA512
29f480ba49ad278f8ff98e6a652ee01daf3fc766c94ddb8cbdc15b11d4be644ed3fc4d000727d9a81925e6a039ebb38d5f26367f480153dfb9ea54528dfc9aa5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
124KB

MD5
babf1fa1a2c9a46a5de30ef9e592f8ec

SHA1
08da4edc65fc595ccf3d92b911928e90468a88ae

SHA256
1ba6c28eebfe27f7e1030863a66cad2f77347dfa68bda94854b3086556f2b000

SHA512
fec32d0ec6f79878ea071c6a1a9e4ca0c7fc17f041a3157b6d09d9c690ce28788bd59058531a5d37f41f52e03c33c373bb025251a8fe51c487f9822f23ea962b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
421KB

MD5
a0fc87011c3a50b1e51be72799a03cc6

SHA1
900e1c6cf20aa3919f0161e1a52171162fcddba8

SHA256
e809d1de4e4d8356b5f3123263bad8cdcbe160ef01ea0082b466af7741984d01

SHA512
5609e41735a30a054896030f17d56b560df67058c66bee7a1d28571d793dea26915015b65f9c6b076ab6f6d3bed2bb396f7ed207c005b548dc840117649e7338

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
251KB

MD5
8375b440fdfea2f261275ec2fbbd339a

SHA1
57ea77046b47edc13a81f065c90f2842161dd103

SHA256
d5fd271d31f8a7c170b6236082004e723d6c4264366899215bc8dd0d40dc4e59

SHA512
f93d519958e6860c4fde253b1e20125bb2cbd9b632557417ca5616cd4520bda8bbae73f206df6d2b01f25c382c47ccc46e655e7f10d77d25cc6448bedbd77710

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
399KB

MD5
639e512b5b6a5a9f24b687e1668c2684

SHA1
2517e028957e93af9fc2417887158b5aa15abed2

SHA256
11688d777db232d2bd93b3880e3a697fe1d169f01328c3c9c277db8fdf459fcb

SHA512
6d1a167c36a5d614f0cbd83accf7177918a2bf2d181fbe01169f5a068c833ab3bc9dd8e9e2371014a735450fa66e0a37a7fd24586f50bc17bc4f96c1c930630d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
400KB

MD5
658b862564a6a1fe09a03436a4f81b9f

SHA1
2501790ce7e94456c841a40e8f8fc4e0741df512

SHA256
fbeefaa048b6398c2b8f4aa78af34ddbc664bc3a404fe8288f14e8b9bb161adb

SHA512
b5fe879940ff573ab9b1523dc31170ba5cf270ff2c5409ea8280f84e5dd6dbc7305084c39059d23e6531c66e744d565a335117a791bdedc7c58f548a14950cc0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
356KB

MD5
bc24e19c0ea8a95cda08787049a3fc05

SHA1
d6fec91e0a85fb1042cfb5f9562c0a35b878771e

SHA256
ebd090a899b12d688375750bc02d85da6884d54f1ea930abcf7f791fddab9716

SHA512
fb354d6c572e83ec7f2dce6e08d7fba7e2576c2e5b1b648854893fe410922261dc8c4dcf5c3fb3b072013eb65e1f1cb24b2bc78eab30588181bf740be4b55225

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
235KB

MD5
bdbf6373bcfefa37f92be1c9a1102c99

SHA1
454d1d60e8bfa88c64eb3eb24fe648ddb54b51b7

SHA256
de756e7bfd724511c45250228718b7a9d13cba4d716c7893c5aafad78178eabc

SHA512
32fb21cbc022b2cf5b8e663bb7c8f3bcf1f2e48374ea86de001077605383faf11379a17212343ae9d740e0673f2e635d99294c0b0e301ffecb4bae32ef373297

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
256KB

MD5
8446b3e24cbfc3b0a1561ca7a6c1ea6e

SHA1
af08bcad7072f6b615e28eb40af24539be815b78

SHA256
1654ab99e29940d2a34e64266210778d364b76a31d4d585534ec186f0721da55

SHA512
4eb4a884845eaa0c75aa9f775a4d119418c1eed4b888a4168a9c7236bd107ab300f243fea87d2886fb4ab356512737cd80aa7c5964227c14596d7993cf191471

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
346KB

MD5
fa39a8bf382301ca6e14f1d26a469f69

SHA1
215269500020f02fa9b4ede29fef7dfa8901d9e5

SHA256
6bf026bb446a395706a759dbfb03ec26e2880b83a9acb31aeadb746d5bf5a92c

SHA512
c89d3bab518717fc8fb0099a8976d1f8a9829ee3966026c0302fc1bfdc83271656a8866631ee16824301c37e6cfd03391db001a4b0f09c8c2fdb89691294fcd3

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
374KB

MD5
0c43c7d49969476e9e4043148f32f6b8

SHA1
0f8c39775cab27df4faecaccafa8cc28daa9610b

SHA256
239447ef47cfba970a63008bf26400ad94cd5dc47e7cb1795486ca7fdd7b0c7f

SHA512
756d87202811128ec6606cb5a5d0d3040bb0f9e39bfb4752c8048ae7490a3b2dccba154400e9c595b19026646eb21cf1a851be4587b22c279b80523f9b98af39

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
310KB

MD5
3946f97626facfb8279f4eb4c6fb13dd

SHA1
179650008d24313d497f254aaef57b521a74b22b

SHA256
441ca1b5cbf8816858facfeaf818c6cd0cd5020a30463f418e4c8cb013d0e24b

SHA512
69ce722c6bc63141a449fa3263e2cba35a6a36ac9e09dccde1d2dcd77cfcc075e9e2db20e9dc8bb1c1e7d8e1e4f332d6683765ab69a4a4883644ca266cfcfcd3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
224KB

MD5
994fb7697b53090f89f49f61357532b1

SHA1
2d53f363a006fae92fced6e9651a35caeea6c944

SHA256
a8d9d8151f42ecf1c0a7d8d287d9498410e8bfd7ee3c83939f586415b6575b44

SHA512
96554deb88217c189673074b622f75ba09d06060a3c73e2158b6b388b1d8c99c6b89c1eba7c53a000136786831d63ee590ab9072123a7061564de8ba6ecbce67

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
75KB

MD5
6a2f55b4c962c7a1b2ed689d3bef3bea

SHA1
3d5fde1306e9bf75bdb71a1bdb0d660ca907e737

SHA256
2620321c10f26a810d7f8faa4462cbfe37899ea0508a7be14149345b0354e51d

SHA512
68f64bae09a9af31f794fa0c452961a494c5d68cf20c30ddb616b6d5e14169d3047d805000b3128fa2ceb36c6cfbaca00104ea5b383982be8c4df34f39226047

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
74KB

MD5
d4610bc0c47ca95dd7aad969f174ffb5

SHA1
c9147b9a9e4dbab25ecc43aee13107f21de9e012

SHA256
f698d15d82ef4983303bd2c62f58329104111e05e39267a8be3724a8f869361a

SHA512
14a703643a9e2b02ccb605fef3367bd6d351346887a64cdaf0c3db1aa38414c2f3f9193ee0db10935ad2aaac70736b5c7415191c53d9223cef1810f592343dcb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
53KB

MD5
72b68370e8c047cb79eb4b06a6824d21

SHA1
65c064718121bf44e95ca91e2aa1dc1afa195232

SHA256
d1e9ee5663adc4f46de882e3ba027ef62b6f82e695824c7b302428ff8c7972cb

SHA512
d30a69eb4615ce0c48ef5db2fd3c7c4d758a8e55383341771623d3e0059c9569a41e3da004325ab8ff93a0e9e4c00db85b1131df0622f2c58bf76c9ae9230db5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
130KB

MD5
524c72f75b015313fc6739bcd439e975

SHA1
fbf16ba33488a6a5c650fcd26d463e090b9b8ca6

SHA256
3eaf39b74458447d343a39dc28c912d11159dd2127320667e459acfa7d62a8bd

SHA512
c88f5d247f1065e866dba0478f6d664588192d126d9e1e575300eed3806d177389cc7a73beb3a9d480ac69e9053b9bb7c4d918d71f920d5abb592831087d1e6b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b1429adf5817bb192ce5662014b3128f

SHA1
93485b76aae0e07152ae449a48957636d28ff06b

SHA256
55b25f691cff9dead7c271944b735f3cfd8c8bc56ff63a8822f5793a60a53b63

SHA512
33e1b9b0b1d859915000de3b709ca48b80fd80ad8d250cf3005d9f692ef08edd36d360a2a0f82953892ed4c00f781f43cdd5b5f19280b4b844f82b14084a1af8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
538KB

MD5
de3df0df2da9be3eccf21e1ead213da4

SHA1
1827452921f289b5d29ad3d84ea9927d0ab32974

SHA256
641902f2e7d32058ac4c029c1c074ae59b5f4f7e3f2773dbed2e11962deff35a

SHA512
7e1646f5d05d7534b3605ed467372eb9ecddf0237deed286548c9aa208f1b16dcca44e1d9e7d4c53cc35f05fab42503d33fb43da66145cdf94650486f1de2722

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
64KB

MD5
21c31aae89cd5d3e2835994b75ae12b3

SHA1
b184a88e913588ea563fd1f6e2f42aa59fba1e99

SHA256
50ccf2d73f0a2ebeb6018e6e3491c848942e94c6124037794159a291c76f9d89

SHA512
12fc65c8d7415c3ca5e90c37960f8a11dbcc39ad93d5f7a8c54550339994fc25087bf559c70044a6a2b26689013e4ffa91375fc76763db374f573068f90d7d2b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
377KB

MD5
5a9a324e0df3bce4ed5a924a66c9af8d

SHA1
ce62ea75e4d301f336e075b8b6846bd8a6ad4db3

SHA256
b913c45f2ea20e1886b7c682889497e4142dd481d824bfeff182bbe917477b69

SHA512
10e8d9350b1509ae4fbcdf68e7e50b973dbb86903327fbf88836430833a1e9fa4376ea6cd4db3e97d6b046f33f6f9e752ea1f7b3c8bf349e066e7450479b11f2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
269KB

MD5
ee986e896e414464a501d8dd40c3cc91

SHA1
b14fb856b42c140d5981e71aa3a3c737a09af92f

SHA256
53c71ff42f63dcb36ad11aa7b7ddad0a85b6968e3b4a0dbf02968656df92b84c

SHA512
f9d78b412adac5ed31a29fc004dad7f3c60ae620e0b92e2f2eeab8c35290e800db648de46966025ec046812273b4299834bf57c0e03ad66521e9abaf058d9f9d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
5KB

MD5
135c7b96e920f208bcf566b0723b5b32

SHA1
ee3f7d84a29f70e2c60da345873397cc39f68aa6

SHA256
eba97e6130fa3e72a7653bd3a2d0ea2e4affdef5df7f32991f099979eef58475

SHA512
35a523a2efe1ef434d47541c319d62fca2215ad6c17793ac4ea1cac63320e86dfd65d1552242fc0f33d0159c563837247583f95ca43266101f2b0d4a0bfb25cc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.1MB

MD5
b296606c18ad0c51d7c9cb30face27dd

SHA1
1fcf4f464500b7aea4c2f7088c8496cb4c869544

SHA256
a919be0572681ce746978914596e79ad4ab0dbea057dcdf7fd53b5122d43409d

SHA512
2bb7e1891b0ab161f0460a68a7ce0f2b3ef4700263592174fef7698b2f426c41a72d6a2ab9751df9ff4e2647589417ba14ac38d6589d079ebec48b2dc185f78b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
780KB

MD5
223d31fcb28aa09b5961975ead176fcc

SHA1
f35db446fbbe72e06107e6dafa4904e4d624563c

SHA256
64bc661129502cc05824aa83321d343a4a0ab2599a6ce76cea18a88ef91fe4e4

SHA512
9560fa7db3a492111731180efebabc83cb2ce0845df7d01952f0f8bf9d6974db4afade6ea8f2018e4688428895894f790265cb53d2a55acb4befc5c441d8c198

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
481KB

MD5
816d41d81f1846c0fca4556e3e0b5cfe

SHA1
ff5741600052f0e13e4594f9e71c38e520cb1bd1

SHA256
f2c667b2259f3c2fba254b81b0ca81c77cf8322b345941b633ab12b621b700c0

SHA512
76107dfa129d9e410022a66d3bd7dfce96480be31cf3c380aade9208aae708eb98efc2bcec2fad5fd2dfbcf122e3124c2627c885890fb90eb4a61dc1f0472274

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
667KB

MD5
d6cc6487bf6b8de2595a1706cf30679c

SHA1
bbbff64b281d53264c85e669a3b6d516c064428e

SHA256
161a3098552d9ea7d8c5f749fb4828b6c6487bbc85d6f070266ccc8a9513db48

SHA512
cb84e1fb9c01f1dfa1f153ca27be46cc3b10395599c212b737c6e2f1d5e4fe1ff0958a9e30500853f3e7401e8e904323ed9eb262028630a6748a1845f355e0af

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
9949433e64c1e8f74c377df11ab375bf

SHA1
9df588414eed0cddb3a0ad6126aa90d9ce00d949

SHA256
b9d7743c60365092ab933439288d051ab777aa287e85db276bba711153b1bf1d

SHA512
45677454eeb2c63b6aa0967c08e8098b2e70ec2d381939ee951915b47a881baf629dca1e28573e855ef02903e962e6b96a401baf66468ed085daacd5891b0f97

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
106KB

MD5
26733c413d4e06009f38347ae7905a1a

SHA1
1fcb3f90b785a5cb2ef27ecc1f55f0733220c652

SHA256
144569992a7f1463496a46739e355813be2e0bb3ca0e04f42987aa717413a64b

SHA512
4502fa4b4c60dda66b68e124cd8d8f984c5e19dba6b93c6aa71d702d6a43a4e1d7f745d428ef88302b940bbd2546813ef6ef3c94033d130e9e76f5c0950e184f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
148KB

MD5
371eef969742f21de2893ab1d9789482

SHA1
d925fc90b90096c50e9e45ed44043fea4e083de3

SHA256
ee7a16e719d77df6aecb4053b4dba9a0f8cfa5e6958982e6d4ec89026ef01e3e

SHA512
49ed5806a4f745eaec1033f9410d241a02bcccb2eadf3fef7ef785afb810c1058ba420c638821862711796af6dc29969840d3fd77f07367ae927f25b85c5f772

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
127KB

MD5
739417833478880d973c82f795e01778

SHA1
bb968689855960558aa7db043900cf924a2cde8e

SHA256
92d075cd9c85d36ee657c8afe579c1623f894a37482808816d12ff4fe97e9670

SHA512
b1998b7bbb4507a2627db46c0c6574c9fd4316beaa95e0d898dfdd922b129700194edc517fe7d79c1b3c58a05d306e0a932e845b408a16d70c00539230b9c160

Download Submit
C:\Windows\System32\alg.exe

Filesize
15KB

MD5
db42e9a6f21aae1fb9424461a2eb1bbc

SHA1
e8d7590d5dfef49859920a9dbfbf4b6533b979b7

SHA256
248c128a6b6ff84c682cd19dde701e15efc5a454b027f6ce63f056a64ac1d548

SHA512
d17d16142055614535ec04eb9a1168e62b5aca367543adc411bf7884b0c7d200d8adec68dc18647ac1df61bfca1868026e6495497247cf7b3e92ed033928ee3e

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
53KB

MD5
006d04501d363bdfe402e585cab60a61

SHA1
a3b1faf1545002f3f568d419bc5568b3f6ea0dd3

SHA256
dc255eda9a34a11eb65f52aff32223194f8f31612e7e391bce0d164bc85a30f7

SHA512
0184e0a5e9cea151f2992ff9184f4f068a6c1ed24d8ae2d2048bf806123492f3066e5345aa1c7e302493e23525835f2900c69dc5be867d3739f93044bbc36629

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
55KB

MD5
499d62f2ae4dcfd849f434b21c327fc5

SHA1
d4a28653556bcdffa08a8f84bd00189308e4a806

SHA256
adf6fe26bb1e40a937fd2c3dae9d80e6eabcc88fbbb9c0cb45c057f38b083f3f

SHA512
085eff3d0eb88cdb37eb65753717eef8952558e10526b7d31a5a714dc63dd51179fd24d23b7a20e95ffce93fab90bf125f294e6e2430ff19e598af5452e84562

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
269KB

MD5
6b50661bac1e501649ce70d6e4702723

SHA1
e96bbbc588a284491f7536e3820b17ce107f8e3b

SHA256
d4b85301ce8c8608cf3b1abc9ab6ca5b9eb7bbaffbb5e93a96f93cb77514cd9b

SHA512
ce5e3c521b71b2310a34c13fe33c364c7f84727554e27c0f7316c0687f94a3391909715cb9666370972ad574ceadcfdb868efae5515fb75283dcd218b7b7410d

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
81KB

MD5
030c76c50aef7def84aaada2b1609add

SHA1
35e48bf2d04a9020c992f6a27fc051c7d41f385a

SHA256
5b638df2dbb602e6a89f4b075c24fd20995f116b277da16b5f204327df9ed6e3

SHA512
a75ec87cfb75d9afb7a89200111734661ae0a6d8f5085cc8351be3eec910280f2456e94752a0a17c86c7bcd201ebffa5d8673dc6d53620d4c934c6e9049320e3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
42KB

MD5
4f36ff6c9db16fe01147f86017143427

SHA1
8832ea9d550d19ca15bc5c17dc1fb8400c1e9686

SHA256
36da00d0003d39bb64ef82e14cbf8192dfcd0690af31be20ee9791ef54272c00

SHA512
1acdfdd4319fbfbb405863ce3319cf759dea5fe7176e5cca706cb767f59732b7191c988c0365bfe89bcd165a13d02854909a6a324d14ed020e71b6d75e2f5678

Download Submit
C:\Windows\System32\vds.exe

Filesize
142KB

MD5
d179acac18e6e0078af14cd535b999ef

SHA1
10eb85d16a07072c5a09fbae85b571b03c9fbe1b

SHA256
7703506b78142a2a675e8ff86c062e7927718cb4123f273f495aa5288cce475d

SHA512
239ff6a8dc0a8e81b23f877e775f39819b564e7be82c7faebcdfc9fc773121e9cd8d54c39b9044ae921f18645a69b7d7cb267ed02da1b845e7469c874c61a561

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
91KB

MD5
e9e7cd643fe6d2aa576701966e9e8c4d

SHA1
52f9309221e9cb02ecea3f9b0f075cf0d33591f1

SHA256
157889af16e4e0fe70838c06c5d9d39d64f9226e9772861d8b7fd073f03974b2

SHA512
e371d5869edfc6d80678577760275412747f8878df41ea24ea8a4b3da19cef58aff34ed43e2fe43e0ffacae640bbc71613101c5c82171e2e2a28ab58ae916edd

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
92KB

MD5
1fcb60c5b6b4b4a04da08cceef124f7a

SHA1
0bf1dfad3b21e3476345d0a94fa5393500cbc391

SHA256
ae95e58f31a0f977507b77b45bea3730f763d29adccb7427c9af32895bea28f7

SHA512
b38c5c327be224d1c4eed4a5ec5da7727867004ff23879f7ba6d28442326afc34f81b804da04b1ddda087baa647c64b8ffe5ad14c27fa94370a25840d6a4519c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
98KB

MD5
58b06976da49a8d3b459f8a8921db5dd

SHA1
9c641bd5837e2090a182706fb5421249d13f8d56

SHA256
04b7af068f0acc4760a851b83b77c1065e9ca9b37f0356bc2e1be035a84f884f

SHA512
428c8f526447200078b2e82385cbc21272bbed5c07f4fcdd77564f497a0e017d434fcae7df621da4d505ed03548f3d48ee14603bd9b49e221034814b0fcb861e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\281cb210c112121a40c546f778e08f68\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
66KB

MD5
186a71ff5118af579d24ee8e3bf70b27

SHA1
07815a7d47c679e9e9ad7071ee35dcf2863a09e8

SHA256
96efd89d3451278aee48494a7b5733ee033af390dab4ab1e48fcf624209b6863

SHA512
db4dabcda91d078ed6adafd5eaadeca673a34bb06f9e6ca7fc8f81332e42fd7f9c35298ad0221c7b5a53807137fd083e86ab8e64fa161c3e2779b82b17293108

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4d420aa31d320cdf2e1ce2aefe7bc119\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
6f9f108fa2279e1c28463809d1ade2ae

SHA1
f4a84ed2ee86aca38d3eb4cb8447cae3c7120e1d

SHA256
bdcf89d2d6f43ae146e1008fceff57d91e78c517a37df09a4d7bb18a935a96c8

SHA512
9a21732e365f20811a617d579f63a6879ffa0d727d786ea824c651992d079690a476453a365fa52fcffa722e575ce52087ee3757ad90db3ba308fda6567ace3f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\c5c94ba9c0b56cea2d335edf1e1d2de9\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
7ecced5a422dcc246d737e8799e56a73

SHA1
adc6e82edcc80d94c32a7cb1730e36296d4a7adb

SHA256
c8bc0ecf429e265ad4f3cba07dbe71af0842738bd2cbc6243224dbf59306a481

SHA512
659eefcc9cf2d41d04cc24b1100096a4c14ff2cedadf3fa73a5772f306bf90beea642ac8f4d22201b273921619d2ee8eab056aceb55fd30905a70236f71d8381

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d0b0358b7bf6c5c9f764a653baf6b4ac\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
cbedf55d278e8fba3a9629a389d6ee3b

SHA1
35d3640c1439f96b7c5faae4a3e482a46799bc5c

SHA256
d74e36c6fff39ffe2bda4a6c033c6a6ef1045bf278d58ed429022b2bf4d7dc86

SHA512
f3892df33c982cfd73c19e534d0d69f54f8d7ce323c0e3cd44001abefcc7cbacf596ffdb3faf116550aabb24d394e04b8b346c1ff36a38e822cdd08e531f23f0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
290KB

MD5
f2cd4569b2b50b5b11ecd6e8532e6ca1

SHA1
487205023269a4960e49f2386b75bf3adfdc07ea

SHA256
71d5afd02455f8b3ee4db1afee11155868a93fc516977f91ba6c52bb546c9957

SHA512
8e754353f241604d1ee0b8788fac77cc59ac517dd68af8b3a14478c5d2b4ef07beb2133582959ba90d0667bcd242bb304ed3c17a13db5e178a40799734e93d84

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
319KB

MD5
8a9adaa3163a80e2f44f5eaf3cbbbfa0

SHA1
d3f763cea521e2fc0fb3089114047b635fbc8937

SHA256
1e1d1b3bbd38e5f91b5da060d99a81419197697e964000124928adc48f06eb60

SHA512
af7d725c654f1c829b3cc8cf2d45b0cd9d526407467a2381802a8fba6482316d95470d8eb9d1c3a31f217f59fad773136df70014576f6eee79866a6ad3d3fe68

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
86KB

MD5
0a92f9359ece301aacfd5e23efb63170

SHA1
02710c9823c1ed3c2cc06c3d04d1a6db3d256ef5

SHA256
b13f15dcf7ce1775517dac3173a46c0e4377ae1673f390d3d88aedeff7374adc

SHA512
be95ebe7fc206f0b10c04d57a0481655170e039d0b02a74c35864b934d4b8c26e9df37076e453661fb58fe60087db12304dfd531d6becb011ea9628a1ac673ae

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
156KB

MD5
04321283f1c86ffa8f45757a09e061ed

SHA1
33565c4126dd3990a44a90c41f88df699945816c

SHA256
bfbd56e04bdfd615599150da646e4ee9979e13831ceea2d8c3f57bd149e8bf97

SHA512
0a9e3bf3733329f82e4746222f214113ab49c4f7467e9717a93849802f1fc795d82fc7eb23e82e0359d8532439429fcc59a6d218b053b28b05d55a22a7cbcfcc

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
291KB

MD5
094c69d4c0f8472e080cf68e6e7d47cd

SHA1
4569c9ec247d9a4c488f0fd0bea6b49826ac702e

SHA256
1c1ab70fcb95ebaf784bf90d884af82e8acae77f23225880a38dff7c02cea09e

SHA512
9bcfb8778ee67883137e7229a47aeceebb5b4d32917f32f5bba06a4510ae4841b97745653667b4d16b9a49c4b1021b8a73c0282fdeb95f85dd6a86c4ddf404c3

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
349KB

MD5
f4112fbe2f3a8b9ebbef5d38fcaa7056

SHA1
85fe338856b570889d745c1d7636a26c0d9b1714

SHA256
4c6d0ab452c2e94c8e4f6238363f97ecc50c15f626b41c250b90589d989573ee

SHA512
46a29f5c6d18193d614a01214193eb9090ec56e3a922c340f3f2b011fd31f6df0fff58127074eba7af0ba76e72f1f306fd7af4e9fbba83acae7a2d82a6b54488

Download Submit
\Windows\System32\Locator.exe

Filesize
86KB

MD5
da2c39473459eef239e66a36f2695962

SHA1
1d2be0a79c3e441c55031724b4dd6a1385214ab0

SHA256
404a683ee37ac89982849f799f6e4905ec43515e62111e5da8667dac5338874a

SHA512
d8e42f6bdadfb07f9e72def3510b505d4abf43ca8d24773cb236d9c0e0314566c87460ec99a4ca6dbabe685c4b22aa21b4c693604c020f61db2726c233b13e46

Download Submit
\Windows\System32\alg.exe

Filesize
541KB

MD5
87b05414a29af04f00fc7f0af809f48f

SHA1
3e55c20bd94a01f9f7a03fdbc0cd3fe04ef0382a

SHA256
65f0966a9e39d6d9f9ecde7d026fb6d203b22f56031e30f3ed8841ade35c60b2

SHA512
203867df9362fd565f69ac3ff186ecadff59ede6ab39509d06961489892ee6c8f1f7538bd597ae72c73afe7ac7b6900a4296b273c8e92055421012d8a22bc674

Download Submit
\Windows\System32\dllhost.exe

Filesize
50KB

MD5
799447cbb446f9f4af1b94151e5515b1

SHA1
97767455458f4db6bba3ebd6e71863ab7145edfa

SHA256
61211a33578511d6351e4ad87d910dc22697f601e46983d2b028115d8bfdcb67

SHA512
ed4ef9f349d70bf59dc5d73bdbb11687848cb5466c3a6ddd718af3740e65f15933fbac289db9f5beab2d28230adf2dfb2b5655e92dfe02878b67639750a9e687

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
111KB

MD5
7672935da26290159b3e8ee574f20ff2

SHA1
4f39614c6fb0f4971eaa7ffe4f2d88b9f5d38c1c

SHA256
fc05f4ab7e7abe965a2419c6a9adf2963b6a2b995da90c7616d578db176420c2

SHA512
db44fa4c7f217c6c09940cf8d2208386ec5ef5efed00679129df9820ec2b06d0b6f7b4bb4b405b517b66d578b65ff135b7eb06afd11099c457b3d43c22493532

Download Submit
\Windows\System32\msdtc.exe

Filesize
78KB

MD5
a75e8c28cf39559ffba462b7ad5295d7

SHA1
f77390d8ef7b5103c3ec60781d6df93813baee6f

SHA256
643c23954b49c958f540fdf3328936258dacdb68c9c6529d319e111d6938c8d9

SHA512
44e1020f6cc2f81d11f5dba2d18847b86471356b0e379367608928a5ee5810e1d980545ff79496881e5275a0f488d8ca3c7eb383146a5c5d079cd7c11efb8a18

Download Submit
\Windows\System32\msiexec.exe

Filesize
74KB

MD5
600f3d714dddac55329eaf81ac2d7b76

SHA1
95a2b6bc592144dd4837da4b432deff83926eff1

SHA256
6ed01241c8209c4264031e6558ee9ae24629d96927dcd35986bc8566a7d7e76d

SHA512
6988d8985554760e0de1704f1406b4598b4d5207971b15555855ccb7e3cec70b087a3eaac342b8b3471dec312b4eb06b73df0fedf79231aee9ff8ac84e39b237

Download Submit
\Windows\System32\msiexec.exe

Filesize
157KB

MD5
3e6d365a680ac8189e0611333da0f66f

SHA1
cf98b69a97cdd0385c83dcba26f231a1a95ea65b

SHA256
ebfaf5564f0ce0067fbe2ec76746b3c1f7fd9bd6a1d8c651da6d4e96083d3677

SHA512
b09506253394a08e3edbeabee2bb6bd25b2b88f5db466fa2047741c146cb7ef2d3081197cb3e7cfd156acaa4402ac2e02ae2728c77996d27e719056704ff173c

Download Submit
\Windows\System32\snmptrap.exe

Filesize
49KB

MD5
062ec9bb1ded3d2aee3876b594007b9d

SHA1
ed77d9b92bbabc7a7fd2f661d952522df6d06288

SHA256
9518cf61242ecf4387b31834784093df479604ba5cb4699cd2cc1005269aa3f7

SHA512
a333b60d07527d745a9ad0b9e998e24973f4b93fb35cca0af877c71ab5ebdd5b551ea5c34bf155518578a146312b0b16d031307abdb994d9558d7afb124366c0

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
72KB

MD5
f1507da90f186dddfa567817dc3b4998

SHA1
cc4913a894b07733a30f87025e2408c5ddb32c67

SHA256
b08e67800b028ca34a4514cc2daef2a28b825301e72420e08c6c0cee6f5df9db

SHA512
c84308bc98356f5b0d0ff1cf1e1ace6c79cabb5400a3ad926b41292fc8bf20ac50efca936212b34edcb0389d9d225775c3ef0ba8ae463bff6e066628c4e053ee

Download Submit
\Windows\System32\wbengine.exe

Filesize
90KB

MD5
9e0eebcb919f2ca2a284e0632f1bdc03

SHA1
a66859ced2510e1360ae1769cdb7d8798f2b1bd4

SHA256
3ca70c29f4c7d880c37973cdcb28f49d987dfac02813d2937f7ec52881193794

SHA512
1d1965ffaf48b67d6cfd83b8721923cde528e9f6096ca753b64a886000f21fddbb86f4098d55c4614eeb0b088e94c922918075216acba0937503119c3ef990a3

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
296KB

MD5
9087991f683b292299b91eea2305f221

SHA1
f2afa5e25b8de3df7a83f3eeccc04b3827650084

SHA256
9e9e7619d1a9ee99ee432041c08d746e8b6c65e592a4e2fd3df1cb60ba0f9635

SHA512
3baf7c7f66b4bc206cda7109ae5ce05b3c120eab1ac5e89ddb4bb3e922332dfe9f5fc6cba0629f0c27a31839dd830a8cc0ce11fc1b3f546dc4f4a8816b80d261

Download Submit
\Windows\ehome\ehsched.exe

Filesize
235KB

MD5
487f50ca4bf27ce92d44f1068218b6f2

SHA1
6dff4bcd68ec5c1cc24f1b08c8e5304a38de853a

SHA256
e10844e3758a275796e221f62cc3698d3b35c6a6347dc256eea47a23073d76e1

SHA512
285c92e22dbe44c657ca62649023847e19ba723e24b4ac764152c071af04dce2a327b4befa53c25d4305f3db3e0cef96bd51158c87452a876165fd5ce2120031

Download Submit
memory/288-319-0x0000000001000000-0x0000000001137000-memory.dmp

Filesize
1.2MB

Download
memory/288-321-0x0000000000430000-0x0000000000497000-memory.dmp

Filesize
412KB

Download
memory/768-324-0x00000000744D8000-0x00000000744ED000-memory.dmp

Filesize
84KB

Download
memory/768-368-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/768-304-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/768-309-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/768-311-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/872-237-0x0000000140000000-0x0000000140153000-memory.dmp

Filesize
1.3MB

Download
memory/872-174-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/872-182-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/872-177-0x0000000140000000-0x0000000140153000-memory.dmp

Filesize
1.3MB

Download
memory/932-210-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/932-272-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/932-214-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1016-274-0x00000000006E0000-0x0000000000833000-memory.dmp

Filesize
1.3MB

Download
memory/1016-280-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1016-344-0x00000000006E0000-0x0000000000833000-memory.dmp

Filesize
1.3MB

Download
memory/1016-270-0x0000000100000000-0x0000000100153000-memory.dmp

Filesize
1.3MB

Download
memory/1016-335-0x0000000100000000-0x0000000100153000-memory.dmp

Filesize
1.3MB

Download
memory/1228-167-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1228-184-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1228-163-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1228-220-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1228-175-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1228-158-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1228-172-0x0000000000EE0000-0x0000000000EF0000-memory.dmp

Filesize
64KB

Download
memory/1336-173-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1336-93-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1504-208-0x000007FEF4A20000-0x000007FEF53BD000-memory.dmp

Filesize
9.6MB

Download
memory/1504-287-0x0000000000ED0000-0x0000000000F50000-memory.dmp

Filesize
512KB

Download
memory/1504-216-0x0000000000ED0000-0x0000000000F50000-memory.dmp

Filesize
512KB

Download
memory/1504-263-0x000007FEF4A20000-0x000007FEF53BD000-memory.dmp

Filesize
9.6MB

Download
memory/1504-204-0x000007FEF4A20000-0x000007FEF53BD000-memory.dmp

Filesize
9.6MB

Download
memory/1504-206-0x0000000000ED0000-0x0000000000F50000-memory.dmp

Filesize
512KB

Download
memory/1504-268-0x0000000000ED0000-0x0000000000F50000-memory.dmp

Filesize
512KB

Download
memory/1620-213-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1620-149-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/1620-145-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1620-140-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/1624-364-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/1624-361-0x0000000100000000-0x00000001001B5000-memory.dmp

Filesize
1.7MB

Download
memory/1704-242-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/1704-249-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/1704-238-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1704-248-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1792-113-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/2104-225-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2104-227-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2104-291-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2336-252-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2336-195-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2336-191-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2336-188-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2356-2-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2356-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2356-143-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2356-0-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2484-328-0x0000000100000000-0x0000000100136000-memory.dmp

Filesize
1.2MB

Download
memory/2484-337-0x0000000000470000-0x00000000004D0000-memory.dmp

Filesize
384KB

Download
memory/2612-126-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2612-198-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2612-132-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2612-127-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2620-293-0x000000002E000000-0x000000002E156000-memory.dmp

Filesize
1.3MB

Download
memory/2620-359-0x000000002E000000-0x000000002E156000-memory.dmp

Filesize
1.3MB

Download
memory/2620-297-0x00000000003F0000-0x0000000000457000-memory.dmp

Filesize
412KB

Download
memory/2764-161-0x0000000100000000-0x0000000100145000-memory.dmp

Filesize
1.3MB

Download
memory/2764-12-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2764-18-0x0000000100000000-0x0000000100145000-memory.dmp

Filesize
1.3MB

Download
memory/2764-47-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2804-264-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2804-254-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/2804-323-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/2876-351-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/2876-346-0x0000000100000000-0x0000000100137000-memory.dmp

Filesize
1.2MB

Download
memory/3036-103-0x00000000006C0000-0x0000000000727000-memory.dmp

Filesize
412KB

Download
memory/3036-97-0x00000000006C0000-0x0000000000727000-memory.dmp

Filesize
412KB

Download
memory/3036-96-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/3036-102-0x00000000006C0000-0x0000000000727000-memory.dmp

Filesize
412KB

Download
memory/3036-124-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download