1f473cfb03299ec5d8408c094214aa478e5aa570a6bc74ab9b8f3a20bcb745bc

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f473cfb03299ec5d8408c094214aa478e5aa570a6bc74ab9b8f3a20bcb745bc.exe
Size

1.8MB
MD5

31eda057c7105641624cf18e68bd613c
SHA1

2e57f65ecbbbfb2d79c6a693b72aa0f4d9deb3a6
SHA256

1f473cfb03299ec5d8408c094214aa478e5aa570a6bc74ab9b8f3a20bcb745bc
SHA512

72fc3bb9bc9bb80ef2998c98b87f5a2c63efd53aa636c69e427a8ee12cd7e8f135acd58ff401e7da9c5cb68353a3c1c415e81fd0133b3f40ab20725a311e2f01
SSDEEP

49152:/x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAhjGyqsdDMnBx:/vbjVkjjCAzJSjGvsdM

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
476	Process not Found
2976	alg.exe
2516	aspnet_state.exe
1200	mscorsvw.exe
2032	mscorsvw.exe
2348	mscorsvw.exe
860	mscorsvw.exe
320	ehRecvr.exe
768	ehsched.exe
1076	mscorsvw.exe
896	dllhost.exe
1252	elevation_service.exe
2596	GROOVE.EXE
2352	maintenanceservice.exe
2368	OSE.EXE
2360	OSPPSVC.EXE
812	mscorsvw.exe
3060	mscorsvw.exe
2228	mscorsvw.exe
2780	mscorsvw.exe
2072	mscorsvw.exe
1872	mscorsvw.exe
1576	mscorsvw.exe
1568	mscorsvw.exe
1088	mscorsvw.exe
2344	mscorsvw.exe
1068	mscorsvw.exe
2456	mscorsvw.exe
1292	mscorsvw.exe
600	mscorsvw.exe
1964	mscorsvw.exe
2272	mscorsvw.exe
2096	mscorsvw.exe
2844	mscorsvw.exe
3048	mscorsvw.exe
3052	mscorsvw.exe
2576	mscorsvw.exe
2536	mscorsvw.exe
2408	mscorsvw.exe
1188	mscorsvw.exe
1760	mscorsvw.exe
2200	mscorsvw.exe
2328	mscorsvw.exe
2576	mscorsvw.exe
1248	mscorsvw.exe
1312	mscorsvw.exe
3028	mscorsvw.exe
1736	mscorsvw.exe
1612	mscorsvw.exe
2944	mscorsvw.exe
1804	mscorsvw.exe
2312	mscorsvw.exe
1536	mscorsvw.exe
2576	mscorsvw.exe
2824	mscorsvw.exe
1600	mscorsvw.exe
2512	mscorsvw.exe
2032	mscorsvw.exe
628	mscorsvw.exe
2068	mscorsvw.exe
2796	mscorsvw.exe
932	mscorsvw.exe
1536	mscorsvw.exe
2848	mscorsvw.exe

Loads dropped DLL 45 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
1312	mscorsvw.exe
1312	mscorsvw.exe
1736	mscorsvw.exe
1736	mscorsvw.exe
2944	mscorsvw.exe
2944	mscorsvw.exe
2312	mscorsvw.exe
2312	mscorsvw.exe
2576	mscorsvw.exe
2576	mscorsvw.exe
1600	mscorsvw.exe
1600	mscorsvw.exe
2032	mscorsvw.exe
2032	mscorsvw.exe
2068	mscorsvw.exe
2068	mscorsvw.exe
932	mscorsvw.exe
932	mscorsvw.exe
2848	mscorsvw.exe
2848	mscorsvw.exe
1716	mscorsvw.exe
1716	mscorsvw.exe
1088	mscorsvw.exe
1088	mscorsvw.exe
3060	mscorsvw.exe
3060	mscorsvw.exe
2148	mscorsvw.exe
2148	mscorsvw.exe
768	mscorsvw.exe
768	mscorsvw.exe
2512	mscorsvw.exe
2512	mscorsvw.exe
696	mscorsvw.exe
696	mscorsvw.exe
2900	mscorsvw.exe
2900	mscorsvw.exe
1384	mscorsvw.exe
1384	mscorsvw.exe
1696	mscorsvw.exe
1696	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b4da3472323b6587.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1f473cfb03299ec5d8408c094214aa478e5aa570a6bc74ab9b8f3a20bcb745bc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	1f473cfb03299ec5d8408c094214aa478e5aa570a6bc74ab9b8f3a20bcb745bc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUME53.tmp\goopdateres_ko.dll	1f473cfb03299ec5d8408c094214aa478e5aa570a6bc74ab9b8f3a20bcb745bc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUME53.tmp\goopdateres_sw.dll	1f473cfb03299ec5d8408c094214aa478e5aa570a6bc74ab9b8f3a20bcb745bc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUME53.tmp\goopdateres_iw.dll	1f473cfb03299ec5d8408c094214aa478e5aa570a6bc74ab9b8f3a20bcb745bc.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUME53.tmp\goopdateres_th.dll	1f473cfb03299ec5d8408c094214aa478e5aa570a6bc74ab9b8f3a20bcb745bc.exe
File created	C:\Program Files (x86)\Google\Temp\GUME53.tmp\goopdateres_mr.dll	1f473cfb03299ec5d8408c094214aa478e5aa570a6bc74ab9b8f3a20bcb745bc.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUME53.tmp\goopdateres_bg.dll	1f473cfb03299ec5d8408c094214aa478e5aa570a6bc74ab9b8f3a20bcb745bc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUME53.tmp\goopdateres_is.dll	1f473cfb03299ec5d8408c094214aa478e5aa570a6bc74ab9b8f3a20bcb745bc.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUME53.tmp\goopdateres_pt-BR.dll	1f473cfb03299ec5d8408c094214aa478e5aa570a6bc74ab9b8f3a20bcb745bc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUME53.tmp\goopdateres_gu.dll	1f473cfb03299ec5d8408c094214aa478e5aa570a6bc74ab9b8f3a20bcb745bc.exe
File created	C:\Program Files (x86)\Google\Temp\GUME53.tmp\GoogleUpdateComRegisterShell64.exe	1f473cfb03299ec5d8408c094214aa478e5aa570a6bc74ab9b8f3a20bcb745bc.exe
File created	C:\Program Files (x86)\Google\Temp\GUME53.tmp\goopdateres_es-419.dll	1f473cfb03299ec5d8408c094214aa478e5aa570a6bc74ab9b8f3a20bcb745bc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	1f473cfb03299ec5d8408c094214aa478e5aa570a6bc74ab9b8f3a20bcb745bc.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPF9AA.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP204D.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP561C.tmp\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPF0E.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP318C.tmp\ehiActivScp.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	1f473cfb03299ec5d8408c094214aa478e5aa570a6bc74ab9b8f3a20bcb745bc.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP638.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP13DE.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP32C.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2752	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2968	1f473cfb03299ec5d8408c094214aa478e5aa570a6bc74ab9b8f3a20bcb745bc.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: 33	1608	EhTray.exe
Token: SeIncBasePriorityPrivilege	1608	EhTray.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeDebugPrivilege	2752	ehRec.exe
Token: SeDebugPrivilege	2976	alg.exe
Token: 33	1608	EhTray.exe
Token: SeIncBasePriorityPrivilege	1608	EhTray.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeDebugPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe
Token: SeShutdownPrivilege	2348	mscorsvw.exe
Token: SeShutdownPrivilege	860	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1608	EhTray.exe
1608	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1608	EhTray.exe
1608	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 1076	860	mscorsvw.exe	36
PID 860 wrote to memory of 1076	860	mscorsvw.exe	36
PID 860 wrote to memory of 1076	860	mscorsvw.exe	36
PID 860 wrote to memory of 812	860	mscorsvw.exe	45
PID 860 wrote to memory of 812	860	mscorsvw.exe	45
PID 860 wrote to memory of 812	860	mscorsvw.exe	45
PID 860 wrote to memory of 3060	860	mscorsvw.exe	46
PID 860 wrote to memory of 3060	860	mscorsvw.exe	46
PID 860 wrote to memory of 3060	860	mscorsvw.exe	46
PID 2348 wrote to memory of 2228	2348	mscorsvw.exe	47
PID 2348 wrote to memory of 2228	2348	mscorsvw.exe	47
PID 2348 wrote to memory of 2228	2348	mscorsvw.exe	47
PID 2348 wrote to memory of 2228	2348	mscorsvw.exe	47
PID 2348 wrote to memory of 2780	2348	mscorsvw.exe	48
PID 2348 wrote to memory of 2780	2348	mscorsvw.exe	48
PID 2348 wrote to memory of 2780	2348	mscorsvw.exe	48
PID 2348 wrote to memory of 2780	2348	mscorsvw.exe	48
PID 2348 wrote to memory of 2072	2348	mscorsvw.exe	49
PID 2348 wrote to memory of 2072	2348	mscorsvw.exe	49
PID 2348 wrote to memory of 2072	2348	mscorsvw.exe	49
PID 2348 wrote to memory of 2072	2348	mscorsvw.exe	49
PID 2348 wrote to memory of 1872	2348	mscorsvw.exe	50
PID 2348 wrote to memory of 1872	2348	mscorsvw.exe	50
PID 2348 wrote to memory of 1872	2348	mscorsvw.exe	50
PID 2348 wrote to memory of 1872	2348	mscorsvw.exe	50
PID 2348 wrote to memory of 1576	2348	mscorsvw.exe	51
PID 2348 wrote to memory of 1576	2348	mscorsvw.exe	51
PID 2348 wrote to memory of 1576	2348	mscorsvw.exe	51
PID 2348 wrote to memory of 1576	2348	mscorsvw.exe	51
PID 2348 wrote to memory of 1568	2348	mscorsvw.exe	52
PID 2348 wrote to memory of 1568	2348	mscorsvw.exe	52
PID 2348 wrote to memory of 1568	2348	mscorsvw.exe	52
PID 2348 wrote to memory of 1568	2348	mscorsvw.exe	52
PID 2348 wrote to memory of 1088	2348	mscorsvw.exe	53
PID 2348 wrote to memory of 1088	2348	mscorsvw.exe	53
PID 2348 wrote to memory of 1088	2348	mscorsvw.exe	53
PID 2348 wrote to memory of 1088	2348	mscorsvw.exe	53
PID 2348 wrote to memory of 2344	2348	mscorsvw.exe	54
PID 2348 wrote to memory of 2344	2348	mscorsvw.exe	54
PID 2348 wrote to memory of 2344	2348	mscorsvw.exe	54
PID 2348 wrote to memory of 2344	2348	mscorsvw.exe	54
PID 2348 wrote to memory of 1068	2348	mscorsvw.exe	55
PID 2348 wrote to memory of 1068	2348	mscorsvw.exe	55
PID 2348 wrote to memory of 1068	2348	mscorsvw.exe	55
PID 2348 wrote to memory of 1068	2348	mscorsvw.exe	55
PID 2348 wrote to memory of 2456	2348	mscorsvw.exe	56
PID 2348 wrote to memory of 2456	2348	mscorsvw.exe	56
PID 2348 wrote to memory of 2456	2348	mscorsvw.exe	56
PID 2348 wrote to memory of 2456	2348	mscorsvw.exe	56
PID 2348 wrote to memory of 1292	2348	mscorsvw.exe	57
PID 2348 wrote to memory of 1292	2348	mscorsvw.exe	57
PID 2348 wrote to memory of 1292	2348	mscorsvw.exe	57
PID 2348 wrote to memory of 1292	2348	mscorsvw.exe	57
PID 2348 wrote to memory of 600	2348	mscorsvw.exe	58
PID 2348 wrote to memory of 600	2348	mscorsvw.exe	58
PID 2348 wrote to memory of 600	2348	mscorsvw.exe	58
PID 2348 wrote to memory of 600	2348	mscorsvw.exe	58
PID 2348 wrote to memory of 1964	2348	mscorsvw.exe	59
PID 2348 wrote to memory of 1964	2348	mscorsvw.exe	59
PID 2348 wrote to memory of 1964	2348	mscorsvw.exe	59
PID 2348 wrote to memory of 1964	2348	mscorsvw.exe	59
PID 2348 wrote to memory of 2272	2348	mscorsvw.exe	60
PID 2348 wrote to memory of 2272	2348	mscorsvw.exe	60
PID 2348 wrote to memory of 2272	2348	mscorsvw.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1f473cfb03299ec5d8408c094214aa478e5aa570a6bc74ab9b8f3a20bcb745bc.exe
"C:\Users\Admin\AppData\Local\Temp\1f473cfb03299ec5d8408c094214aa478e5aa570a6bc74ab9b8f3a20bcb745bc.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2516

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1200

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2032

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 200 -NGENProcess 1f0 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 258 -NGENProcess 1d0 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 260 -NGENProcess 248 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 200 -NGENProcess 264 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 268 -NGENProcess 248 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 248 -NGENProcess 250 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 270 -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 244 -NGENProcess 278 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 204 -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 268 -NGENProcess 280 -Pipe 1b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 278 -NGENProcess 284 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 26c -NGENProcess 284 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 27c -NGENProcess 28c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 270 -NGENProcess 284 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 204 -NGENProcess 244 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 244 -NGENProcess 27c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 29c -NGENProcess 26c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 26c -NGENProcess 204 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 284 -NGENProcess 2a4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 27c -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 244 -NGENProcess 2ac -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 204 -NGENProcess 2ac -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 2b4 -NGENProcess 2b0 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2a8 -NGENProcess 2b8 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  PID:1768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2bc -NGENProcess 2b0 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 26c -NGENProcess 2c0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:2792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2c4 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 284 -NGENProcess 2c8 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:2496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2cc -NGENProcess 2b0 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2ac -NGENProcess 2d0 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:2548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 27c -NGENProcess 2d4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2d4 -NGENProcess 2b0 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:1980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c8 -NGENProcess 2dc -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2dc -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:1608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2a4 -NGENProcess 2e4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d4 -NGENProcess 2e8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2ac -NGENProcess 2ec -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2d8 -NGENProcess 2f0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f4 -NGENProcess 2ec -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:1736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 2d4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:356
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2d8 -NGENProcess 2fc -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f0 -NGENProcess 300 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 300 -NGENProcess 2d4 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2200
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2e4 -NGENProcess 308 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1384
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 30c -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d4 -NGENProcess 310 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 314 -NGENProcess 30c -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 36c -NGENProcess 350 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 378 -NGENProcess 364 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 380 -NGENProcess 378 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:1404
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 370 -NGENProcess 314 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 35c -NGENProcess 384 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:2524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 358 -NGENProcess 388 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 364 -NGENProcess 384 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2012
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 390 -NGENProcess 35c -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:1312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 358 -NGENProcess 394 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:1400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 370 -NGENProcess 398 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 37c -NGENProcess 394 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:1520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 3a0 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 36c -NGENProcess 3a4 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2460
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 3a8 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3ac -NGENProcess 3a4 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 390 -NGENProcess 3b0 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 390 -NGENProcess 398 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3b8 -NGENProcess 3b0 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 36c -NGENProcess 3bc -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:1860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3ac -NGENProcess 3c0 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:1776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 35c -NGENProcess 3bc -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 3b0 -NGENProcess 3bc -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:2364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3cc -NGENProcess 3c8 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:2848

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:768

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 24c -NGENProcess 244 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1f4 -NGENProcess 258 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 1dc -NGENProcess 244 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 238 -NGENProcess 260 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1ec -NGENProcess 244 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 264 -NGENProcess 1dc -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 26c -NGENProcess 260 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 274 -NGENProcess 258 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 25c -NGENProcess 27c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 278 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 238 -NGENProcess 250 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 264 -NGENProcess 278 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 280 -NGENProcess 260 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 238 -NGENProcess 288 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 250 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 260 -NGENProcess 290 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 238 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 294 -NGENProcess 28c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 298 -NGENProcess 294 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a0 -NGENProcess 238 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1dc -NGENProcess 2a4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1760

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:896

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1608

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1252

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2596

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2352

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2368

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
3435a1cfdabfb4eb348f020c92daa4b8

SHA1
59b965e6f855b7b096df7390d00cd98749fc68d7

SHA256
914c7326d41deef9a7bca9adc2e83ad23805bf1d42449f564867388f6f18e285

SHA512
177a5592cb531c9e9684f50450050c8ce309cc14d1a3e6bfa0c66e615ad6e337b8fbdd473712b01e518f9670c494597e67f7ec66f8ece319d6ae7caca459f068

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
c1cd9e47788819487fa305b199baa8e6

SHA1
be45f332adf69ce81f4996b39dc08f6ffbe67ed9

SHA256
ac7f08068b16e36c31c149505497c0a4e6e2745db1fb8e6417698ea9c8a55f7c

SHA512
c5c60cb5d62e8baa3f57f2dd31a81b5f075715ebec3a572c173276d821a95ad8d46da4a1911395a5a9bfe5cda63dd9f184f5e449c0c478999ff97f1a9a14cfbb

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
79dec3f09a041dc1fee30f7bbc7fa86f

SHA1
b01620b8776780bcddd994a5bb25761c774386d6

SHA256
5b3cc25c5474f68c158867b61765bd2765af95067694cc27057721d0887b4c11

SHA512
7230d2c697450f3ec9460e5f8f6883065e1b4e87e84ced10c7296dff0eca4659f969926d8f181596d38dcf867969f9512bdd62c6595241e292a7ec14f3354d65

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
77df1b17558278e7595221d205864b3a

SHA1
402634f6f7d8d1a99fa89a85ab6b6396b895e6eb

SHA256
22c46e7368d7dd3bae001c90e5c4527ff5a61409272d1dc89db56666ba2ef301

SHA512
3158b34eb67cd13ace5756f15b21bfd42d4f76eda56d622ed0af02b1f5c16c5c4c0968d15450dc12ce62da4a6758726ef0762e01a29946d571409a97a857c7bc

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
bd6326aea96a54920d6fa7993192d020

SHA1
b7b00cdc841535eefad1c67ff5e31c72d2fb59ae

SHA256
c8d5b5996978f155924f518e89c66c9be18c77cbf5fa85616ed5cba181db310a

SHA512
abf421f130d3b56a02b3a7653ef7cfeb817e1c3b14beb2262f2183e545bd7d533d118ea43bbf8a327aff1e7726055c163e53f92092f1eb45070454028133b8b8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
6.4MB

MD5
d20b3bfa816cfd92d0046544a59920c4

SHA1
f8233f715e4ed784e84d8be99d6d4518498a0274

SHA256
7456b3ed2fc878c29d5a8299f8c742c4e93a32c244f0066687856a829d8b8099

SHA512
2e460541f72050f344853299ef12755caa450ee6d3bebd591e1b64f6563ad5693f66e8c72cf99bd0c32107c108f6d07d13f227d451acbd160492b6de1e6f1ebe

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
27f9dfb4c1e3b3e6f0135a72ad253a56

SHA1
350da24c2293bcf913b58ab9a3b2b8c74c577f65

SHA256
8779a4b7bd5f7d7ccf74148087f03ff14b599e80f03aba1923c04ad714c5bbd2

SHA512
6c5d08771790ba0c8a45abf0585222cc5dad928f7ecd80321e58ae45c8eae08f759ccd2f73b2b74673eabfb39374125ec1cc21a71746f39bb38e6b9bfe0be98b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
634KB

MD5
057acfc8bfc281f2283e995bb81c8cee

SHA1
1cb22f71a313eb72b3cefd42f08264102bbc72cf

SHA256
3a813a573a2272d6798ede35e869754e03c6c39423ac349b257d1fcc2010f420

SHA512
52335964f86885f2b49ae842649bba14b53a4a1594524786ef892dff2a711e237d55508cf8c8927d902cef7a0fbc39055624781ebd4eb6f07979ca64a4fe95a0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.0MB

MD5
b80704239f129298aea1f2c854962b1b

SHA1
bfb0f6cbdb81c4cccb84f9b48fe3bcdfc71806ab

SHA256
e0ac0f4df3012a41efd6122bc7df77924998373534a39fdfb8ce822b0910fe19

SHA512
e955936abdd4661fe78c68d606cda37c4e8b7e89d38bbcf1757e6dd74a398067d2f805c118e72fd7c92d019a9e442fa3c8aa57a8c0df3776c0057e5bfb41efb5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
b662fcd17210bbcc9aadb34e34bcc832

SHA1
6aad11b1b77a7c6c83f8f3fb46a2433e70ade86a

SHA256
09a4b3adee035fc1054ac3d0219c7e78649a338f4c4ca5060b089ae6783afddb

SHA512
819d36c449c0a2da946e9ea5997c3f15fb45b350e422938f62db61981936418564d45002778ab1e1d8b1028fff334418d6f0bf5d41648251f15d684140337bb4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
02635b187fcfd507fd04b7dd6711b062

SHA1
04c2c34fd64c01277e0c0a214726e395894e01ba

SHA256
7cb0224c4b99deef50eec7c9bd248d1db17c640a6569e87091977773fe291210

SHA512
c17c49cad7c59d6d4851288f4ca64cf01ecba69dd9bb0336cdc415ac521e325eaab90cb9b49dab9e73f5ad68f170d9911e476487d8612aef401ee60899aad964

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
583KB

MD5
9eb2cb7e9c69dbb48a3dd552ef013d1f

SHA1
6f51997ca7d7af62cdff62366f07b98693500585

SHA256
ac24e6182eaaa6c95ce4576b4ced1683e2692c5df0da1d0abc3672147b0d44da

SHA512
9864dc4806d655551f44b66325406f36bacb690f97b10afdc344a6102e8963cfa57ed289a69ae0e45fad94f6ed0fb373b19333ee5e687cb8fbb158e34bc6ebc0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
3.4MB

MD5
17569676327eddfbe07e443dffa73766

SHA1
07452518e77d38016c5bfc8e9c99266665668222

SHA256
f5838982d295681c1ed5adc5c8a064e90213c53cd85bf995dd0d9a029081e7ac

SHA512
c38cb80e89bc807d36a78aa1ab72420f0bbed8abfb2873eba0c758ed30b0d0df6f72e9e4e1417c2132ee05d10b329b28f90bc8be46d4a307a67e73108c9f6ccd

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
429KB

MD5
57a242cf348bf261fc0194ffe3a3c9f3

SHA1
7f768fc7603d3e867c42bc15f5282bdff11d418c

SHA256
c9a1482cdbf28bdd719250470ba8a6a3e7631fdad7ca5ecedfba14b052cd168e

SHA512
3e8e13e6032f4f49f1bf46491f4348dc8c40c3043a106f0b607ebd2b865e4de2c26c947f8b99d50b25852a36ed65f3c5e09f2030c08709a747293f6251ec1dce

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
611KB

MD5
ea6d15184fc907c92a85b115d2944828

SHA1
b181e62399397e488463635794ca86a100c63352

SHA256
22a1431a7bb6336ba903343135a9d30007e75316d8cf7220ae102e5f335412de

SHA512
4cc02452c4b95e1362de1ab6b6dc5d7af7a74b11d8580e7a9e3f6ccf832aa88a2eda9bab69b508f089c595171c315249fe94003aa3e291968bf5c09d1aae29dc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
afaeecfc220dee805ffa97c765ab6f5f

SHA1
55315392e543efc0aa6ad4d9517bc1d77e962081

SHA256
135b6c63ffbc5342ff9d5a322f2dba07d301f159c5b771676153402e9c3ce862

SHA512
ffba9405d26088442960a0c377c733ce07e3014ddbe1690de7b28177373cee0c3ab4c9b50d8b9a6a78b690eac51e238bba1caa53ec8784715b669f53deb38318

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
1325666e86735264672c5f5d5d0586d4

SHA1
e5c0798b065a9fd37160998d4e0b3b04601d952f

SHA256
aac434567d5551526d3baa5dc1d8ec10aa345cfdc1dc660666543590d3f52bed

SHA512
f60160652f95b46a0681a38472eaa6d0bd7a5c57646154f7c29aeedabaaeaac30fcabab7e92899a122b02098a11fece81fc50703221c8feb4b6e03d497bc4a3f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
698be1fa98a69d166199a4fdd52b9cb1

SHA1
0e35ebbebd0d917963845b56aa279deb5474d0a8

SHA256
b60c31bca2453471f247ab77aecb7befc525ea27dfdc6744a5473785e76875b5

SHA512
70bfad200a63d39c0384931b16c664045c32d4f772de19cc615878ad0b2f8e75c86c466481a67fcbfece15309d6c3ec7133ada50df7437d00c4f342989c5c454

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
edb392d4e544ca82229c47a369d0f827

SHA1
b1f5883f3e5560bb8bcc11a9855ec6954782a06a

SHA256
0a84c68143dd79f55338a80d5a8e91c9c52168c41e1948371aeea8a4ce319cb2

SHA512
6071f9a565fad5a28a13eda30fc9927d1b702ee28d5caae2484e58fce334b9bb588082155a94be56795f7fc7d5b5cac3934fc64ab037127b490990b4c1ef5873

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
fc61bba0025e87ae3bfff5759e11be7e

SHA1
974f58b7227b2b3808c4155c7f06395573783283

SHA256
f727475cddd6010f9d1d384dbf3d4df801e3f24628993055870e0152e87d5317

SHA512
4ac98ea900ef99e5529f51f2ef429382c1257afb1f7f4aa7db56dc85f9acf35beda32ad3b4d9230f328fb92f5a4122b87066122f979d2fe259a131851194c3e2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
3aaee92e63dd975564875554bd6fb761

SHA1
d576d4280f45b4de535e322a87453d8193d4c83f

SHA256
91c51e6daece5f13cc14414fe0de4c7638f19419df40c04bbc061552c232bae4

SHA512
f5a7bc1956fecc030677d2ac79b5f90d9d1442d73882606808a0234ffea8639e24f15e89c71c73a1c08c77088e3a9b55f994c2b23c1f995ddf06bdd2ab083c84

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
256KB

MD5
0782a8d31717833a71d1111df4d4e91b

SHA1
c44936330c4cc5298c20621d0e6cdbc3d07c58ec

SHA256
63e8123f9bf031cbb6b46ebe7f82ee4241cecbb944a1f70e78f460fd2cffc92a

SHA512
92aca3872fd29defc932631eeba2c445fbc1ec34a9c1a8ca014f356f01d9c2aee38e6623dba286a939a58baec9f02f3700844744fc1c4776c89a9195fc3fe16b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
448KB

MD5
272c2ab1500cb891bd9c826db066292c

SHA1
4ce16cd55abfbbfba90a502aff34115e305f77ca

SHA256
6cd69abd8c637111656c4a4c936aae9237fc51e0aa819f940580f4f55c7a268b

SHA512
621f93b81d2eaec77ad582a9589828a6756fbe8f775bd76bd2d21be19e0c784fff0e97ec8403887d8c6a74a4dc7fae36af7ae2eaf5f21d17609b7399b993d4ad

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
276ec4dd7bd3a8ede0d5e465549687b2

SHA1
5928c523cf734f753e59d3d9b7758cb68685c73a

SHA256
47d6b10e49d254e0f665c92b34516835369fdb9494b81b29d6af330a97ddab22

SHA512
d9f26d8ec282d2b4c9fc4934d23d7d6669dac3a30442f5f6f37f977b1d7007235818b7784cf2ff73ff6a4b6c8219d266cb10ad05b0c6d367462783a152847fc2

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
941f60f8e527dd8ed4c5b0aeb6bacc52

SHA1
f98b3c114c957527c45d4ae683090ac23f8d93e7

SHA256
33471b8b9ac0fcfb43a1c3cd596a3551ed4138742010d264125f6da30ef8119f

SHA512
c9a1f475c25667d8b807c2517d05dca99795e00ff1d848b1b88d148c2122c2b2ad9eca21c23870132fdfc8273313128b5051c14bfe59d361ee055ebea3d9fc5d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
a751a085c3912108d396a4e16d6bf571

SHA1
b20e3035dc90d370fe066523b1111b8161070d92

SHA256
98800a7b4a54f5be9e63a5871db5d73683cc20adca3b9f351580614faff00f9e

SHA512
35d6a4f9549f5bd616d177f32716b72500d542248924c9f671c19d48ffc0c1916f14a9ae8436fa779a29b98832571555ce211d079b6d305acd7ec408e0a3b25f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b7364f595940c0c91a475da836b5de9a

SHA1
b8c1a654c879912211fe95d6d47865be67b81ccb

SHA256
8302de3bf16ffc7485ead1ec58190d6ec99603ab50ab9227f62e50ba1d846dd6

SHA512
896f8fac6eb96c38cc40c54325c9e856b115d1839be6a9debfa9e3a94dce2c97ca0c4e87a53e5adde697d20aae54f5bb6da360b83301a76ed81e3c625a4c325a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
558KB

MD5
799dee8f7eb46ed2fbf8a68b71c32e8f

SHA1
9e113c7578b2473d853c8cf8649b2cc463eb7c1c

SHA256
cda68056f78d6079f1f99e63fcb4c9cfc5a452d9184d1fffa6f243613629fb7d

SHA512
9d69d99b7090617a754de6a0807bcec5577864659663ec7bf26a1f58dbc3df86be835646d64d136cef50497f8d34b0790246aae348ae5554cb5857b99ba2014a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
316KB

MD5
29e4d890f2cf90ea3a7f33adb9cf36a5

SHA1
f9d8a63dbcf3a55c04929925fb9d3def8146a1ff

SHA256
dc7173698e9657ad0e7a5d0c09daeefebb5ffc09bf528d21409c07ee9dc822d4

SHA512
8f87011738fd017e21f1d77cea9096c5235536b70085416d99854e7012b2a9f0f88634cf3e1203d25fceb0f457929b568ceaa0903ce0a4c743c5d92e35d592f4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
326KB

MD5
83ce8f9a75ef9640ecda3fc1266e30f4

SHA1
8d8b980f27158dee479c02ab988e2d4b5c25fb98

SHA256
e8c0c66d10bd9b3b7d64714bc4ce79d6a81b875de98ee4322b1c41359ea4df04

SHA512
b26ed4b8a3195a1782145841c7ee21ae76c02b99cfad4d690cd36ab70729b8b3617e879b62cded1e4ce5017924678a4710478bd34f20a134f26e8447cf3de232

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
119KB

MD5
18c2eb17e85bdfa4123b33435ecaa5e6

SHA1
4d26fb62349fe3c668914bfc090d9ab8ca8f9251

SHA256
2ead29da97a0c147f4ac1eb5a29c76dd25c7219188fdad5daae897b0a55fcbef

SHA512
d4de1645518132610867d1ef4affac0fda783e0dd417dd440ea4453059a1ce6474e7ce34dd0d1b827ffa54f93e837619135243be96245e356d87b25ab9f14c0a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
102KB

MD5
669ce18dad03ec902829cd98681899c7

SHA1
3781356c564101337bd102dc88416eea095df23c

SHA256
f43418c1341fb99102c62e950d3a2652056338193f6aa3c8719d08e85f3a67a0

SHA512
c947a14e1c6ca3c62d26c0446cb238a7b8335d8f4b1101074ceb131fa60b04aedb3ed87d059eb166025a221a28231cced51c340926ca9d78d4057e6ae51a03e5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
41KB

MD5
d054a511196adc3536a64c3359812e35

SHA1
d2dfc7e53a6d8bdc82f65d70f2433d6923c8307c

SHA256
ea18acf8f5e2d7f6aacb17f6327d4c350c1211a034663968167db3b50b6e7d69

SHA512
ff86e8a9f4e2c77b94e4c3777879fa8e761acb3e0e052f8110471838c3e79e9704f5b01e08d2c0cfd8a22be15b95f7bed9240e5d50e15789ecad82a4b3969458

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
305KB

MD5
89e0e3bcfaa285f3ebcfd1745af0c1a3

SHA1
327ad8dfdf0176f7115c95c0908014a0be42ec7b

SHA256
60fb09f28348b292aa990f8e39f5ee55e25d610c7b6a69431e0138be81cbc515

SHA512
33c5643887d991e656495804982a1c11a1bf704451a054b5c13e5d5b0fc19a68ad21d3d84c4204fa6d9bf6ef3773f0b56b6b774c765c0d40cef461c51cbae0f9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
136KB

MD5
94c821ebead5220793bfdd1d5fd05907

SHA1
aecebf67e202639103bddd2166cbde6f6df6aa9a

SHA256
852ec494e890cbd7af067a725991deb314a2597bcb85630660791266ad6e96a6

SHA512
c1af172c44afb7fa8665053951004508b8a62f20771f916961aa4a2eb950d92b4a4cf520c34b13e93a09e8d7be50530181bd3948af9ea511a027efbc772332ee

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
200KB

MD5
db4eb184e9e14e8a9c08454760eeef52

SHA1
0a8aac1121bccaf319babc70445d7d92c3e203b5

SHA256
17b0e5a4851dcb17c5213f7901618a1b1fb105eeb47468f5cb45e38eb4480d11

SHA512
a2659e97f716762d101f829ed62d11ffe85bd6f46b5962737fc9202e25e33c864eebb5296ee7be4dba1014b05ef9f271efc41ed8765ec0420814ddd1a4bd0147

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
242KB

MD5
66097ad72210e4dce4d5fd132a102fa8

SHA1
219436834e433114560f7d864c7f95cbafef3647

SHA256
07b9b5b77372c5eac1443b5b4b8f914707d27a0c0b6748838ff57b9fa2ebfc46

SHA512
a4aa9f526ceb75d15899f2e535e4dc34765f96df3fec21fe11af20df91c7c33504168ed2919e789726154e24fcea34820d637d99ad9419daffb07948d0967687

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
174KB

MD5
6b601dd1cf3214718fd0056916a27148

SHA1
f25a338a4e8bd0612093195b8eef1ef87ee07ab0

SHA256
a9a5b66f70a1e98fd486a06b50a2c983f3dcb1485f3aa1f4a6b58f1fa891758c

SHA512
4336b2275c4aca06d94798cf9d25ba12fdd33c9f9f5af8ce16e32a528969ec356bd4533ae5b681f6a50b5acc2d70c490f905866ae567c9be1ebdaadc1d1008c9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
140KB

MD5
59435224736218965d8321fdb0c0e6bd

SHA1
007c15855fcd55d029c41b81bd61cf9893612c25

SHA256
442d4f7dadc10f59b2fa5296d382c12c696031bfc5f78694a6f9ffe9d103563e

SHA512
00ceabc8ba649175851cf3fb44fd554a33a32a69a6c29e4ec599aab87a5c08f5b69b79257a45053d959fb7570257d45864ddbce5e1654964b002aea88d7f1430

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
100KB

MD5
ae0faa0ba6c3c1baddbdd75b28ef08d1

SHA1
2a0e8f89053cca10dd933a377f1d8c684e87b3df

SHA256
14b46238b751ec73b17a5e98b18a9633449f909bd6d46fb6e84f0baf2cb76f85

SHA512
9b3364a51f79544b64b468f8fc4083b884ddd944d9ddf7333ab5cb8b2fdb3126ddd422832d146a49e941f10f73778f21f856aaff1cb6ae4513dc6cb64af5f5bf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
66KB

MD5
9a4ede1066c800c0f407f3f4362918b9

SHA1
e38db6731d82326d947bef31ba52492e2efe4024

SHA256
b0dcfc05acf48230b0aab8448296b78196cb63f430085191aa06cc7ab1a0f72b

SHA512
d7b73846b7015dc7ef35ea80ac188e831f4efbd2e396b1b10d982ba678d6f96d47b72d8f605d36db2b91df62e7c9e3e3e6facd53c8e300392bea4ac85f0fba3e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
64KB

MD5
f8541e0eb32c90263a0353876e80ab71

SHA1
1c1d4a36442cadd4a85a226683b7e33ad2e8dfd4

SHA256
aeb43a10d703ed119a7dd7be823f3cdff2d89f940938be0d4c4148e44c353a8f

SHA512
258674b4c0a21d6756beb9feeb4cfdb800a22579e710ebe20cc7900c55e64b492d94fb156240e4b85f8eca33b897ae8235d7fa08b843b347014d246368fb6f99

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
245KB

MD5
581b1803433e5c4b8a9e08bb7a462cfa

SHA1
c5d4557c7f0b854b76df397eb102a23c18f84bdd

SHA256
df9e7e33da0c5d37d634ab71e6727729eeb18cf1180efbaca826bfecf372ddb6

SHA512
2975909a1f40436dc55b21262987f183a58e8548a994592781f628c1a34f17320323a911d7a99aea7bfd9c7132c3173904e3c3ee8566789a74582271f53a9069

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
405KB

MD5
4e1c11d2d6827bcf51f377f08c9d7dfe

SHA1
3c2caac7812e293441d98d3896f865ddd3edba61

SHA256
34787f1e191d98979ae1eee7cba9202a79892da129659ed32da12ea94b4d0223

SHA512
fae5b7e208c9920f64b4331470ec3320b465fcfb3e79777c0108b3194e7e2d0d0cd57fa52122fd7f8d19822d51aac7171fc472eb5372908f256146be867351fd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
312KB

MD5
0180f44b4ca5770a35ec8ae80d2f641a

SHA1
3616424c3717fc2b9f0243362a4abc1e29c8571a

SHA256
5fa46f55ee473f71dab229f1c5886a55d31230beafe5400736f0bfd321105057

SHA512
ee1fb24e7293c9d7aee8a780fff2ccb9f9224c3d3a952d7a9971f2c2f5103ee33699b757126c5109fa6c472064076d63fa545c742b1026c636f09174b0fd146d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
266KB

MD5
dfdd1cf68466355ac30ca4c0a1ce1b84

SHA1
494ddbeaa2b19523c13d9d7bab8959a1ca46cd71

SHA256
ea5933f08c07e825e09e97d92efc46c0e9bd32bd90c58d69c8b7e82e1baa3ab3

SHA512
c76cdc233d0823edbd7e03a0e8be25a25322b90a8096de6f2fc512b4d1176271ec1b10ceafe11440c99b8abed154f9e1527f4f7a28d714ba220322a437c822fc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
223KB

MD5
e8bc417736bbdcf6bc2327a9424914e0

SHA1
898591276317a229dc9bd7c7683ee6ee81916420

SHA256
ddedc2de29322b64deb0399270ce5f1e4d130f22bed1aca71f0d43bbc1866a45

SHA512
88f5dc2781962ce9b3567c4b0affcdb23497e92c2227be6d9fde63578995ddba9b3ab0fdab12e5a0cb0264cc4f1629d626b50e5bc28fa9a4ad292e850ec307ca

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
119KB

MD5
ec08249f1e022c59fc59c4646e15d0d4

SHA1
ee1c2e7202ff3b2dbee282b96f2e44a68af572c3

SHA256
705fae014900d8276d6069962066d116d06a69b05654d5d7cb04e789e335c20b

SHA512
1d3803b5050cffdb45ace8f7ab4a1a549058a61c9cae80d238c37d928da05cf30d5054f6cab19ce05cf3972610999a4b25e742531f628cfe071d87a85a4c5fbc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
179KB

MD5
53741dd7ee4ae0870ea2e05aacd361fd

SHA1
79243fd0c5e1b4d5feb47e8bbfa2d8f2f630b6df

SHA256
e58b740cb2dd2aee53e237b78277db4330578e194b254989cdb45eef26363356

SHA512
26956156c40b8831ecd17661429680acb2bcad791c962c970501d7e0d8dc8fd38cdde5063fd7babed2eb13299f734d093503bc68bc988dc6547fef60617b5cb1

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
d25671f838273a0274dc3242b4f5cd30

SHA1
f4257849784221adbcd4331d69d2e8f98408f861

SHA256
b7b831ac1ee727a1fbf58d1e3a7ddf6744fabf7509401ed8c3c198b5e2138537

SHA512
a51a6c02764faec3f45a665992221d5927152f65f4fcc288837c8e828987e4b5e4b83f081c5374a41c5ed7152ac76344c2fedd96c836e4c10b7ea813a26317ad

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
51c077615727d56c025bef519707f720

SHA1
fbc4cdbc38137f186d6ecea20a9bec8490779266

SHA256
4b5c11061da4a62257a023b62bbe350e2b87e3d2866e0e94ea0d81f555445ccf

SHA512
ae91123bec181bf688dff4b7e353a536c9c08dc76e391c98c053040c909002d170dbc0b79c91c75e79cf35bed206fe7d15a69d41719e434e429ba9490b8cdfa7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\1142679b034d13ff3cf65c8864199d02\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
1da114ee0455d4c49c25e74e4989242e

SHA1
34ef4854ca2d69d20ced5d1e19274ef51dfb5ce3

SHA256
66613e70c41914a1efcc6d0cd357a2f37a0a6ceda6e3015aa5bc56b414ded86f

SHA512
3baab7adaadfe1380f786a75b00fe1fa8be279541fa695f42908868e41a180877ade6106ab57842538140534572aa44bc1d45f7e5169d645044f0c8562377bce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\52e82456c2aa9de6b45ae11e08b032b9\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
14b7aeade7a966cf52fd507053c08eee

SHA1
694677a7d7bdb01d04aaa2664fd31d407d56f57a

SHA256
354707e507a6ed04fa70fe5af0d7b07a20b2cfba9977bc393792f324ad85bb1a

SHA512
72b8b1fe61ce2a9bd723515fb33bb36fff2ef793495423226a1d30f08c564643908cfcf7008a6a4fb8d03a6d23c95d273e822700b6df19c401a1a156046f3f5b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a68de2518d15bf1cb5848ae274e903b3\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
d2aff6f3ad9a8a68d36cf738221be6f3

SHA1
f42673aed317803b06c8670d84b83dbc667e0578

SHA256
e588b39120b455a58d966c259cd76f29b4165d42fd237b22dc848d3e705abea1

SHA512
bfeeedc607e45aa0f0f11cef8e08b8bdb64dd70defa2407e5c82cbaf597809769a0a595606be8b44e011560fcc8a8ca584f454fa8db4a44f6dd45f41d2852263

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\b23120bd21019ec1a6cab930c0289077\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
e2bd53921c98abcc7b2cf24383563dd7

SHA1
d9fa1621fffcf5795d042d7a1ec991ae929fcaf1

SHA256
08a63a1b142ce849271a7ffffb826587af680fa8b194d0301963b7be6a710de5

SHA512
eebe58dea3d93e3da36f0c9566a4bc7a8228118301bdf5b57642558af469cab82d5b03f5c7319421e48f741b2dab7e0383bcfda490dcf84e0764213eb6602900

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.1MB

MD5
8f0c7cfd18ffbc444da07b173da4a924

SHA1
53c2198c4d4de67c18b1129d51de111a83e61a68

SHA256
ce10dfb17a0341c4a712e065a537c5bdff0ccb93c16839f589c5fa5347864a00

SHA512
b952e2474bdc4c61e6fd6c25c277a921b974ecadeab72b8b9a3d30a0977de3981ad58bf48bef307075a02ca1a435e38503abe5bfcf299f43e5e90f247a5d0b36

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
06732f4e0e009a57eefe2f6415e7e401

SHA1
51343a645823d9da8a72268c474fd324658dcd9e

SHA256
551f2f255c565c03d6efc242d6b69e38303d79635809739442d1b4de6e606ae9

SHA512
91337b12af0620e2e1af0c5fcdaffefcf723fbb3a6dcfdbe6df97ef8cba72c91ad0ec7b3c2138807633e51018ef5b45691466eb31e2eedd23a85cf3e74ba0b17

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
64KB

MD5
bc81f8b925315c0d8a43963ea8f21e2a

SHA1
2189349de510c6e3545f38a249d4cb06394c8805

SHA256
63fc203bc80c16311f14dbca2ad406a7cf28cbe3d232c913725e199a47363442

SHA512
b960ebe5fa64cda7fdffa99ccd5eb95fa8c8e9b488b839034e12c07dbb4273dee2b5c100633b4121d70c6a5c7fdf521526547d10545b9d40a8cac0aa5e7c4c4b

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
2679419b4870fe1e9135320f8ff5c632

SHA1
7e8f5f5042549b66a3435bb5ce71cf7d6c2a533e

SHA256
7a901e890453c774dfcc6d1436598c15c0b132cfec8735dd72b690a1e801b883

SHA512
0416357e33286c738748cfd825f0bca83634e51da539713d0e06015a9854d4a39c405a3c3ff4d4425d269cd40fc0afdd443fb449117eaec22791f33cf1d54ba2

Download Submit
memory/320-311-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/320-161-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/320-160-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/320-168-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/320-173-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

Filesize
64KB

Download
memory/320-304-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/320-176-0x0000000000DF0000-0x0000000000E00000-memory.dmp

Filesize
64KB

Download
memory/320-256-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/768-178-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/768-308-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/768-523-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/768-524-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/768-174-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/768-266-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/812-555-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/812-548-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/812-554-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/812-553-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/812-537-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/812-530-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/860-285-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/860-150-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/860-141-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/860-144-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/896-274-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/896-281-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/896-352-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1076-258-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1076-323-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1076-259-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/1200-103-0x00000000006C0000-0x0000000000727000-memory.dmp

Filesize
412KB

Download
memory/1200-121-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1200-97-0x00000000006C0000-0x0000000000727000-memory.dmp

Filesize
412KB

Download
memory/1200-98-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1252-293-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1252-451-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1252-287-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2032-113-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2348-272-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2348-130-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2348-123-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2348-124-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2352-326-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2352-319-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2352-327-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2352-315-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2360-438-0x0000000074758000-0x000000007476D000-memory.dmp

Filesize
84KB

Download
memory/2360-525-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2360-526-0x0000000074758000-0x000000007476D000-memory.dmp

Filesize
84KB

Download
memory/2360-354-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2360-353-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/2360-351-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2368-347-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2368-349-0x0000000000500000-0x0000000000567000-memory.dmp

Filesize
412KB

Download
memory/2516-175-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2516-94-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2596-518-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2596-307-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/2596-306-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2752-513-0x0000000000DF0000-0x0000000000E70000-memory.dmp

Filesize
512KB

Download
memory/2752-341-0x000007FEF4850000-0x000007FEF51ED000-memory.dmp

Filesize
9.6MB

Download
memory/2752-343-0x0000000000DF0000-0x0000000000E70000-memory.dmp

Filesize
512KB

Download
memory/2752-472-0x0000000000DF0000-0x0000000000E70000-memory.dmp

Filesize
512KB

Download
memory/2752-345-0x000007FEF4850000-0x000007FEF51ED000-memory.dmp

Filesize
9.6MB

Download
memory/2752-520-0x000007FEF4850000-0x000007FEF51ED000-memory.dmp

Filesize
9.6MB

Download
memory/2968-142-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2968-253-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2968-0-0x0000000001E60000-0x0000000001EC7000-memory.dmp

Filesize
412KB

Download
memory/2968-7-0x0000000001E60000-0x0000000001EC7000-memory.dmp

Filesize
412KB

Download
memory/2968-1-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2976-159-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2976-65-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2976-16-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2976-13-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/3060-550-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/3060-552-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3060-551-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download