720f54a145afbc4cd1df0386e6c931c3aa4792dfb005144ed4986977cb955c20

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
08-03-2024 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

720f54a145afbc4cd1df0386e6c931c3aa4792dfb005144ed4986977cb955c20.exe
Size

1.8MB
MD5

b04bf10382a78635486925f43c521400
SHA1

cc6d7c92abef67967a24816eb4b9d0038d1679a6
SHA256

720f54a145afbc4cd1df0386e6c931c3aa4792dfb005144ed4986977cb955c20
SHA512

c6ebe3cdf99d96771d5c4834f044257b19febe6438bccbf695da414ad8727f62fbd284f34919f752a24329d5a9f4ac16bc2a40d3a43d3879970f50070ad64df0
SSDEEP

49152:tx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAwLYj+3WZUY5kq:tvbjVkjjCAzJLYjLH5h

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
480	Process not Found
2524	alg.exe
2320	aspnet_state.exe
1228	mscorsvw.exe
2388	mscorsvw.exe
1056	mscorsvw.exe
2000	mscorsvw.exe
1416	ehRecvr.exe
964	ehsched.exe
820	elevation_service.exe
1640	dllhost.exe
2864	GROOVE.EXE
2172	maintenanceservice.exe
1800	OSE.EXE
1228	mscorsvw.exe
1608	OSPPSVC.EXE
2784	mscorsvw.exe
1504	mscorsvw.exe
1456	mscorsvw.exe
1580	mscorsvw.exe
2092	mscorsvw.exe
2136	mscorsvw.exe
2740	mscorsvw.exe
2748	mscorsvw.exe
1756	mscorsvw.exe
312	mscorsvw.exe
556	mscorsvw.exe
1464	mscorsvw.exe
2392	mscorsvw.exe
2844	mscorsvw.exe
1904	mscorsvw.exe
2348	mscorsvw.exe
2740	mscorsvw.exe
540	mscorsvw.exe
2352	mscorsvw.exe
1028	mscorsvw.exe
776	mscorsvw.exe
1716	mscorsvw.exe
2716	mscorsvw.exe
1544	mscorsvw.exe
1664	IEEtwCollector.exe
3044	msdtc.exe
2672	msiexec.exe
1636	perfhost.exe
2308	locator.exe
2716	snmptrap.exe
1776	vds.exe
976	vssvc.exe
2808	wbengine.exe
2028	WmiApSrv.exe
2624	wmpnetwk.exe
580	SearchIndexer.exe
2072	mscorsvw.exe
276	mscorsvw.exe
2288	mscorsvw.exe
1440	mscorsvw.exe
1504	mscorsvw.exe
996	mscorsvw.exe
2072	mscorsvw.exe
2008	mscorsvw.exe
1100	mscorsvw.exe
1396	mscorsvw.exe
2220	mscorsvw.exe
1588	mscorsvw.exe

Loads dropped DLL 51 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2672	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
780	Process not Found
1504	mscorsvw.exe
1504	mscorsvw.exe
2072	mscorsvw.exe
2072	mscorsvw.exe
1100	mscorsvw.exe
1100	mscorsvw.exe
2220	mscorsvw.exe
2220	mscorsvw.exe
2148	mscorsvw.exe
2148	mscorsvw.exe
652	mscorsvw.exe
652	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
1724	mscorsvw.exe
1724	mscorsvw.exe
2196	mscorsvw.exe
2196	mscorsvw.exe
2556	mscorsvw.exe
2556	mscorsvw.exe
2700	mscorsvw.exe
2700	mscorsvw.exe
1228	mscorsvw.exe
1228	mscorsvw.exe
2012	mscorsvw.exe
2012	mscorsvw.exe
1668	mscorsvw.exe
1668	mscorsvw.exe
1940	mscorsvw.exe
1940	mscorsvw.exe
2012	mscorsvw.exe
2012	mscorsvw.exe
1756	mscorsvw.exe
1756	mscorsvw.exe
1440	mscorsvw.exe
1440	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e6daa4793d2ec148.bin	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	720f54a145afbc4cd1df0386e6c931c3aa4792dfb005144ed4986977cb955c20.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	720f54a145afbc4cd1df0386e6c931c3aa4792dfb005144ed4986977cb955c20.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	720f54a145afbc4cd1df0386e6c931c3aa4792dfb005144ed4986977cb955c20.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM204.tmp\goopdateres_mr.dll	720f54a145afbc4cd1df0386e6c931c3aa4792dfb005144ed4986977cb955c20.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM204.tmp\GoogleUpdateOnDemand.exe	720f54a145afbc4cd1df0386e6c931c3aa4792dfb005144ed4986977cb955c20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM204.tmp\goopdateres_sl.dll	720f54a145afbc4cd1df0386e6c931c3aa4792dfb005144ed4986977cb955c20.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM204.tmp\goopdateres_bg.dll	720f54a145afbc4cd1df0386e6c931c3aa4792dfb005144ed4986977cb955c20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM204.tmp\goopdateres_hu.dll	720f54a145afbc4cd1df0386e6c931c3aa4792dfb005144ed4986977cb955c20.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM204.tmp\GoogleUpdateBroker.exe	720f54a145afbc4cd1df0386e6c931c3aa4792dfb005144ed4986977cb955c20.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM204.tmp\GoogleUpdateSetup.exe	720f54a145afbc4cd1df0386e6c931c3aa4792dfb005144ed4986977cb955c20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM204.tmp\psmachine.dll	720f54a145afbc4cd1df0386e6c931c3aa4792dfb005144ed4986977cb955c20.exe
File created	C:\Program Files (x86)\Google\Temp\GUM204.tmp\GoogleUpdateCore.exe	720f54a145afbc4cd1df0386e6c931c3aa4792dfb005144ed4986977cb955c20.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM204.tmp\goopdateres_fil.dll	720f54a145afbc4cd1df0386e6c931c3aa4792dfb005144ed4986977cb955c20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM204.tmp\goopdateres_th.dll	720f54a145afbc4cd1df0386e6c931c3aa4792dfb005144ed4986977cb955c20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM204.tmp\goopdateres_da.dll	720f54a145afbc4cd1df0386e6c931c3aa4792dfb005144ed4986977cb955c20.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCB99.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEB68.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF95C.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	720f54a145afbc4cd1df0386e6c931c3aa4792dfb005144ed4986977cb955c20.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3B4.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC449.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEE74.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{64DE2855-4DA9-44A9-B664-301E0A0F1531}.crmlog	dllhost.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	720f54a145afbc4cd1df0386e6c931c3aa4792dfb005144ed4986977cb955c20.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF2D7.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6C4.tmp\ehiVidCtl.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{64DE2855-4DA9-44A9-B664-301E0A0F1531}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	720f54a145afbc4cd1df0386e6c931c3aa4792dfb005144ed4986977cb955c20.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCF31.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	720f54a145afbc4cd1df0386e6c931c3aa4792dfb005144ed4986977cb955c20.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC7F1.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7DD.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000406d8a7e1571da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2672	ehRec.exe
2320	aspnet_state.exe
2320	aspnet_state.exe
2320	aspnet_state.exe
2320	aspnet_state.exe
2320	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2856	720f54a145afbc4cd1df0386e6c931c3aa4792dfb005144ed4986977cb955c20.exe
Token: SeShutdownPrivilege	1056	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1056	mscorsvw.exe
Token: 33	1820	EhTray.exe
Token: SeIncBasePriorityPrivilege	1820	EhTray.exe
Token: SeShutdownPrivilege	1056	mscorsvw.exe
Token: SeShutdownPrivilege	1056	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeDebugPrivilege	2672	ehRec.exe
Token: 33	1820	EhTray.exe
Token: SeIncBasePriorityPrivilege	1820	EhTray.exe
Token: SeDebugPrivilege	2524	alg.exe
Token: SeShutdownPrivilege	1056	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2320	aspnet_state.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeSecurityPrivilege	2672	msiexec.exe
Token: SeBackupPrivilege	976	vssvc.exe
Token: SeRestorePrivilege	976	vssvc.exe
Token: SeAuditPrivilege	976	vssvc.exe
Token: SeShutdownPrivilege	1056	mscorsvw.exe
Token: SeBackupPrivilege	2808	wbengine.exe
Token: SeRestorePrivilege	2808	wbengine.exe
Token: SeSecurityPrivilege	2808	wbengine.exe
Token: SeDebugPrivilege	2320	aspnet_state.exe
Token: 33	2624	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2624	wmpnetwk.exe
Token: SeManageVolumePrivilege	580	SearchIndexer.exe
Token: 33	580	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	580	SearchIndexer.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1056	mscorsvw.exe
Token: SeShutdownPrivilege	1056	mscorsvw.exe
Token: SeShutdownPrivilege	1056	mscorsvw.exe
Token: SeShutdownPrivilege	1056	mscorsvw.exe
Token: SeShutdownPrivilege	1056	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1056	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1056	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1056	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1056	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1056	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1056	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1056	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1056	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1056	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe
Token: SeShutdownPrivilege	1056	mscorsvw.exe
Token: SeShutdownPrivilege	2000	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1820	EhTray.exe
1820	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1820	EhTray.exe
1820	EhTray.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe
2732	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 1228	1056	mscorsvw.exe	43
PID 1056 wrote to memory of 1228	1056	mscorsvw.exe	43
PID 1056 wrote to memory of 1228	1056	mscorsvw.exe	43
PID 1056 wrote to memory of 1228	1056	mscorsvw.exe	43
PID 1056 wrote to memory of 2784	1056	mscorsvw.exe	45
PID 1056 wrote to memory of 2784	1056	mscorsvw.exe	45
PID 1056 wrote to memory of 2784	1056	mscorsvw.exe	45
PID 1056 wrote to memory of 2784	1056	mscorsvw.exe	45
PID 1056 wrote to memory of 1504	1056	mscorsvw.exe	46
PID 1056 wrote to memory of 1504	1056	mscorsvw.exe	46
PID 1056 wrote to memory of 1504	1056	mscorsvw.exe	46
PID 1056 wrote to memory of 1504	1056	mscorsvw.exe	46
PID 1056 wrote to memory of 1456	1056	mscorsvw.exe	47
PID 1056 wrote to memory of 1456	1056	mscorsvw.exe	47
PID 1056 wrote to memory of 1456	1056	mscorsvw.exe	47
PID 1056 wrote to memory of 1456	1056	mscorsvw.exe	47
PID 1056 wrote to memory of 1580	1056	mscorsvw.exe	48
PID 1056 wrote to memory of 1580	1056	mscorsvw.exe	48
PID 1056 wrote to memory of 1580	1056	mscorsvw.exe	48
PID 1056 wrote to memory of 1580	1056	mscorsvw.exe	48
PID 1056 wrote to memory of 2092	1056	mscorsvw.exe	49
PID 1056 wrote to memory of 2092	1056	mscorsvw.exe	49
PID 1056 wrote to memory of 2092	1056	mscorsvw.exe	49
PID 1056 wrote to memory of 2092	1056	mscorsvw.exe	49
PID 1056 wrote to memory of 2136	1056	mscorsvw.exe	50
PID 1056 wrote to memory of 2136	1056	mscorsvw.exe	50
PID 1056 wrote to memory of 2136	1056	mscorsvw.exe	50
PID 1056 wrote to memory of 2136	1056	mscorsvw.exe	50
PID 1056 wrote to memory of 2740	1056	mscorsvw.exe	61
PID 1056 wrote to memory of 2740	1056	mscorsvw.exe	61
PID 1056 wrote to memory of 2740	1056	mscorsvw.exe	61
PID 1056 wrote to memory of 2740	1056	mscorsvw.exe	61
PID 1056 wrote to memory of 2748	1056	mscorsvw.exe	52
PID 1056 wrote to memory of 2748	1056	mscorsvw.exe	52
PID 1056 wrote to memory of 2748	1056	mscorsvw.exe	52
PID 1056 wrote to memory of 2748	1056	mscorsvw.exe	52
PID 1056 wrote to memory of 1756	1056	mscorsvw.exe	53
PID 1056 wrote to memory of 1756	1056	mscorsvw.exe	53
PID 1056 wrote to memory of 1756	1056	mscorsvw.exe	53
PID 1056 wrote to memory of 1756	1056	mscorsvw.exe	53
PID 1056 wrote to memory of 312	1056	mscorsvw.exe	54
PID 1056 wrote to memory of 312	1056	mscorsvw.exe	54
PID 1056 wrote to memory of 312	1056	mscorsvw.exe	54
PID 1056 wrote to memory of 312	1056	mscorsvw.exe	54
PID 1056 wrote to memory of 556	1056	mscorsvw.exe	55
PID 1056 wrote to memory of 556	1056	mscorsvw.exe	55
PID 1056 wrote to memory of 556	1056	mscorsvw.exe	55
PID 1056 wrote to memory of 556	1056	mscorsvw.exe	55
PID 1056 wrote to memory of 1464	1056	mscorsvw.exe	56
PID 1056 wrote to memory of 1464	1056	mscorsvw.exe	56
PID 1056 wrote to memory of 1464	1056	mscorsvw.exe	56
PID 1056 wrote to memory of 1464	1056	mscorsvw.exe	56
PID 1056 wrote to memory of 2392	1056	mscorsvw.exe	57
PID 1056 wrote to memory of 2392	1056	mscorsvw.exe	57
PID 1056 wrote to memory of 2392	1056	mscorsvw.exe	57
PID 1056 wrote to memory of 2392	1056	mscorsvw.exe	57
PID 1056 wrote to memory of 2844	1056	mscorsvw.exe	58
PID 1056 wrote to memory of 2844	1056	mscorsvw.exe	58
PID 1056 wrote to memory of 2844	1056	mscorsvw.exe	58
PID 1056 wrote to memory of 2844	1056	mscorsvw.exe	58
PID 1056 wrote to memory of 1904	1056	mscorsvw.exe	59
PID 1056 wrote to memory of 1904	1056	mscorsvw.exe	59
PID 1056 wrote to memory of 1904	1056	mscorsvw.exe	59
PID 1056 wrote to memory of 1904	1056	mscorsvw.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\720f54a145afbc4cd1df0386e6c931c3aa4792dfb005144ed4986977cb955c20.exe
"C:\Users\Admin\AppData\Local\Temp\720f54a145afbc4cd1df0386e6c931c3aa4792dfb005144ed4986977cb955c20.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1228

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 244 -NGENProcess 248 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 258 -NGENProcess 254 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 260 -NGENProcess 248 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 250 -NGENProcess 268 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 26c -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 26c -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d0 -NGENProcess 274 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d0 -NGENProcess 248 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 26c -NGENProcess 27c -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 26c -NGENProcess 264 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 284 -NGENProcess 27c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 284 -NGENProcess 26c -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 284 -NGENProcess 288 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 284 -NGENProcess 278 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 284 -NGENProcess 274 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 238 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 284 -NGENProcess 264 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 260 -NGENProcess 238 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 250 -NGENProcess 2a4 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 250 -NGENProcess 2a8 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2b8 -NGENProcess 2a4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 22c -NGENProcess 21c -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1e8 -NGENProcess 1ec -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1e8 -NGENProcess 1d0 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1e8 -NGENProcess 24c -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 248 -NGENProcess 1d0 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1d0 -NGENProcess 254 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 244 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 258 -NGENProcess 1c0 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 258 -NGENProcess 27c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 220 -NGENProcess 2b8 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 220 -NGENProcess 23c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1cc -NGENProcess 238 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1cc -NGENProcess 24c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 250 -NGENProcess 2bc -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  PID:896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 250 -NGENProcess 254 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 294 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 1c0 -NGENProcess 2a8 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 1cc -NGENProcess 29c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 238 -NGENProcess 258 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2b0 -NGENProcess 2b8 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 2b0 -NGENProcess 2a4 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 1cc -NGENProcess 2c8 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1cc -NGENProcess 29c -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2c4 -NGENProcess 2d0 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 238 -NGENProcess 29c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2a0 -NGENProcess 2d8 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:1120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 1cc -NGENProcess 2dc -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 29c -NGENProcess 2e0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2e4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2dc -NGENProcess 2e8 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:1516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 2e0 -NGENProcess 2ec -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2e4 -NGENProcess 2f0 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 2e4 -NGENProcess 2a0 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2c8 -NGENProcess 2f8 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  PID:1864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2d8 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2a0 -NGENProcess 300 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2f8 -NGENProcess 304 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2fc -NGENProcess 30c -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 304 -NGENProcess 310 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2e0 -NGENProcess 314 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 30c -NGENProcess 318 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:1416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 30c -NGENProcess 2a0 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 30c -NGENProcess 2f0 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 31c -NGENProcess 324 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 328 -NGENProcess 2f0 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:1516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2fc -NGENProcess 330 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 2fc -NGENProcess 2e0 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2fc -NGENProcess 32c -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2fc -NGENProcess 310 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 2fc -NGENProcess 30c -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 2fc -NGENProcess 324 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 34c -NGENProcess 30c -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:1392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 34c -NGENProcess 2fc -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 344 -NGENProcess 358 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2a0 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:1588

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 230 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1544

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1416

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:964

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1820

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:820

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1640

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2864

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2172

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1800

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1608

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1664

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3044

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1636

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2308

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2716

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2028

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:580
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2732
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  - Modifies data under HKEY_USERS
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
454KB

MD5
b05c9cf4e236cc82cb86d35e2e31904f

SHA1
958d82663079ae0a5d943a66b12a0ade31e3cd35

SHA256
8906d0f13df61b25225f8348232d34d73a42ee02be288fc13cf330d65f4bffd1

SHA512
5ce62c9369926cc0c128437305626fef29c3057c6c30579c9846b2568dd1f3414a87af13aaa2c7832bf97eab1234d21a8b2ed25a948a3f3973269d040aa632b9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
1.2MB

MD5
78c01523229f416bfebd3d83d5f482d5

SHA1
e25f376ae7c623bde6ec213fa87b098bef7c8ae8

SHA256
22c7b8adbc39180066750e3c9863e10c7f426fa4e6e0aa28a4d55c092bf35429

SHA512
4ab769e09e4fd3b3aca9ab57cb572d6e394e2260ae4fd802b4a815c21362187951481dd47a31199a3567e277c3d70d3377f454f161832f1a4fa58543c73bfcc6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
732KB

MD5
44afd839089b06f63cee541f79024100

SHA1
4333345372b6d3d4947b5db51853c7b9046c7cf6

SHA256
c740f7a60f1ddc225d6ba4a6173ec00aeb1140afd83c093362d10b2735d16cdc

SHA512
085b5a2bcbd8defb127f7353f528f8f08061a229e2f6dcf372fa33cac76f14eab7f23be7405f7a930dca1b982ab016b777e110c5f072c39412d15a405fcb96b0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
163765b1ff57b81c7d5b52cc6e3869a5

SHA1
f038d471d45d3f8e4c0b1a11320ec321efa91f0a

SHA256
1798909537a2eba7f79d4e3aeee1250489e3cc10dbd8a031507c25977df17bfc

SHA512
f428d47f54bb05120dff725d5cf8fe4a5f8d559280c91955475a218d168938356853d239429da7327cb2f053c81f9e9f26fc88a1bae10323d80bca6d67ca1ab8

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
80KB

MD5
284516cfeebba738e3b3c82d397c38a3

SHA1
e5b5eaeeaf71b3aa55d2fc45890d283a97daa518

SHA256
7fb190a4e8e3ece48c1f5d7d57cc799e001a6c362b7c15dd9b168e365011acf6

SHA512
b3fc258c155cc4c062ea755901054e141442f86978edded851b2c67cba50043f562bcd25e7348a611abe42dec042140554f8f9052d71612b5b610ddb1a8829ca

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.7MB

MD5
0b5fc33fb4c30767763b326900e3f2a4

SHA1
b612211f8dcc1c78ce1923c621609310a204b232

SHA256
a2a620f0ed0dacff2f71820be6fe6f33d0cfd133cf6306bfb2fa6d61b7ba67d0

SHA512
1471c9d08d64c144b4a8cbd21be587fb4843adaa4eebfc6efbe074c268651972e22566a11499433c4e3fb726bda2bb271fd0714f1d5938796ef0be1ef2d3d003

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
10b29ab6a20f00bfb34f115d114c9f3a

SHA1
12fe0187e6ad0382241bf272f4c876d5cfb84cda

SHA256
618d9073b5daaa227bc665901cb63eb5399f5e7c6a530fd298dfe8f90f4acd65

SHA512
8dcc96c7a2959f07cb9ef87ae512a84f00cbeaa50a9a92b121fe5557664b3ec6b36c49e443ad654fb1dbd06f6f9147913805b821d8b9e025e89ca9ff28c61f35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
120KB

MD5
85a9bc0bdd76a717b5016d810eb49d04

SHA1
e09d7a26f2c73743a8c8610af367b341b2f1ed98

SHA256
aa8c3a6c17002514eab4160cd5b475c28474714eb06468eee2ea5d670fbc00fb

SHA512
f511c4558d1761f49387604df4d0872004170bb0a677334d38553e7026a0fdb7532d39721095d542173881e3a42ace16149fa3b724a974762704ad460781ad3c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
623KB

MD5
09242b0cf1a26476af3662df07a9df44

SHA1
9ab823dc0d453f84c9f311eca4f3c4fd4ef289d6

SHA256
df211b0013469a88776abdc40ffb1551fc7e883c16e6e45f53e466f0a9eb7821

SHA512
1d6a4d9daa3b72cebc805a8edb1deb6618071871bbefeb09036cfffd24f871cbaed9698c34f6dcd23e15bdb16bb4f4a485d8a628e9beba585de9c13e6d8c579b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
825KB

MD5
72274b25af6d95f59696c7293312544e

SHA1
2f3c60420ce7c964b068591014f357d715c59b88

SHA256
ba9e774d41d1ef3e14591da490705d9782403d89b00e1ce9aca93249db416f7f

SHA512
4f1fa40b89a80bccaee3a3af0dd38c91c031dc494778510ddc2854b7ba2ee997f4610ffb50b7c21d489c74616b71802cbd7fb1a8c6d2558274181339de64033e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
246KB

MD5
20c6a645178c153616b2b958bab2149c

SHA1
1e2dfe78a89b0780469257a320de68e15f4d4a95

SHA256
2034e047b6c79d4b612f77accbcf12bb67abffbec652fd6987504818b297d460

SHA512
52e1c868dc211d88b2b552e525a3ed6b11f3d6102966e6b4a1940e269c01b0ab1760850601cd65e15b604d6e326de7d4aaf453a26874cd657352a05e41daa1bf

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
342KB

MD5
909b8d3af7e6f5781dd2101742e03a89

SHA1
024fcb2edf5ec330503c6b207ebfa9f1ab383491

SHA256
13a99229037b2252fab7f1a37e1b7f06e19304302186e85771d77f1d82544608

SHA512
c417235a47aa7e6a77411b705ace944d5d13615565ab4d9bdd1f6fefbba3e5af7ec9260942a0afbcb4fd18c7de6fba1e6658b34c378f5ac82aba2f45932117e1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
450KB

MD5
d9a4700bddedb05c9625b1d21302910f

SHA1
478ac0dbe723b70705af9bf6e55d8eeec3ae207d

SHA256
feeaaacdfe48812c8608ff3799d91a78f1c5fa54ff3d34fe75cb0d87d6f8db93

SHA512
07c09bdecd5a1c96d80af0a5afb8baa079e7252572100da4bf921c42b2c8061078809461e5d14dd5247ae2fd97396053fdcaaf0b99fe1263f20b1872e3d17da9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
42f03e94bbb3d848e711f55ca8c729f1

SHA1
f04a9a7aa2fd142fcaccef2686d6c1fe8e7cc1c1

SHA256
4a442b4b3e65514d1c8392173ccb85faff73071c9df3769dc6aea95916b789b5

SHA512
8cc5088e71a4ddfdf2a81915d21e333ee43ba60863f54d7903478aa65c3860794ff523e7743a257b6d545bd1c6ccdf5bc32817a72a6ad9dfb764e9302d34ab61

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
370KB

MD5
b8ebc0caf7a1f5831adf9e4f69ae7775

SHA1
2d238117d1c2b80c444fa719d90c2da04be222b6

SHA256
fd4b91a35881d12cd2a6b76ae584bbc69d0a375ebd5098484b89118847b765d0

SHA512
cdfa7795943593e4290998ec144f9e22c40f43ce062c794e2a5c93f9cdb1e8b354b39b01166f8dde6858f450542148ce6eeb84495dc5220877fd1e6c32bc215d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
192KB

MD5
1e31fe4623905a7ac54d5af1ef1ed944

SHA1
2536bd970c523af356e1fe593ce2ffe5966f8566

SHA256
97155e59310f11107f3775d2acb98802413a99d1090b3e62ded4c221e22555fe

SHA512
72256995829236bdf82ff17ac7ea0440750f8dce65017593a7ac5d960db50832a84c9ff2d8fe2b0181fa2378f9dcbe5d970aa90bf24e7c4a1d132d41937ce919

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
85KB

MD5
3b5e59e918b22d725b740788bf5d8e4e

SHA1
1dc1f191611623ad78b0c7ae82148856e3f96a81

SHA256
70010f8655d47f9a956a279c8ca9ffb7e24bc54acb40fecd015e53148f792aaa

SHA512
ab26f07db3a84d913a61084eae30f8bdefd13f6636fb2115fef5c69454ec9dbe8275896b54cfdb4b386cccd192bcb89ca2df23e16eaf1211f346613412f21756

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
551KB

MD5
f82db4ff5cba18c55888e5b27dc51666

SHA1
e72cf5c3ef466c48e4c1a63d371b4a47c2fba4cd

SHA256
f3e646afe1946d32cb8ca12be6b844964e0d3114f097249edf9b2588ba3de4e4

SHA512
cbe619b8d873e0216b9e42e8395926aab1bfd879c07ffaf463e172e497b95d82bfe55096f35f09aa46b77a771fde5a18c1118703a1c982b85d542c57ce281127

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
692KB

MD5
fee429005abcf5e9ec0fa43d27c1e099

SHA1
c370bfc4f7d7e4b8ee39f21cc6c227759ecde6f7

SHA256
f4a542aee37b861ca14388aed406342e609db5a4325c6c943f97609ebe9344d4

SHA512
1ef60685db10fd4013998f9e7e02d3125ac88613194fd76b5e568ab6bc3fd0ea37820131f701de99d3a7bef407308e475983c58a1155afe0a9fdff6c37bf1bf7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
273KB

MD5
e61ca9b427dab6fcf46419fe46239026

SHA1
478d67ee08305ea499279cbea2bda77601bf1d42

SHA256
d1c27e39248c0609041fdc2ebc8e68a8a08f868b25c29c88321be601908a9318

SHA512
04c9c904c8dbdda2d0d8aa20cca2ecbb698b2d2cc4d80a5d40f4757039232d731ad6e16c314c29b9d573bc1758a7742f81dfd87862c438b60bf7616282146dfd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
405KB

MD5
684e9f73f85e1c4cd98a67bb8d597f9c

SHA1
d075e1adfb3e318d2faafe894941354d74ff6558

SHA256
96e02ab4cf2aed3b3dba62b960a8f710bb677108b96d5f6e52a8fa89fa70acaa

SHA512
200b1b6ebd39430216e050909c44ba003d68177fb0d4d0e70ca1c357b073da6aa10f5455450ee0a3f2eff8cd49881aec10067689ee63b99bd67135036b65a1a0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
903KB

MD5
77fce907431bebce2a24d6d44fe5c13f

SHA1
fd6ed9ab0f99b94d767bb3c1bae854de40261a79

SHA256
99ab55cb14342ac5a83550449393a6a88c201851698b20c8f8d5ce6878d9d0a5

SHA512
416fe6d233bbfe0c0a672352b4f37620c454f87e40503350ece4258cbe1489f589743d562f7207632e0f035fa2cd63935a8f6a79bcd1368e63b302b1c5368f64

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
182KB

MD5
0342ca16a8812cc340d1277d32d21aed

SHA1
0a8e848b7eabc93686fcf7e803bf8c86fdc3c5c3

SHA256
a13a9535e7bbb9d0549ff194d0189d6760c64358aa2dad403ffe914d2b2ae431

SHA512
c7ae135f44c6e42c1e1f167c747e2d43d9c6d4f558d9310021c47308ca59a74098873d3806b2f5bb177eb055b7254d31e0c43bd98048a4f1b44bc65f0330839a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
83KB

MD5
50811598918bd03701eb156818a7fbc2

SHA1
34ced97f401f869d75bd13de765251568e8e9550

SHA256
299f53d84a4b7e5674b18ac3e5de6732bc9b2da320628c88b8f6701fc87507ef

SHA512
b98b7211b9186ccd5b2e36b77c9ebda0476ecb2bf2236008c141c9920d7132b3aba6e595960e82a8614c9cca3b41067056c8cbb5dd60cc23438f58b1ccccf8ad

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
739KB

MD5
3997dfcee2921c7f530d0aaf58a12d63

SHA1
c6914c0de42009628c32f6e6a4407601eeca86f2

SHA256
190088a5a1ea82c6923bf618e431caa01e44c8c4ba647f1f05422656e6eaf4c0

SHA512
bed2c77b5d8e02c330a8bcd27541f6559edb1755a5a0a51180dfe5c56bc4e524ff550176e0916bf0476a68c9b567539233f6507222c782ee85303d03fe5e6bb4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
96f6291492b64e2cabc0b41624cd1460

SHA1
2aaac45d7c9500a4a1ec5c557075dff1f5ca1261

SHA256
54258168d463f45d73fdadaf3066806a597c505aef819b587026497c445cf7d5

SHA512
1d133bb6b4562307cd708e05e8bb84422e459fe39d5b474b54402eccd13fc194dad2dcd37de849ff6ad48cdeca4070a39902b33849dde629aa9aff6e71daa08c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
749KB

MD5
aaa5781524dcdcc4d2641af0370d0caf

SHA1
70a1bda274796dc360c22570e060d0f5438c0f85

SHA256
6b25fe859e9f7515a31c8174fb693bf4d04042b687d7ec0e3929a07e2cd9b09f

SHA512
c0bf56342640ef5cd830b4e2fc75ae7da07b481e4aaef23ed6c018aba05da77303de0c86a25517b5129bba16c22bbd78de490cc088b8c093aaae90994760afe4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
134KB

MD5
15fb07c51764949cfe2dd6dd25475f7b

SHA1
b3dbf25a4e8615ab3a59adfd84befc2c82115c29

SHA256
305551b65a665c20239a55c8dc42c621dfaff5c8c9ec88df987b81a23d53d67a

SHA512
3c8cc8fbe837d0909b4d02af0d59e4e50c73699f78968f6e6bb8af7fc04c274671b3d5f551ae60f669a1f5e0e9dab314b4e4482b8aacbef99ab1275983b2c7ef

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.1MB

MD5
8fa8886771659bc317d38f60b86b805c

SHA1
75f95105ea5ab5c2179ae346243003e755fa1155

SHA256
1b7d5f2706c9720901a779c2aec9f81e12e4afd23074e1da55ffdac487806a0e

SHA512
27b4420f0defd8117c9dd631609f5d7bd794c03c2eea010c9c40bf2fb81753d1800fabfde32c0e3a517a8568082dbcc8a331375675b534e169b02fa5db6c6b47

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
638KB

MD5
72302ad68bce0f364cb57c9ee3738c92

SHA1
f2f6320c62a227e37fd551efadc36c40e7ec83dd

SHA256
ea6b49c3a749a9b039c909a80d774638d62e310f980ff98bb19928f603aba196

SHA512
313ce78a590f65dd3a3091214c2b7b144909f4d1d4bdf82b0a7c81766a9e3d810ff41b4158b5aa6deb1ba7a47ef5d655d80d6c0c4244584c0ad916fabb34f8c8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
622KB

MD5
edc70c50554fe4c0d1f954a9215971b5

SHA1
2f587939d5fc46cff60791829d7c21a52d81163f

SHA256
92abcb8bf75f67afad3d665aea431ef8f74cb452184c342f11b9e6f2e8e67358

SHA512
28aa15e8fd04af8bc30f6c0591070aea31fb22531147c965241661f3209c6ca2c9bb7d9e53f8ab03c9a23335f705461d8754e275045f4c3be14631044d92956e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
696KB

MD5
b77a0d9963e3d1259a98c247ad617048

SHA1
ee06d4dae0d26992c04e8554437428f6547f5910

SHA256
29cf06ffa8cc73860706b7ebcbe6060006a2a6be74de6e794d13a83dc3223cc5

SHA512
3380768166bb9cdb1c83537ba185890eadd0bfca66284f8f43c4660fff5028511888b66daba491b3f1056e4eefee7fea43f3ce262f7177ef56c4f3a9849f94fc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
64KB

MD5
c8f0c8f33993cc07c17665df3ffb7ae3

SHA1
739860cdff4260fd1585ca4087dba976b4b14186

SHA256
b7644a9237a55d9e79059ff6034df04b15b454766a37882d55d93f8cc648c01c

SHA512
5c2f35f45c193a6479814bc8684b8fb1f802d48a4f0b11cf103766bc8693581fd56209c14f61af2b88c9939f5557cb6516cdc08ff091acde5792d71a29e9df89

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
256KB

MD5
498f8b87095e10d607486231ccbcec84

SHA1
fe66461d14cc92c210af0e490fbf4f58d5760cdc

SHA256
dd94f233b180f173fadcea0c04aaa3350c2e932a245b35ecc921c1e9c62b3cd0

SHA512
be1145ec91528ef3c4ccfcb94815d21b4e84ca00de4e659c6736f74528a597815c40fe86832924b8decc5c1407753f510e10bf1db291d9fd3b1c2f4e4a50a54e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
768KB

MD5
5e85aff330429ce339a3ba5c3c94e8ab

SHA1
6c7b8319ab0f641ed97f9f986eab6cfd46b1c234

SHA256
b30af4d5d7426246b9547bdbeb599d534a7dab41aa331de9bcade7efea301aa0

SHA512
db9ed71917928bc39431a752073cbdd88d920b2229921d381419b1c245c60f8f233e7d45d231b1a4c95d561536827943c298cae7335a57a4a1509827c2f61598

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
781KB

MD5
30c983c2d671b3e56d0d54dd49959e23

SHA1
d59e2d3d7f23d1a64c9af0e9ec59811b7d0cd5d8

SHA256
b0f20932b7a7c1792558ad582514763fca0bbd3ab58db5a859f04d2160a7d607

SHA512
d599319a58f129af4e1b0518ab01056108f879f2e31973be4034f21f7ec7efa787ff4b06784464104caa6a22918220c05bcff94a6d18fdc2e7f99381868ea3ec

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
d883d9e04698bb26a1687c1ea74db514

SHA1
5b6d736fff9733f192113e67e777acc501e34d6d

SHA256
994e817a76f0105ad15d32c56d6f056b8dcebd62bd2ad2b8116cf8866dff2f4d

SHA512
33a0e822f0e591891bb6bed03b94d935f9a9a4a783509ab770aa79741ef24f7dc2c93292d69c45cf7e0b6927c7e41116bb74ba456e2cb8fd47c1a41d5abe65d5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
305KB

MD5
5217287ba8beff03e2a1775161466665

SHA1
43b1f0be593c40c379da4c58e69ec63ec400827b

SHA256
ca6af9d0cc18a4f84d87bb9527db360b7176953e03ad938c7500365400f430d6

SHA512
f93aec815ee8e1cedf760275be423de11f0c388347cb7c3d7653a2622d5689610049e232aa4e06aa8990605396ab92ac86be9d2b9fb4c93443aadb1bc65f8ba7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
174d0aba2fa8ff1e7eec7d47f637ca5d

SHA1
55ba67c27401b178c770722050e6d0bf0554818c

SHA256
634dcc6e576a1dec6c8a70a6324a55ce7265a1e5ce59b355391b33c42eeeb8bf

SHA512
808d801db1cbf1b87eda412417470dbd5c7e7d9d3c4f246196f25d9e5ffa2082ca19c84bc51e52c4eb197b066a921be5575a9a032478d03e34e4db88e35005b9

Download Submit
C:\Windows\System32\alg.exe

Filesize
413KB

MD5
d325d5e8126b2c29c10aa1f2b615df90

SHA1
d5976f3c31d236d6444a91f05783fc29b40f6e46

SHA256
33fa26cd873542fcc3aa5117bfab68db42b1b236654098d3c8173676adeac57a

SHA512
b846f4ccb96848db0689b6cedc0418f7a35efe49ade75c5fa04982f6dcc528d4f7e606b9b987e2a281bb42b03df80fdfd434e2dde720f2f7e3f1b5079867a944

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
65KB

MD5
7c6bad2369e0ce011458dd3766f964b7

SHA1
cd7b678486b40498e0e9b0fa0f7b4a0e67b36bbc

SHA256
0bd3e1d154ba3125c6c93d46a4396c83fe30dfed77e82881fa0095c2d51b4df9

SHA512
416c12d225972d59b1981d96c11636d3d1a78f61a9b530afb42da8d2bf7b59ab0898b21cf539830de6cd68eed0de056d35beb0dc7afc9e108a52697d3856ee09

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
61ce98050ecd5447a14868ab21a46068

SHA1
581982c3be96da7c72282544d807fcdf55ad0a36

SHA256
0be88e0d1819a881947ee87733e726f16e2018c5cade9c8ef62050f5a0abf210

SHA512
c580c68b405879f1d4fb912d73f94aefc026981e4452927ef41e671871301722fe4161298b03ab39727208627681a7f687c904a7fb8d3b9b8984bf9c47eeaf5c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
4fb996fab75de6c2df0732a353e22b1f

SHA1
78f5c24c6f226611974ac64b1890161ebf8288fd

SHA256
24c374d7eded31207a2d2318cd3e698ae6a8b5e4823c0f4621d1de32c28a1275

SHA512
d33e679c834175091ce6aadffc7c25ccc8aeb8f20f449ae5d17dac168718d0cacb1f1ff87c6ddd8dc89d55956f31e5393b2b0d8e767fe4a2e0077674e8e98b8c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\1f5d757f0db1005daa2dee10d6117655\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
0357fac505a1028f1b803e4170de3a62

SHA1
0ce8e6445a23e02b8b23e964e3cced0f304f556d

SHA256
c0d079e51a8b642b9e7fea65b241204f4d890ec4f81030b6e1cfc86ac8a2c435

SHA512
ebde8c35ffeb88ffdcf14b0e7ef669acd641822e9b3a919aeb8a29b01237a8b3b44e3a446d4a6b2fb53781e944dee94ae471b94ee12e27a279169d51a87acb12

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\524df9f08d2e58ff1a424e81659ebb87\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
228fa86bb229beed784f29dee339101d

SHA1
ecaef8b315db2217f06fed05d8d875e67698e681

SHA256
103b7368643333b8c1af5668ccb5d97ae37f50abae766e85bc1627bab2378789

SHA512
9b0551404c47832def070cb218304d718e711e6f625b072836c34817320ea55ae9618b862e09a358a2970e79eec653c5497349450584c507ce58f4cec504b079

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9309329c0493b86876098d71cd260e6e\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
56638cf33584fb38425ebf068dada583

SHA1
fc215d95a41e3b508967647fcba7ea50e643c083

SHA256
0f65e2f673f781b56e681cf2cab6a7f5d34ca501d116c146fc6a06e3cf4ef46c

SHA512
64ed094dcdccfc31e15be9878a6531b6e6436ddf2babc740e3e7cb092df98d1fdbbecafe94cc7922bf57601f65eafbf66aef9a196e4d0cb47ca952e5629c1e71

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\c5945506bd54a381dbdc53974125e92a\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
1cfd5a35edda97f12b08c391eb8c06dd

SHA1
89b713cebd0c93a4f60abc154d861f398e6faa10

SHA256
bac6583b3be98aa26ef8c070d507a4729aa5015ea29a92dad20f194e07470662

SHA512
39ce6accb62ebc585bfe034ae5af947e0bba934db0ef68b042f6723ed947009eceb0921f18c264af896067f233896a159ef5727eb368c83cfa5846b752320756

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
e83bcee70e9bc2ee7a9af6d00c58428b

SHA1
5160296d6fa1e708250e6def770bf1f0a9bd0ee4

SHA256
423c647b990ee54d5e8edb30a74cd0fc410d51bbc4deab33b7d814c0ec27c4b1

SHA512
5e7c9a904b6251f51cf08d6892c68fecaf2cb0cee3b4ef38d43ba8a1d905a4288f3281027b6f8f1a9b1248f157acb7d9805891e4690f85e1cd60e037a4f87b58

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
578KB

MD5
680a9a8c2ccf3d41f09a54c04698da00

SHA1
8496fdc7835d334c59ed6674bef33dc2a8708b73

SHA256
fc9457aae759bdbdf0daf7becc8fd49b178fac850022fa5b82ab9654b68a5f4c

SHA512
02fbd760d2014c6212982ab4ea3cd077517cfd4e4c6e3b5fe01a6992162a77c8a617e8a517a70598c688dcf550409497919c357966945fb7c9c5a71e1cb2f574

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
64KB

MD5
76c7ceb5f01e621f0d80e0aed897b05c

SHA1
9524aff5d739cbaa24eae3f469838554fb0ad573

SHA256
48c87b3791ae908c303f54bb1fd0d08c05a873973abb323a5d120227fae6f23c

SHA512
03a43db1847fa42ae5d9deef24429574cf855c958ba9b781de38a6dd15df7befd4518ba2bda83261200367b905a94c69b2b13c682251fb4925d9c5b13ccdcd54

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
885c61252a1506b6c7e8b8ebda76db80

SHA1
f2b2d37c65dcdd8f2741a3d96c47bfe98664afe1

SHA256
9a3022bc5e7eaf3084e05d02c90bf273af60201e036448757f25c55cd2f82ed8

SHA512
2cfea355de4db3843fdd5fad084449cdd5604cfe8ed95b5d96ab47368ab449996968254321026310d5a8d4a3d5977781963680345bf125ea90f06aab18e68bd9

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
80693a026a2d1093d9df6b5f4d30e480

SHA1
2597691bda0d6e1216cd31e4d016003a468485a5

SHA256
c8bccc50c3d88fd1a0b0919b9ad9c6bf33b54f29681ffbedeb8e54c6844d4b2d

SHA512
64f3ed845d90822ce365fa6778c96c38264299accb59b1d973169d74c5ecbfe69153cb7ac4c043273a3da3d43643a054511ca5bf6f3defc47993e3aff0b3970d

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
640KB

MD5
2a78873bb9e5fa2f8951207f7401cb77

SHA1
86098f43f9990c7d5e4a493dd9795fbdf6a26fc5

SHA256
a9654842e5b52eadb9cef5b145bc90cb82aff88e0c80adfc5cdfdcff67b19128

SHA512
c7b7518aea647a7671c5658e3fd6e24b7e545d74541e7aab6e372ba4269b998abba85198c03de0860925d1d9810bf7efd8db9ab51ed54971825eec9832756078

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
337KB

MD5
875f3a989efd7511aaec0e4ce996e645

SHA1
b28a033964156a25efc719ddb242a460450958da

SHA256
dcdbd9cc1c83eaaedc863d2e93ab8111bfb68d1c99831cb8fef17ea376910eaa

SHA512
8cabd7cd9ba5fb16d2d5c51af8f61c142d41b5a9266bc9c88af23c72cd525e26886340eedae51463cc25df9c42f91413b0b68bc334eed96c9609a1d0b0953513

Download Submit
\Windows\System32\alg.exe

Filesize
407KB

MD5
abdb8a273d1cb9f65449a9f604378391

SHA1
7f7773ca31ddb6d9a308cca4559f050f3ad5b37f

SHA256
0941c0f135263db13181c23be0813fab04dbc1534741ed0bc19ac31f0b473742

SHA512
dd4481d27b3592a621b65a8b3571e82f2fac8a40802a67a80d746c7d7d2ed22188558fadd4e4eaa9ecc81520b6cf84edc2055d8d8dc4f0daf2ad6be90342019d

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
4460e1ee3a292e087841aa4b124a5939

SHA1
17749a3d0f33e2c9e44ebaaf9717afa683b59549

SHA256
ce86e2c79702c0407268b31a850cc8874d6edc398f92ab6ea2c9038dd8514d93

SHA512
456bcb686745044c97d360073e7c42b7b3c1a278de456b6c747bde45aae8ce6fc3a60724a7aa0a09628e111aaaef6f834171fb145a8989c8119c23f57840dde7

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
0fa205bd30fec9545b629252115dae7f

SHA1
2647964cfdeb5e606223bd21205b268c848cb98c

SHA256
9595685905b69119f5e6b23cd6577276a99b37ebd760d03e0a0573e0cfe56b81

SHA512
a221cd63ccc7b6d54de816e01ffe2450f0d17c378cb20c699b0453425decf15d4d77e6b40a916dab7e317b74a2c72a31624c63560a1bc7f521e024f90d3c514b

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
342KB

MD5
50272bbc4ab86ed2d5befea947c725cf

SHA1
bda5c3597c2cb6be28a8959b9ec5a0a12a6ff2b5

SHA256
2dddcc353d7c398881d861050c6c84f6d69f00f22f7d55b03b1902b683d36068

SHA512
6c8dcd9d10f732eb398bf8d9f1603ff3153ea089b771d066ae2ed5fe830ac2b9f038b8ab754d0f3a0585fdf84b9c380481c57d88018d542c4b5663e09788698e

Download Submit
memory/820-289-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/820-208-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/820-357-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/964-326-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/964-201-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/964-191-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/1056-143-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1056-144-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1056-215-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1056-149-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1228-403-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1228-355-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1228-106-0x0000000000480000-0x00000000004E6000-memory.dmp

Filesize
408KB

Download
memory/1228-111-0x0000000000480000-0x00000000004E6000-memory.dmp

Filesize
408KB

Download
memory/1228-408-0x0000000072620000-0x0000000072D0E000-memory.dmp

Filesize
6.9MB

Download
memory/1228-385-0x0000000072620000-0x0000000072D0E000-memory.dmp

Filesize
6.9MB

Download
memory/1228-366-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1228-105-0x0000000010000000-0x000000001014B000-memory.dmp

Filesize
1.3MB

Download
memory/1228-140-0x0000000010000000-0x000000001014B000-memory.dmp

Filesize
1.3MB

Download
memory/1416-204-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1416-178-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/1416-186-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/1416-345-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1416-317-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1416-181-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1504-497-0x0000000000B50000-0x0000000000BB6000-memory.dmp

Filesize
408KB

Download
memory/1504-501-0x0000000072620000-0x0000000072D0E000-memory.dmp

Filesize
6.9MB

Download
memory/1608-391-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1608-370-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1608-393-0x00000000001B0000-0x0000000000210000-memory.dmp

Filesize
384KB

Download
memory/1608-446-0x00000000739A8000-0x00000000739BD000-memory.dmp

Filesize
84KB

Download
memory/1608-541-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1608-526-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1640-302-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1640-301-0x0000000100000000-0x0000000100141000-memory.dmp

Filesize
1.3MB

Download
memory/1640-362-0x0000000100000000-0x0000000100141000-memory.dmp

Filesize
1.3MB

Download
memory/1800-349-0x000000002E000000-0x000000002E161000-memory.dmp

Filesize
1.4MB

Download
memory/1800-488-0x000000002E000000-0x000000002E161000-memory.dmp

Filesize
1.4MB

Download
memory/1800-364-0x0000000000280000-0x00000000002E6000-memory.dmp

Filesize
408KB

Download
memory/2000-163-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2000-168-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2000-304-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2000-159-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2172-335-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2172-342-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2172-328-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2172-341-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2320-101-0x0000000000E10000-0x0000000000E70000-memory.dmp

Filesize
384KB

Download
memory/2320-95-0x0000000000E10000-0x0000000000E70000-memory.dmp

Filesize
384KB

Download
memory/2320-94-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2320-179-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2388-122-0x0000000010000000-0x0000000010153000-memory.dmp

Filesize
1.3MB

Download
memory/2388-128-0x0000000000340000-0x00000000003A0000-memory.dmp

Filesize
384KB

Download
memory/2388-154-0x0000000010000000-0x0000000010153000-memory.dmp

Filesize
1.3MB

Download
memory/2388-121-0x0000000000340000-0x00000000003A0000-memory.dmp

Filesize
384KB

Download
memory/2524-58-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2524-12-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2524-29-0x0000000100000000-0x0000000100150000-memory.dmp

Filesize
1.3MB

Download
memory/2524-162-0x0000000100000000-0x0000000100150000-memory.dmp

Filesize
1.3MB

Download
memory/2672-307-0x000007FEF4310000-0x000007FEF4CAD000-memory.dmp

Filesize
9.6MB

Download
memory/2672-309-0x000007FEF4310000-0x000007FEF4CAD000-memory.dmp

Filesize
9.6MB

Download
memory/2672-490-0x0000000000DE0000-0x0000000000E60000-memory.dmp

Filesize
512KB

Download
memory/2672-305-0x0000000000DE0000-0x0000000000E60000-memory.dmp

Filesize
512KB

Download
memory/2672-351-0x0000000000DE0000-0x0000000000E60000-memory.dmp

Filesize
512KB

Download
memory/2672-373-0x0000000000DE0000-0x0000000000E60000-memory.dmp

Filesize
512KB

Download
memory/2672-375-0x000007FEF4310000-0x000007FEF4CAD000-memory.dmp

Filesize
9.6MB

Download
memory/2784-413-0x0000000000B30000-0x0000000000B96000-memory.dmp

Filesize
408KB

Download
memory/2784-498-0x0000000072620000-0x0000000072D0E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-492-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2784-434-0x0000000072620000-0x0000000072D0E000-memory.dmp

Filesize
6.9MB

Download
memory/2856-6-0x00000000005E0000-0x0000000000646000-memory.dmp

Filesize
408KB

Download
memory/2856-142-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2856-291-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2856-1-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2856-0-0x00000000005E0000-0x0000000000646000-memory.dmp

Filesize
408KB

Download
memory/2864-399-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2864-315-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2864-319-0x00000000004C0000-0x0000000000526000-memory.dmp

Filesize
408KB

Download