1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
Size

1.8MB
MD5

8f73e545d5aa9563e3d9757d8dd28093
SHA1

def75d4eeb7356121f00267292e3fbe98d4ce6c7
SHA256

1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f
SHA512

e7fc4d188cf7a7611e795318c8ab8761c318d56183e3e90c92e405de853fed011d9bdab8c93758465fdfb873a21dd91ee91fbc86bbc857a5a2d6dd3b4b4e83b1
SSDEEP

49152:YR4ck+b5kMJB7BBcJE+Q0OFvfClxg0YELRDmg27RnWGj:Z+VDJBdGJEaOFGAEFD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exeGROOVE.EXEmaintenanceservice.exemsdtc.exemsiexec.exeOSE.EXEOSPPSVC.EXEperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
484
2236	alg.exe
2756	aspnet_state.exe
2900	mscorsvw.exe
2764	mscorsvw.exe
2016	mscorsvw.exe
1932	mscorsvw.exe
1608	ehRecvr.exe
2256	ehsched.exe
1620	elevation_service.exe
452	IEEtwCollector.exe
1348	GROOVE.EXE
1808	maintenanceservice.exe
2056	msdtc.exe
2176	msiexec.exe
2540	OSE.EXE
2816	OSPPSVC.EXE
2472	perfhost.exe
2456	locator.exe
2892	snmptrap.exe
2684	vds.exe
2680	vssvc.exe
1988	wbengine.exe
1668	WmiApSrv.exe
2216	wmpnetwk.exe
1928	SearchIndexer.exe
1480	dllhost.exe
764	mscorsvw.exe
2564	mscorsvw.exe
2668	mscorsvw.exe
2364	mscorsvw.exe
2672	mscorsvw.exe
1352	mscorsvw.exe
1456	mscorsvw.exe
2184	mscorsvw.exe
2204	mscorsvw.exe
2612	mscorsvw.exe
320	mscorsvw.exe
2656	mscorsvw.exe
1540	mscorsvw.exe
2404	mscorsvw.exe
1796	mscorsvw.exe
2972	mscorsvw.exe
1392	mscorsvw.exe
1924	mscorsvw.exe
2360	mscorsvw.exe
2648	mscorsvw.exe
1496	mscorsvw.exe
1200	mscorsvw.exe
1536	mscorsvw.exe
1392	mscorsvw.exe
2448	mscorsvw.exe
2032	mscorsvw.exe
2024	mscorsvw.exe
452	mscorsvw.exe
688	mscorsvw.exe
580	mscorsvw.exe
2772	mscorsvw.exe
2308	mscorsvw.exe
1588	mscorsvw.exe
1052	mscorsvw.exe
2112	mscorsvw.exe
1672	mscorsvw.exe
2548	mscorsvw.exe

Loads dropped DLL 64 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
484
484
484
484
484
484
484
2176	msiexec.exe
484
484
484
484
484
752
484
580	mscorsvw.exe
580	mscorsvw.exe
2308	mscorsvw.exe
2308	mscorsvw.exe
1052	mscorsvw.exe
1052	mscorsvw.exe
1672	mscorsvw.exe
1672	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
1520	mscorsvw.exe
1520	mscorsvw.exe
2744	mscorsvw.exe
2744	mscorsvw.exe
328	mscorsvw.exe
328	mscorsvw.exe
1304	mscorsvw.exe
1304	mscorsvw.exe
688	mscorsvw.exe
688	mscorsvw.exe
480	mscorsvw.exe
480	mscorsvw.exe
2492	mscorsvw.exe
2492	mscorsvw.exe
336	mscorsvw.exe
336	mscorsvw.exe
1600	mscorsvw.exe
1600	mscorsvw.exe
1488	mscorsvw.exe
1488	mscorsvw.exe
2032	mscorsvw.exe
2032	mscorsvw.exe
2180	mscorsvw.exe
2180	mscorsvw.exe
2720	mscorsvw.exe
2720	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe
1580	mscorsvw.exe
1580	mscorsvw.exe
380	mscorsvw.exe
380	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
452	mscorsvw.exe
452	mscorsvw.exe
1808	mscorsvw.exe
1808	mscorsvw.exe
2424	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

Processes:

1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exeSearchProtocolHost.exemscorsvw.exemscorsvw.exemsdtc.exemscorsvw.exeGROOVE.EXEelevation_service.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\176f10bc78a61a12.bin	mscorsvw.exe
File opened for modification	C:\Windows\system32\locator.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\System32\vds.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\wbengine.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	GROOVE.EXE
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

Processes:

1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exemscorsvw.exeGROOVE.EXEelevation_service.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Temp\GUM1094.tmp\goopdateres_sr.dll	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1094.tmp\GoogleUpdateBroker.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	GROOVE.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	GROOVE.EXE
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	GROOVE.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	GROOVE.EXE
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	GROOVE.EXE
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	GROOVE.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1094.tmp\goopdateres_et.dll	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1094.tmp\goopdateres_am.dll	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1094.tmp\goopdateres_bn.dll	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	GROOVE.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	GROOVE.EXE
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1FD4E3A4-6FE0-492C-90E9-7EE360CDB9FF}\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	GROOVE.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	GROOVE.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	GROOVE.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	GROOVE.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	GROOVE.EXE
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1094.tmp\goopdateres_da.dll	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1094.tmp\goopdateres_hr.dll	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exemsdtc.exeGROOVE.EXEmscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	GROOVE.EXE
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index163.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index164.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9AB9.tmp\Microsoft.Office.Tools.Outlook.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP58F9.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{FCA94482-587D-44C1-8409-6979040D8254}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index161.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index168.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2990.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2146.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP24CF.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7B29.tmp\stdole.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\JZRXIKAIMS\Microsoft.VisualBasic.Compatibility.Data.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14c.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index166.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP68B2.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index163.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	GROOVE.EXE
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index159.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2250.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP23D6.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2896.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

mscorsvw.exeSearchProtocolHost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-308 = "Landscapes"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102 = "XPS Viewer"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\OobeFldr.dll,-33057 = "Learn about Windows features and start using them."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051 = "Snipping Tool"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

ehRec.exeelevation_service.exeGROOVE.EXE

pid	process
2124	ehRec.exe
1620	elevation_service.exe
1620	elevation_service.exe
1620	elevation_service.exe
1620	elevation_service.exe
1620	elevation_service.exe
1348	GROOVE.EXE
1348	GROOVE.EXE
1348	GROOVE.EXE
1348	GROOVE.EXE
1348	GROOVE.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exemsiexec.exevssvc.exewbengine.exewmpnetwk.exeSearchIndexer.exeelevation_service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1228	1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: 33	884	EhTray.exe
Token: SeIncBasePriorityPrivilege	884	EhTray.exe
Token: SeDebugPrivilege	2124	ehRec.exe
Token: SeRestorePrivilege	2176	msiexec.exe
Token: SeTakeOwnershipPrivilege	2176	msiexec.exe
Token: SeSecurityPrivilege	2176	msiexec.exe
Token: 33	884	EhTray.exe
Token: SeIncBasePriorityPrivilege	884	EhTray.exe
Token: SeBackupPrivilege	2680	vssvc.exe
Token: SeRestorePrivilege	2680	vssvc.exe
Token: SeAuditPrivilege	2680	vssvc.exe
Token: SeBackupPrivilege	1988	wbengine.exe
Token: SeRestorePrivilege	1988	wbengine.exe
Token: SeSecurityPrivilege	1988	wbengine.exe
Token: 33	2216	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2216	wmpnetwk.exe
Token: SeManageVolumePrivilege	1928	SearchIndexer.exe
Token: 33	1928	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1928	SearchIndexer.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeDebugPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeDebugPrivilege	1620	elevation_service.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	1932	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

884 EhTray.exe
884 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

884 EhTray.exe
884 EhTray.exe

pid	process
884	EhTray.exe
884	EhTray.exe

pid	process
884	EhTray.exe
884	EhTray.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

SearchProtocolHost.exe

pid	process
2660	SearchProtocolHost.exe
2660	SearchProtocolHost.exe
2660	SearchProtocolHost.exe
2660	SearchProtocolHost.exe
2660	SearchProtocolHost.exe
2660	SearchProtocolHost.exe
2660	SearchProtocolHost.exe
2660	SearchProtocolHost.exe
2660	SearchProtocolHost.exe
2660	SearchProtocolHost.exe
2660	SearchProtocolHost.exe
2660	SearchProtocolHost.exe
2660	SearchProtocolHost.exe
2660	SearchProtocolHost.exe
2660	SearchProtocolHost.exe
2660	SearchProtocolHost.exe
2660	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SearchIndexer.exemscorsvw.exemscorsvw.exe

description	pid	process	target process
PID 1928 wrote to memory of 2660	1928	SearchIndexer.exe	SearchProtocolHost.exe
PID 1928 wrote to memory of 2660	1928	SearchIndexer.exe	SearchProtocolHost.exe
PID 1928 wrote to memory of 2660	1928	SearchIndexer.exe	SearchProtocolHost.exe
PID 1928 wrote to memory of 1292	1928	SearchIndexer.exe	SearchFilterHost.exe
PID 1928 wrote to memory of 1292	1928	SearchIndexer.exe	SearchFilterHost.exe
PID 1928 wrote to memory of 1292	1928	SearchIndexer.exe	SearchFilterHost.exe
PID 1932 wrote to memory of 764	1932	mscorsvw.exe	mscorsvw.exe
PID 1932 wrote to memory of 764	1932	mscorsvw.exe	mscorsvw.exe
PID 1932 wrote to memory of 764	1932	mscorsvw.exe	mscorsvw.exe
PID 1932 wrote to memory of 2564	1932	mscorsvw.exe	mscorsvw.exe
PID 1932 wrote to memory of 2564	1932	mscorsvw.exe	mscorsvw.exe
PID 1932 wrote to memory of 2564	1932	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2668	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2668	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2668	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2668	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2364	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2364	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2364	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2364	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2672	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2672	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2672	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2672	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 1352	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 1352	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 1352	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 1352	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 1456	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 1456	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 1456	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 1456	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2184	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2184	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2184	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2184	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2204	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2204	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2204	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2204	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2612	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2612	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2612	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2612	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 320	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 320	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 320	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 320	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2656	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2656	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2656	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2656	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 1540	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 1540	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 1540	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 1540	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2404	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2404	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2404	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 2404	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 1796	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 1796	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 1796	2016	mscorsvw.exe	mscorsvw.exe
PID 2016 wrote to memory of 1796	2016	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe
"C:\Users\Admin\AppData\Local\Temp\1321714049bc6d570af998d1b1149f91c5b34e1a05129c82d256457f54a84d8f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2236

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2900

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 228 -NGENProcess 248 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d4 -NGENProcess 268 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2cc -NGENProcess 2e0 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2f4 -NGENProcess 2c4 -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 26c -NGENProcess 2cc -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 230 -NGENProcess 2ec -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2cc -NGENProcess 2e8 -Pipe 2dc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 26c -NGENProcess 2c8 -Pipe 308 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 310 -NGENProcess 2d4 -Pipe 30c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 310 -NGENProcess 2c4 -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2d4 -NGENProcess 230 -Pipe 2cc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 314 -NGENProcess 31c -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2c8 -NGENProcess 230 -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 310 -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 328 -NGENProcess 2f8 -Pipe 324 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2fc -NGENProcess 32c -Pipe 300 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 26c -NGENProcess 334 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 2cc -NGENProcess 2f8 -Pipe 32c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 31c -NGENProcess 2fc -Pipe 33c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 338 -Pipe 310 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 334 -NGENProcess 2d4 -Pipe 314 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 334 -NGENProcess 320 -Pipe 2fc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 350 -NGENProcess 2d4 -Pipe 34c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2e0 -NGENProcess 270 -Pipe 234 -Comment "NGen Worker Process"
2⤵
PID:3052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 268 -NGENProcess 320 -Pipe 270 -Comment "NGen Worker Process"
2⤵
PID:1776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 35c -NGENProcess 2f8 -Pipe 358 -Comment "NGen Worker Process"
2⤵
PID:1256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 350 -Pipe 340 -Comment "NGen Worker Process"
2⤵
PID:764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 320 -Pipe 200 -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
PID:1304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 350 -NGENProcess 320 -Pipe 268 -Comment "NGen Worker Process"
2⤵
PID:1312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 370 -NGENProcess 368 -Pipe 36c -Comment "NGen Worker Process"
2⤵
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 368 -NGENProcess 364 -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
PID:1468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 378 -NGENProcess 320 -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
PID:2724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 320 -NGENProcess 370 -Pipe 374 -Comment "NGen Worker Process"
2⤵
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 380 -NGENProcess 364 -Pipe 350 -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
PID:1560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 364 -NGENProcess 378 -Pipe 37c -Comment "NGen Worker Process"
2⤵
PID:2280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 388 -NGENProcess 370 -Pipe 368 -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
PID:2492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 370 -NGENProcess 380 -Pipe 384 -Comment "NGen Worker Process"
2⤵
PID:1304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 390 -NGENProcess 378 -Pipe 320 -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
PID:2244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 378 -NGENProcess 388 -Pipe 38c -Comment "NGen Worker Process"
2⤵
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 398 -NGENProcess 380 -Pipe 364 -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 35c -NGENProcess 380 -Pipe 39c -Comment "NGen Worker Process"
2⤵
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 354 -NGENProcess 3a0 -Pipe 370 -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
PID:2316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 3a0 -NGENProcess 394 -Pipe 398 -Comment "NGen Worker Process"
2⤵
PID:2348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a8 -NGENProcess 380 -Pipe 378 -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
PID:928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 380 -NGENProcess 354 -Pipe 3a4 -Comment "NGen Worker Process"
2⤵
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 3b0 -NGENProcess 394 -Pipe 35c -Comment "NGen Worker Process"
2⤵
PID:2712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 394 -NGENProcess 3a8 -Pipe 3ac -Comment "NGen Worker Process"
2⤵
PID:2772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3b8 -NGENProcess 354 -Pipe 3a0 -Comment "NGen Worker Process"
2⤵
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 354 -NGENProcess 3b0 -Pipe 3b4 -Comment "NGen Worker Process"
2⤵
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 3c0 -NGENProcess 3a8 -Pipe 380 -Comment "NGen Worker Process"
2⤵
PID:1044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3a8 -NGENProcess 3b8 -Pipe 3bc -Comment "NGen Worker Process"
2⤵
PID:1536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 2d4 -NGENProcess 3c8 -Pipe 3c0 -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
PID:784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 3c8 -NGENProcess 3b0 -Pipe 3b8 -Comment "NGen Worker Process"
2⤵
PID:2788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 314 -NGENProcess 388 -Pipe 3d0 -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
PID:1672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 388 -NGENProcess 3b0 -Pipe 3d4 -Comment "NGen Worker Process"
2⤵
PID:2536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3e8 -NGENProcess 354 -Pipe 3d8 -Comment "NGen Worker Process"
2⤵
PID:2800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 354 -NGENProcess 314 -Pipe 3e4 -Comment "NGen Worker Process"
2⤵
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 3f0 -NGENProcess 3b0 -Pipe 3c8 -Comment "NGen Worker Process"
2⤵
PID:1328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3b0 -NGENProcess 3e8 -Pipe 3ec -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3f8 -NGENProcess 314 -Pipe 388 -Comment "NGen Worker Process"
2⤵
PID:2712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3f4 -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 404 -NGENProcess 3e8 -Pipe 354 -Comment "NGen Worker Process"
2⤵
PID:312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 408 -NGENProcess 314 -Pipe 3e0 -Comment "NGen Worker Process"
2⤵
PID:1788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 314 -NGENProcess 3fc -Pipe 3f4 -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
PID:2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 3fc -NGENProcess 3f0 -Pipe 3e8 -Comment "NGen Worker Process"
2⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 414 -NGENProcess 40c -Pipe 3f8 -Comment "NGen Worker Process"
2⤵
PID:1312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 418 -NGENProcess 410 -Pipe 404 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 41c -NGENProcess 3f0 -Pipe 408 -Comment "NGen Worker Process"
2⤵
PID:624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 420 -NGENProcess 40c -Pipe 3b0 -Comment "NGen Worker Process"
2⤵
PID:2152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 410 -Pipe 314 -Comment "NGen Worker Process"
2⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 3f0 -Pipe 3fc -Comment "NGen Worker Process"
2⤵
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 42c -NGENProcess 40c -Pipe 414 -Comment "NGen Worker Process"
2⤵
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 430 -NGENProcess 410 -Pipe 418 -Comment "NGen Worker Process"
2⤵
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 434 -NGENProcess 3f0 -Pipe 41c -Comment "NGen Worker Process"
2⤵
PID:2832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 3f0 -NGENProcess 40c -Pipe 43c -Comment "NGen Worker Process"
2⤵
PID:2192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 420 -NGENProcess 438 -Pipe 424 -Comment "NGen Worker Process"
2⤵
PID:3016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 440 -NGENProcess 430 -Pipe 3dc -Comment "NGen Worker Process"
2⤵
PID:924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 40c -Pipe 428 -Comment "NGen Worker Process"
2⤵
PID:1964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 448 -NGENProcess 438 -Pipe 42c -Comment "NGen Worker Process"
2⤵
PID:1488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 44c -NGENProcess 430 -Pipe 434 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:3028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 450 -NGENProcess 40c -Pipe 3f0 -Comment "NGen Worker Process"
2⤵
PID:2524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 454 -NGENProcess 438 -Pipe 420 -Comment "NGen Worker Process"
2⤵
PID:2124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 458 -NGENProcess 430 -Pipe 440 -Comment "NGen Worker Process"
2⤵
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 45c -NGENProcess 454 -Pipe 444 -Comment "NGen Worker Process"
2⤵
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 460 -NGENProcess 430 -Pipe 448 -Comment "NGen Worker Process"
2⤵
PID:3052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 464 -NGENProcess 438 -Pipe 44c -Comment "NGen Worker Process"
2⤵
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 468 -NGENProcess 454 -Pipe 40c -Comment "NGen Worker Process"
2⤵
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 46c -NGENProcess 430 -Pipe 450 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 470 -NGENProcess 438 -Pipe 458 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 470 -InterruptEvent 474 -NGENProcess 454 -Pipe 45c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 478 -InterruptEvent 474 -NGENProcess 430 -Pipe 460 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:3028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 478 -InterruptEvent 430 -NGENProcess 474 -Pipe 47c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 480 -NGENProcess 454 -Pipe 468 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 484 -NGENProcess 464 -Pipe 46c -Comment "NGen Worker Process"
2⤵
PID:2920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 484 -InterruptEvent 488 -NGENProcess 474 -Pipe 470 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 48c -NGENProcess 454 -Pipe 438 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 48c -InterruptEvent 490 -NGENProcess 464 -Pipe 478 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 490 -InterruptEvent 494 -NGENProcess 474 -Pipe 430 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 494 -InterruptEvent 498 -NGENProcess 454 -Pipe 480 -Comment "NGen Worker Process"
2⤵
PID:1040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 49c -InterruptEvent 228 -NGENProcess 2d8 -Pipe 490 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 2d8 -NGENProcess 2e4 -Pipe 494 -Comment "NGen Worker Process"
2⤵
PID:2536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 48c -NGENProcess 464 -Pipe 484 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 48c -InterruptEvent 464 -NGENProcess 228 -Pipe 474 -Comment "NGen Worker Process"
2⤵
PID:2348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 488 -NGENProcess 2e4 -Pipe 49c -Comment "NGen Worker Process"
2⤵
PID:744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 2e4 -NGENProcess 48c -Pipe 410 -Comment "NGen Worker Process"
2⤵
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 4a4 -NGENProcess 228 -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
PID:2340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a4 -InterruptEvent 4a8 -NGENProcess 4a0 -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
PID:1312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a8 -InterruptEvent 4a0 -NGENProcess 2e4 -Pipe 48c -Comment "NGen Worker Process"
2⤵
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 4b0 -NGENProcess 228 -Pipe 454 -Comment "NGen Worker Process"
2⤵
PID:1680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b0 -InterruptEvent 4b4 -NGENProcess 4ac -Pipe 488 -Comment "NGen Worker Process"
2⤵
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b4 -InterruptEvent 4b8 -NGENProcess 2e4 -Pipe 4a4 -Comment "NGen Worker Process"
2⤵
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b8 -InterruptEvent 4bc -NGENProcess 228 -Pipe 464 -Comment "NGen Worker Process"
2⤵
PID:1920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4bc -InterruptEvent 4c0 -NGENProcess 4ac -Pipe 4a8 -Comment "NGen Worker Process"
2⤵
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c0 -InterruptEvent 4c4 -NGENProcess 2e4 -Pipe 4a0 -Comment "NGen Worker Process"
2⤵
PID:1596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c4 -InterruptEvent 4c8 -NGENProcess 228 -Pipe 4b0 -Comment "NGen Worker Process"
2⤵
PID:2864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c8 -InterruptEvent 4cc -NGENProcess 4ac -Pipe 4b4 -Comment "NGen Worker Process"
2⤵
PID:2100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4cc -InterruptEvent 4d0 -NGENProcess 2e4 -Pipe 4b8 -Comment "NGen Worker Process"
2⤵
PID:1916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d0 -InterruptEvent 4d4 -NGENProcess 228 -Pipe 4bc -Comment "NGen Worker Process"
2⤵
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d4 -InterruptEvent 4d8 -NGENProcess 4ac -Pipe 4c0 -Comment "NGen Worker Process"
2⤵
PID:1564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d8 -InterruptEvent 4dc -NGENProcess 2e4 -Pipe 4c4 -Comment "NGen Worker Process"
2⤵
PID:2804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4dc -InterruptEvent 4e8 -NGENProcess 228 -Pipe 4e4 -Comment "NGen Worker Process"
2⤵
PID:2832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e8 -InterruptEvent 4ec -NGENProcess 4cc -Pipe 4e0 -Comment "NGen Worker Process"
2⤵
PID:932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4ec -InterruptEvent 4f0 -NGENProcess 2e4 -Pipe 4d0 -Comment "NGen Worker Process"
2⤵
PID:1664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f0 -InterruptEvent 4f4 -NGENProcess 228 -Pipe 4d4 -Comment "NGen Worker Process"
2⤵
PID:2348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f4 -InterruptEvent 4f8 -NGENProcess 4cc -Pipe 4d8 -Comment "NGen Worker Process"
2⤵
PID:1824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f8 -InterruptEvent 4fc -NGENProcess 2e4 -Pipe 4dc -Comment "NGen Worker Process"
2⤵
PID:1328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4fc -InterruptEvent 500 -NGENProcess 228 -Pipe 4e8 -Comment "NGen Worker Process"
2⤵
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 500 -InterruptEvent 228 -NGENProcess 4f8 -Pipe 4cc -Comment "NGen Worker Process"
2⤵
PID:2220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 508 -NGENProcess 2e4 -Pipe 4f0 -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
PID:860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 508 -InterruptEvent 2e4 -NGENProcess 500 -Pipe 504 -Comment "NGen Worker Process"
2⤵
PID:1436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 510 -NGENProcess 4f8 -Pipe 4fc -Comment "NGen Worker Process"
2⤵
PID:2128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 510 -InterruptEvent 514 -NGENProcess 50c -Pipe 4ec -Comment "NGen Worker Process"
2⤵
PID:1128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 514 -InterruptEvent 518 -NGENProcess 500 -Pipe 228 -Comment "NGen Worker Process"
2⤵
PID:1660

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 158 -NGENProcess 15c -Pipe 168 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:764

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 158 -NGENProcess 15c -Pipe 16c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2564

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 154 -InterruptEvent 19c -NGENProcess 17c -Pipe 148 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2032

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 19c -InterruptEvent 1f8 -NGENProcess 1e8 -Pipe 1f4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2024

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 1fc -NGENProcess 1d0 -Pipe 1f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:452

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 200 -NGENProcess 17c -Pipe 1c4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:688

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 204 -NGENProcess 1e8 -Pipe 1a0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 208 -NGENProcess 1e8 -Pipe 1ec -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2772

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 210 -NGENProcess 1f8 -Pipe 154 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2308

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 1f8 -NGENProcess 204 -Pipe 20c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1588

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 218 -NGENProcess 1e8 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1052

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 1e8 -NGENProcess 210 -Pipe 214 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2112

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 220 -NGENProcess 204 -Pipe 208 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 204 -NGENProcess 218 -Pipe 21c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2548

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 228 -NGENProcess 210 -Pipe 1f8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2860

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 210 -NGENProcess 220 -Pipe 224 -Comment "NGen Worker Process"
2⤵
PID:2348

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 230 -NGENProcess 218 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1520

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 218 -NGENProcess 228 -Pipe 22c -Comment "NGen Worker Process"
2⤵
PID:1328

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 218 -NGENProcess 230 -Pipe 220 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
PID:2744

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 230 -NGENProcess 210 -Pipe 228 -Comment "NGen Worker Process"
2⤵
PID:2928

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 240 -NGENProcess 1fc -Pipe 19c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:328

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1fc -NGENProcess 218 -Pipe 204 -Comment "NGen Worker Process"
2⤵
PID:2812

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 248 -NGENProcess 210 -Pipe 238 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1304

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 210 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
2⤵
PID:932

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 250 -NGENProcess 218 -Pipe 230 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
PID:688

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 218 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
2⤵
PID:2744

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 258 -NGENProcess 240 -Pipe 1fc -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:480

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 240 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
2⤵
PID:2728

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 260 -NGENProcess 248 -Pipe 210 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
PID:2492

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 248 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
2⤵
PID:2924

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 268 -NGENProcess 250 -Pipe 218 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
PID:336

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 250 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"
2⤵
PID:1120

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 270 -NGENProcess 258 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1600

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 258 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
2⤵
PID:1652

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 278 -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1488

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 260 -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
2⤵
PID:1516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 280 -NGENProcess 268 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2032

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 268 -NGENProcess 278 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1972

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 288 -NGENProcess 270 -Pipe 258 -Comment "NGen Worker Process"
2⤵
PID:580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 284 -Pipe 17c -Comment "NGen Worker Process"
2⤵
PID:1484

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 278 -Pipe 260 -Comment "NGen Worker Process"
2⤵
PID:2220

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 270 -Pipe 23c -Comment "NGen Worker Process"
2⤵
PID:2648

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 294 -NGENProcess 290 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
PID:2180

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 290 -NGENProcess 288 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2720

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 288 -NGENProcess 268 -Pipe 28c -Comment "NGen Worker Process"
2⤵
PID:2284

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a4 -NGENProcess 280 -Pipe 29c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
PID:2808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 290 -NGENProcess 2ac -Pipe 288 -Comment "NGen Worker Process"
2⤵
PID:844

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 298 -NGENProcess 280 -Pipe 294 -Comment "NGen Worker Process"
2⤵
PID:992

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b0 -NGENProcess 2a4 -Pipe 278 -Comment "NGen Worker Process"
2⤵
PID:1064

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2b4 -NGENProcess 2ac -Pipe 234 -Comment "NGen Worker Process"
2⤵
PID:988

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2b8 -NGENProcess 280 -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
PID:764

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
PID:1468

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2c0 -NGENProcess 2ac -Pipe 290 -Comment "NGen Worker Process"
2⤵
PID:2124

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2c4 -NGENProcess 280 -Pipe 298 -Comment "NGen Worker Process"
2⤵
PID:2360

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2c8 -NGENProcess 2a4 -Pipe 2b0 -Comment "NGen Worker Process"
2⤵
PID:1964

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2cc -NGENProcess 2ac -Pipe 2b4 -Comment "NGen Worker Process"
2⤵
PID:2308

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d0 -NGENProcess 280 -Pipe 2b8 -Comment "NGen Worker Process"
2⤵
PID:1700

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2d4 -NGENProcess 2a4 -Pipe 2bc -Comment "NGen Worker Process"
2⤵
PID:2772

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2d8 -NGENProcess 2ac -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
PID:2928

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2dc -NGENProcess 280 -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
PID:2076

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2e0 -NGENProcess 2a4 -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
PID:380

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2e4 -NGENProcess 2ac -Pipe 2cc -Comment "NGen Worker Process"
2⤵
PID:1228

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2e8 -NGENProcess 280 -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
PID:1516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2a4 -Pipe 2d4 -Comment "NGen Worker Process"
2⤵
PID:884

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2ac -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
PID:2536

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 280 -Pipe 2dc -Comment "NGen Worker Process"
2⤵
PID:2656

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 2a4 -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
PID:1684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 2ac -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
PID:1328

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 280 -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
PID:2024

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2a4 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2fc -NGENProcess 30c -Pipe 300 -Comment "NGen Worker Process"
2⤵
PID:1964

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2f0 -NGENProcess 2a4 -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
PID:632

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 310 -NGENProcess 304 -Pipe 268 -Comment "NGen Worker Process"
2⤵
PID:2152

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 30c -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
PID:1596

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2a4 -Pipe 2ac -Comment "NGen Worker Process"
2⤵
PID:1256

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 304 -Pipe 308 -Comment "NGen Worker Process"
2⤵
PID:932

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 30c -Pipe 2fc -Comment "NGen Worker Process"
2⤵
PID:1328

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2a4 -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
PID:784

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 304 -Pipe 310 -Comment "NGen Worker Process"
2⤵
PID:2184

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 30c -Pipe 314 -Comment "NGen Worker Process"
2⤵
PID:1364

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2a4 -Pipe 318 -Comment "NGen Worker Process"
2⤵
PID:2728

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 304 -Pipe 31c -Comment "NGen Worker Process"
2⤵
PID:2152

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 30c -Pipe 320 -Comment "NGen Worker Process"
2⤵
PID:2264

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2a4 -Pipe 324 -Comment "NGen Worker Process"
2⤵
PID:2496

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 304 -Pipe 328 -Comment "NGen Worker Process"
2⤵
PID:1796

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 30c -Pipe 32c -Comment "NGen Worker Process"
2⤵
PID:2620

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 34c -NGENProcess 2a4 -Pipe 348 -Comment "NGen Worker Process"
2⤵
PID:1532

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 338 -NGENProcess 280 -Pipe 350 -Comment "NGen Worker Process"
2⤵
PID:1808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 304 -NGENProcess 330 -Pipe 334 -Comment "NGen Worker Process"
2⤵
PID:848

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 354 -NGENProcess 2a4 -Pipe 30c -Comment "NGen Worker Process"
2⤵
PID:2612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 280 -Pipe 340 -Comment "NGen Worker Process"
2⤵
PID:2824

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 330 -Pipe 344 -Comment "NGen Worker Process"
2⤵
PID:2264

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 354 -NGENProcess 364 -Pipe 358 -Comment "NGen Worker Process"
2⤵
PID:932

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 34c -NGENProcess 330 -Pipe 338 -Comment "NGen Worker Process"
2⤵
PID:1516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 368 -NGENProcess 35c -Pipe 33c -Comment "NGen Worker Process"
2⤵
PID:868

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 364 -Pipe 304 -Comment "NGen Worker Process"
2⤵
PID:808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 330 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
PID:2948

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 35c -Pipe 360 -Comment "NGen Worker Process"
2⤵
PID:848

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 364 -Pipe 354 -Comment "NGen Worker Process"
2⤵
PID:2612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 36c -NGENProcess 330 -Pipe 380 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2192

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 34c -NGENProcess 37c -Pipe 368 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:380

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 37c -NGENProcess 378 -Pipe 364 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:716

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 388 -NGENProcess 330 -Pipe 370 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2860

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 330 -NGENProcess 34c -Pipe 384 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:764

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 330 -NGENProcess 388 -Pipe 378 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:452

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 388 -NGENProcess 37c -Pipe 34c -Comment "NGen Worker Process"
2⤵
PID:1776

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 398 -NGENProcess 374 -Pipe 35c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:480

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 36c -Pipe 394 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 36c -NGENProcess 388 -Pipe 37c -Comment "NGen Worker Process"
2⤵
PID:2736

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 390 -NGENProcess 3a0 -Pipe 280 -Comment "NGen Worker Process"
2⤵
PID:2500

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3a8 -NGENProcess 330 -Pipe 38c -Comment "NGen Worker Process"
2⤵
PID:1228

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 388 -Pipe 398 -Comment "NGen Worker Process"
2⤵
PID:2264

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 3a0 -Pipe 3a4 -Comment "NGen Worker Process"
2⤵
PID:2280

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 330 -Pipe 39c -Comment "NGen Worker Process"
2⤵
PID:1060

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 388 -Pipe 36c -Comment "NGen Worker Process"
2⤵
PID:2032

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 3a0 -Pipe 390 -Comment "NGen Worker Process"
2⤵
PID:1104

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 330 -Pipe 3a8 -Comment "NGen Worker Process"
2⤵
PID:1248

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 388 -Pipe 3ac -Comment "NGen Worker Process"
2⤵
PID:2656

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3c4 -NGENProcess 3c0 -Pipe 3a0 -Comment "NGen Worker Process"
2⤵
PID:1200

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3b0 -NGENProcess 388 -Pipe 3b4 -Comment "NGen Worker Process"
2⤵
PID:2760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3d0 -NGENProcess 3bc -Pipe 374 -Comment "NGen Worker Process"
2⤵
PID:2040

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3c0 -Pipe 3cc -Comment "NGen Worker Process"
2⤵
PID:2372

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 388 -Pipe 3b8 -Comment "NGen Worker Process"
2⤵
PID:1904

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 3bc -Pipe 3c8 -Comment "NGen Worker Process"
2⤵
PID:2648

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3c0 -Pipe 3c4 -Comment "NGen Worker Process"
2⤵
PID:848

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 388 -Pipe 3b0 -Comment "NGen Worker Process"
2⤵
PID:808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3bc -Pipe 3d0 -Comment "NGen Worker Process"
2⤵
PID:1248

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3c0 -Pipe 3d4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2424

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3c0 -NGENProcess 3e4 -Pipe 388 -Comment "NGen Worker Process"
2⤵
PID:2496

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3f4 -NGENProcess 3bc -Pipe 3dc -Comment "NGen Worker Process"
2⤵
PID:1772

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3bc -NGENProcess 3ec -Pipe 3f0 -Comment "NGen Worker Process"
2⤵
PID:2340

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3fc -NGENProcess 3e4 -Pipe 3e8 -Comment "NGen Worker Process"
2⤵
PID:2228

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 3e4 -NGENProcess 3e0 -Pipe 408 -Comment "NGen Worker Process"
2⤵
PID:860

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3d8 -NGENProcess 404 -Pipe 3c0 -Comment "NGen Worker Process"
2⤵
PID:2492

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 40c -NGENProcess 3bc -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:2924

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 410 -NGENProcess 3e0 -Pipe 3f8 -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
PID:948

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 3e0 -NGENProcess 3d8 -Pipe 404 -Comment "NGen Worker Process"
2⤵
PID:1580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 418 -NGENProcess 3bc -Pipe 3fc -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
PID:360

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 3bc -NGENProcess 410 -Pipe 414 -Comment "NGen Worker Process"
2⤵
PID:2380

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 420 -NGENProcess 3d8 -Pipe 40c -Comment "NGen Worker Process"
2⤵
PID:1660

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 420 -NGENProcess 3bc -Pipe 41c -Comment "NGen Worker Process"
2⤵
PID:1560

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 3f4 -NGENProcess 3d8 -Pipe 3e0 -Comment "NGen Worker Process"
2⤵
PID:1496

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 3d8 -NGENProcess 3ec -Pipe 3f4 -Comment "NGen Worker Process"
2⤵
PID:1648

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 434 -NGENProcess 3e4 -Pipe 430 -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
PID:692

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 3e4 -NGENProcess 42c -Pipe 3bc -Comment "NGen Worker Process"
2⤵
PID:1776

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 43c -NGENProcess 3ec -Pipe 420 -Comment "NGen Worker Process"
2⤵
PID:1596

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 438 -Pipe 418 -Comment "NGen Worker Process"
2⤵
PID:2588

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 438 -NGENProcess 3e4 -Pipe 42c -Comment "NGen Worker Process"
2⤵
PID:1660

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 440 -NGENProcess 43c -Pipe 448 -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
PID:1168

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 43c -NGENProcess 3d8 -Pipe 3e4 -Comment "NGen Worker Process"
2⤵
PID:1848

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 450 -NGENProcess 438 -Pipe 428 -Comment "NGen Worker Process"
2⤵
PID:3016

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 454 -NGENProcess 410 -Pipe 44c -Comment "NGen Worker Process"
2⤵
PID:2636

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 458 -NGENProcess 3d8 -Pipe 3ec -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2960

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 45c -NGENProcess 438 -Pipe 434 -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
PID:632

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 438 -NGENProcess 454 -Pipe 410 -Comment "NGen Worker Process"
2⤵
PID:1920

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 464 -NGENProcess 3d8 -Pipe 43c -Comment "NGen Worker Process"
2⤵
PID:2232

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 468 -NGENProcess 460 -Pipe 450 -Comment "NGen Worker Process"
2⤵
PID:1648

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 46c -NGENProcess 454 -Pipe 458 -Comment "NGen Worker Process"
2⤵
PID:2856

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 470 -NGENProcess 3d8 -Pipe 440 -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
PID:884

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 470 -InterruptEvent 3d8 -NGENProcess 468 -Pipe 460 -Comment "NGen Worker Process"
2⤵
PID:2360

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 478 -NGENProcess 454 -Pipe 438 -Comment "NGen Worker Process"
2⤵
PID:1616

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 478 -InterruptEvent 47c -NGENProcess 474 -Pipe 464 -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2256

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 3d8 -NGENProcess 484 -Pipe 478 -Comment "NGen Worker Process"
2⤵
PID:832

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 46c -NGENProcess 474 -Pipe 45c -Comment "NGen Worker Process"
2⤵
PID:1848

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 480 -NGENProcess 48c -Pipe 3d8 -Comment "NGen Worker Process"
2⤵
PID:844

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 444 -NGENProcess 474 -Pipe 470 -Comment "NGen Worker Process"
2⤵
PID:2536

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 490 -InterruptEvent 488 -NGENProcess 494 -Pipe 480 -Comment "NGen Worker Process"
2⤵
PID:2228

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 454 -NGENProcess 474 -Pipe 468 -Comment "NGen Worker Process"
2⤵
PID:2928

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 498 -NGENProcess 444 -Pipe 484 -Comment "NGen Worker Process"
2⤵
PID:1496

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 498 -InterruptEvent 49c -NGENProcess 494 -Pipe 47c -Comment "NGen Worker Process"
2⤵
PID:1616

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 49c -InterruptEvent 4a0 -NGENProcess 474 -Pipe 46c -Comment "NGen Worker Process"
2⤵
PID:1488

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 4a4 -NGENProcess 444 -Pipe 490 -Comment "NGen Worker Process"
2⤵
PID:2232

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4a4 -InterruptEvent 4a8 -NGENProcess 494 -Pipe 488 -Comment "NGen Worker Process"
2⤵
PID:1580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4a8 -InterruptEvent 4b0 -NGENProcess 474 -Pipe 454 -Comment "NGen Worker Process"
2⤵
PID:1512

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4b0 -InterruptEvent 4ac -NGENProcess 444 -Pipe 498 -Comment "NGen Worker Process"
2⤵
PID:2744

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4ac -InterruptEvent 4b4 -NGENProcess 494 -Pipe 49c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2128

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4b4 -InterruptEvent 4b8 -NGENProcess 474 -Pipe 4a0 -Comment "NGen Worker Process"
2⤵
PID:1256

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4b8 -InterruptEvent 4bc -NGENProcess 444 -Pipe 4a4 -Comment "NGen Worker Process"
2⤵
PID:1556

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4bc -InterruptEvent 4c0 -NGENProcess 494 -Pipe 4a8 -Comment "NGen Worker Process"
2⤵
PID:2924

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4c0 -InterruptEvent 4c4 -NGENProcess 474 -Pipe 4b0 -Comment "NGen Worker Process"
2⤵
PID:2800

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4c4 -InterruptEvent 4c8 -NGENProcess 444 -Pipe 4ac -Comment "NGen Worker Process"
2⤵
PID:1516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4c8 -InterruptEvent 4cc -NGENProcess 494 -Pipe 4b4 -Comment "NGen Worker Process"
2⤵
PID:2668

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4cc -InterruptEvent 4d0 -NGENProcess 474 -Pipe 4b8 -Comment "NGen Worker Process"
2⤵
PID:844

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4d0 -InterruptEvent 4d4 -NGENProcess 444 -Pipe 4bc -Comment "NGen Worker Process"
2⤵
PID:2228

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4d4 -InterruptEvent 4d8 -NGENProcess 494 -Pipe 4c0 -Comment "NGen Worker Process"
2⤵
PID:2628

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4d8 -InterruptEvent 4dc -NGENProcess 474 -Pipe 4c4 -Comment "NGen Worker Process"
2⤵
PID:2292

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4dc -InterruptEvent 4e0 -NGENProcess 444 -Pipe 4c8 -Comment "NGen Worker Process"
2⤵
PID:1616

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4e0 -InterruptEvent 4e4 -NGENProcess 494 -Pipe 4cc -Comment "NGen Worker Process"
2⤵
PID:2940

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4e4 -InterruptEvent 4e8 -NGENProcess 474 -Pipe 4d0 -Comment "NGen Worker Process"
2⤵
PID:2800

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4e8 -InterruptEvent 4ec -NGENProcess 444 -Pipe 4d4 -Comment "NGen Worker Process"
2⤵
PID:1904

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4ec -InterruptEvent 4f0 -NGENProcess 494 -Pipe 4d8 -Comment "NGen Worker Process"
2⤵
PID:2536

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4f0 -InterruptEvent 4f4 -NGENProcess 474 -Pipe 4dc -Comment "NGen Worker Process"
2⤵
PID:3028

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4f4 -InterruptEvent 4f8 -NGENProcess 444 -Pipe 4e0 -Comment "NGen Worker Process"
2⤵
PID:2360

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4f8 -InterruptEvent 4fc -NGENProcess 494 -Pipe 4e4 -Comment "NGen Worker Process"
2⤵
PID:2596

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4fc -InterruptEvent 500 -NGENProcess 474 -Pipe 4e8 -Comment "NGen Worker Process"
2⤵
PID:1556

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 500 -InterruptEvent 504 -NGENProcess 444 -Pipe 4ec -Comment "NGen Worker Process"
2⤵
PID:568

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 504 -InterruptEvent 508 -NGENProcess 494 -Pipe 4f0 -Comment "NGen Worker Process"
2⤵
PID:1848

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 508 -InterruptEvent 50c -NGENProcess 474 -Pipe 4f4 -Comment "NGen Worker Process"
2⤵
PID:1664

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 50c -InterruptEvent 510 -NGENProcess 444 -Pipe 4f8 -Comment "NGen Worker Process"
2⤵
PID:2948

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 510 -InterruptEvent 514 -NGENProcess 494 -Pipe 4fc -Comment "NGen Worker Process"
2⤵
PID:2184

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 514 -InterruptEvent 518 -NGENProcess 474 -Pipe 500 -Comment "NGen Worker Process"
2⤵
PID:2136

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 518 -InterruptEvent 51c -NGENProcess 444 -Pipe 504 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1304

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 51c -InterruptEvent 520 -NGENProcess 494 -Pipe 508 -Comment "NGen Worker Process"
2⤵
PID:2964

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 520 -InterruptEvent 524 -NGENProcess 474 -Pipe 50c -Comment "NGen Worker Process"
2⤵
PID:1616

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 524 -InterruptEvent 528 -NGENProcess 444 -Pipe 510 -Comment "NGen Worker Process"
2⤵
PID:2076

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 528 -InterruptEvent 52c -NGENProcess 494 -Pipe 514 -Comment "NGen Worker Process"
2⤵
PID:3052

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 52c -InterruptEvent 530 -NGENProcess 474 -Pipe 518 -Comment "NGen Worker Process"
2⤵
PID:2160

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 530 -InterruptEvent 534 -NGENProcess 444 -Pipe 51c -Comment "NGen Worker Process"
2⤵
PID:2652

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 534 -InterruptEvent 538 -NGENProcess 494 -Pipe 520 -Comment "NGen Worker Process"
2⤵
PID:1200

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 538 -InterruptEvent 53c -NGENProcess 474 -Pipe 524 -Comment "NGen Worker Process"
2⤵
PID:1760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 53c -InterruptEvent 540 -NGENProcess 444 -Pipe 528 -Comment "NGen Worker Process"
2⤵
PID:1684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 540 -InterruptEvent 544 -NGENProcess 494 -Pipe 52c -Comment "NGen Worker Process"
2⤵
PID:1488

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 544 -InterruptEvent 548 -NGENProcess 474 -Pipe 530 -Comment "NGen Worker Process"
2⤵
PID:932

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 548 -InterruptEvent 54c -NGENProcess 444 -Pipe 534 -Comment "NGen Worker Process"
2⤵
PID:1616

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 54c -InterruptEvent 550 -NGENProcess 494 -Pipe 538 -Comment "NGen Worker Process"
2⤵
PID:744

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 550 -InterruptEvent 554 -NGENProcess 474 -Pipe 53c -Comment "NGen Worker Process"
2⤵
PID:3052

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 558 -InterruptEvent 554 -NGENProcess 550 -Pipe 444 -Comment "NGen Worker Process"
2⤵
PID:2316

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 554 -InterruptEvent 540 -NGENProcess 474 -Pipe 544 -Comment "NGen Worker Process"
2⤵
PID:2360

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 540 -InterruptEvent 560 -NGENProcess 54c -Pipe 48c -Comment "NGen Worker Process"
2⤵
PID:328

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 560 -InterruptEvent 564 -NGENProcess 550 -Pipe 55c -Comment "NGen Worker Process"
2⤵
PID:2496

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 564 -InterruptEvent 568 -NGENProcess 474 -Pipe 548 -Comment "NGen Worker Process"
2⤵
PID:1684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 568 -InterruptEvent 56c -NGENProcess 54c -Pipe 558 -Comment "NGen Worker Process"
2⤵
PID:944

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 56c -InterruptEvent 570 -NGENProcess 550 -Pipe 554 -Comment "NGen Worker Process"
2⤵
PID:2024

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 570 -InterruptEvent 574 -NGENProcess 474 -Pipe 540 -Comment "NGen Worker Process"
2⤵
PID:1312

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 574 -InterruptEvent 57c -NGENProcess 54c -Pipe 578 -Comment "NGen Worker Process"
2⤵
PID:744

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 57c -InterruptEvent 560 -NGENProcess 494 -Pipe 550 -Comment "NGen Worker Process"
2⤵
PID:2120

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 560 -InterruptEvent 580 -NGENProcess 568 -Pipe 564 -Comment "NGen Worker Process"
2⤵
PID:2960

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 580 -InterruptEvent 584 -NGENProcess 54c -Pipe 56c -Comment "NGen Worker Process"
2⤵
PID:2360

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 584 -InterruptEvent 588 -NGENProcess 494 -Pipe 570 -Comment "NGen Worker Process"
2⤵
PID:632

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 588 -InterruptEvent 58c -NGENProcess 568 -Pipe 574 -Comment "NGen Worker Process"
2⤵
PID:2496

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 58c -InterruptEvent 590 -NGENProcess 54c -Pipe 57c -Comment "NGen Worker Process"
2⤵
PID:1672

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 590 -InterruptEvent 594 -NGENProcess 494 -Pipe 560 -Comment "NGen Worker Process"
2⤵
PID:944

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 594 -InterruptEvent 598 -NGENProcess 568 -Pipe 580 -Comment "NGen Worker Process"
2⤵
PID:2820

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 598 -InterruptEvent 59c -NGENProcess 54c -Pipe 584 -Comment "NGen Worker Process"
2⤵
PID:808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 59c -InterruptEvent 5a0 -NGENProcess 494 -Pipe 588 -Comment "NGen Worker Process"
2⤵
PID:1200

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5a0 -InterruptEvent 5a4 -NGENProcess 568 -Pipe 58c -Comment "NGen Worker Process"
2⤵
PID:1304

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5a4 -InterruptEvent 5a8 -NGENProcess 54c -Pipe 590 -Comment "NGen Worker Process"
2⤵
PID:992

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5a8 -InterruptEvent 5ac -NGENProcess 494 -Pipe 594 -Comment "NGen Worker Process"
2⤵
PID:1652

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5b0 -InterruptEvent 5ac -NGENProcess 5a8 -Pipe 568 -Comment "NGen Worker Process"
2⤵
PID:2256

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5ac -InterruptEvent 598 -NGENProcess 494 -Pipe 59c -Comment "NGen Worker Process"
2⤵
PID:716

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5b8 -InterruptEvent 598 -NGENProcess 5ac -Pipe 5a4 -Comment "NGen Worker Process"
2⤵
PID:1536

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 598 -InterruptEvent 474 -NGENProcess 494 -Pipe 5b4 -Comment "NGen Worker Process"
2⤵
PID:2772

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 5c0 -NGENProcess 5b0 -Pipe 54c -Comment "NGen Worker Process"
2⤵
PID:2620

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5c0 -InterruptEvent 5c4 -NGENProcess 5ac -Pipe 5bc -Comment "NGen Worker Process"
2⤵
PID:2920

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5c4 -InterruptEvent 5c8 -NGENProcess 494 -Pipe 5a0 -Comment "NGen Worker Process"
2⤵
PID:1908

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5c8 -InterruptEvent 5cc -NGENProcess 5b0 -Pipe 5b8 -Comment "NGen Worker Process"
2⤵
PID:2808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5cc -InterruptEvent 5d0 -NGENProcess 5ac -Pipe 598 -Comment "NGen Worker Process"
2⤵
PID:1680

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5d0 -InterruptEvent 5d4 -NGENProcess 494 -Pipe 474 -Comment "NGen Worker Process"
2⤵
PID:1244

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5d4 -InterruptEvent 5d8 -NGENProcess 5b0 -Pipe 5c0 -Comment "NGen Worker Process"
2⤵
PID:1104

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5d8 -InterruptEvent 5dc -NGENProcess 5ac -Pipe 5c4 -Comment "NGen Worker Process"
2⤵
PID:2380

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5dc -InterruptEvent 5e0 -NGENProcess 494 -Pipe 5c8 -Comment "NGen Worker Process"
2⤵
PID:1808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5e0 -InterruptEvent 5e4 -NGENProcess 5b0 -Pipe 5cc -Comment "NGen Worker Process"
2⤵
PID:2292

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5e4 -InterruptEvent 5e8 -NGENProcess 5ac -Pipe 5d0 -Comment "NGen Worker Process"
2⤵
PID:1760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5e8 -InterruptEvent 5ec -NGENProcess 494 -Pipe 5d4 -Comment "NGen Worker Process"
2⤵
PID:2152

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5ec -InterruptEvent 5f0 -NGENProcess 5b0 -Pipe 5d8 -Comment "NGen Worker Process"
2⤵
PID:1248

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5f0 -InterruptEvent 5f4 -NGENProcess 5ac -Pipe 5dc -Comment "NGen Worker Process"
2⤵
PID:1652

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5f4 -InterruptEvent 5f8 -NGENProcess 494 -Pipe 5e0 -Comment "NGen Worker Process"
2⤵
PID:2256

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5f8 -InterruptEvent 5fc -NGENProcess 5b0 -Pipe 5e4 -Comment "NGen Worker Process"
2⤵
PID:2332

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5fc -InterruptEvent 600 -NGENProcess 5ac -Pipe 5e8 -Comment "NGen Worker Process"
2⤵
PID:2184

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 600 -InterruptEvent 604 -NGENProcess 494 -Pipe 5ec -Comment "NGen Worker Process"
2⤵
PID:744

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 604 -InterruptEvent 608 -NGENProcess 5b0 -Pipe 5f0 -Comment "NGen Worker Process"
2⤵
PID:1200

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 608 -InterruptEvent 60c -NGENProcess 5ac -Pipe 5f4 -Comment "NGen Worker Process"
2⤵
PID:2588

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 60c -InterruptEvent 610 -NGENProcess 494 -Pipe 5f8 -Comment "NGen Worker Process"
2⤵
PID:1908

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 610 -InterruptEvent 614 -NGENProcess 5b0 -Pipe 5fc -Comment "NGen Worker Process"
2⤵
PID:2496

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 614 -InterruptEvent 618 -NGENProcess 5ac -Pipe 600 -Comment "NGen Worker Process"
2⤵
PID:1064

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 618 -InterruptEvent 61c -NGENProcess 494 -Pipe 604 -Comment "NGen Worker Process"
2⤵
PID:2044

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 61c -InterruptEvent 620 -NGENProcess 5b0 -Pipe 608 -Comment "NGen Worker Process"
2⤵
PID:2668

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 620 -InterruptEvent 624 -NGENProcess 5ac -Pipe 60c -Comment "NGen Worker Process"
2⤵
PID:2524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 624 -InterruptEvent 628 -NGENProcess 494 -Pipe 610 -Comment "NGen Worker Process"
2⤵
PID:2832

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 628 -InterruptEvent 62c -NGENProcess 5b0 -Pipe 614 -Comment "NGen Worker Process"
2⤵
PID:2388

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 62c -InterruptEvent 630 -NGENProcess 5ac -Pipe 618 -Comment "NGen Worker Process"
2⤵
PID:632

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 630 -InterruptEvent 634 -NGENProcess 494 -Pipe 61c -Comment "NGen Worker Process"
2⤵
PID:2444

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 634 -InterruptEvent 638 -NGENProcess 62c -Pipe 628 -Comment "NGen Worker Process"
2⤵
PID:320

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 638 -InterruptEvent 620 -NGENProcess 494 -Pipe 624 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:360

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 640 -InterruptEvent 634 -NGENProcess 644 -Pipe 638 -Comment "NGen Worker Process"
2⤵
PID:2800

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 634 -InterruptEvent 5a8 -NGENProcess 494 -Pipe 63c -Comment "NGen Worker Process"
2⤵
PID:1104

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5a8 -InterruptEvent 494 -NGENProcess 630 -Pipe 64c -Comment "NGen Worker Process"
2⤵
PID:2180

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 494 -InterruptEvent 5ac -NGENProcess 648 -Pipe 5b0 -Comment "NGen Worker Process"
2⤵
PID:2012

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 650 -InterruptEvent 5ac -NGENProcess 494 -Pipe 634 -Comment "NGen Worker Process"
2⤵
PID:480

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 5ac -InterruptEvent 62c -NGENProcess 648 -Pipe 620 -Comment "NGen Worker Process"
2⤵
PID:2708

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 658 -InterruptEvent 650 -NGENProcess 65c -Pipe 5ac -Comment "NGen Worker Process"
2⤵
PID:1168

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 650 -InterruptEvent 644 -NGENProcess 648 -Pipe 654 -Comment "NGen Worker Process"
2⤵
PID:932

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 644 -InterruptEvent 660 -NGENProcess 62c -Pipe 630 -Comment "NGen Worker Process"
2⤵
PID:1904

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 660 -InterruptEvent 664 -NGENProcess 65c -Pipe 640 -Comment "NGen Worker Process"
2⤵
PID:1896

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 664 -InterruptEvent 668 -NGENProcess 648 -Pipe 5a8 -Comment "NGen Worker Process"
2⤵
PID:1496

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 668 -InterruptEvent 66c -NGENProcess 62c -Pipe 658 -Comment "NGen Worker Process"
2⤵
PID:1560

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 66c -InterruptEvent 670 -NGENProcess 65c -Pipe 650 -Comment "NGen Worker Process"
2⤵
PID:1436

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 670 -InterruptEvent 674 -NGENProcess 648 -Pipe 644 -Comment "NGen Worker Process"
2⤵
PID:2808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 674 -InterruptEvent 678 -NGENProcess 62c -Pipe 660 -Comment "NGen Worker Process"
2⤵
PID:1580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 678 -InterruptEvent 67c -NGENProcess 65c -Pipe 664 -Comment "NGen Worker Process"
2⤵
PID:2972

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 62c -InterruptEvent 678 -NGENProcess 668 -Pipe 65c -Comment "NGen Worker Process"
2⤵
PID:2044

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 678 -InterruptEvent 668 -NGENProcess 67c -Pipe 494 -Comment "NGen Worker Process"
2⤵
PID:284

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 668 -InterruptEvent 6a0 -NGENProcess 68c -Pipe 694 -Comment "NGen Worker Process"
2⤵
PID:1316

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6a0 -InterruptEvent 68c -NGENProcess 678 -Pipe 69c -Comment "NGen Worker Process"
2⤵
PID:2192

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 68c -InterruptEvent 6a8 -NGENProcess 67c -Pipe 62c -Comment "NGen Worker Process"
2⤵
PID:2952

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6a8 -InterruptEvent 6ac -NGENProcess 6a4 -Pipe 698 -Comment "NGen Worker Process"
2⤵
PID:2496

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6b0 -InterruptEvent 6ac -NGENProcess 6a8 -Pipe 678 -Comment "NGen Worker Process"
2⤵
PID:848

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6ac -InterruptEvent 668 -NGENProcess 6a4 -Pipe 688 -Comment "NGen Worker Process"
2⤵
PID:2972

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 668 -InterruptEvent 6b8 -NGENProcess 68c -Pipe 690 -Comment "NGen Worker Process"
2⤵
PID:2264

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6b8 -InterruptEvent 6bc -NGENProcess 6a8 -Pipe 6b4 -Comment "NGen Worker Process"
2⤵
PID:2824

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6bc -InterruptEvent 6c0 -NGENProcess 6a4 -Pipe 6a0 -Comment "NGen Worker Process"
2⤵
PID:2120

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6c0 -InterruptEvent 6c4 -NGENProcess 68c -Pipe 6b0 -Comment "NGen Worker Process"
2⤵
PID:2228

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6c4 -InterruptEvent 68c -NGENProcess 6b8 -Pipe 6cc -Comment "NGen Worker Process"
2⤵
PID:336

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 68c -InterruptEvent 6ac -NGENProcess 6c8 -Pipe 668 -Comment "NGen Worker Process"
2⤵
PID:2812

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6d0 -InterruptEvent 6ac -NGENProcess 68c -Pipe 6c0 -Comment "NGen Worker Process"
2⤵
PID:2348

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6ac -InterruptEvent 67c -NGENProcess 6c8 -Pipe 6a8 -Comment "NGen Worker Process"
2⤵
PID:1488

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6d8 -InterruptEvent 67c -NGENProcess 6ac -Pipe 6c4 -Comment "NGen Worker Process"
2⤵
PID:860

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 67c -InterruptEvent 6a4 -NGENProcess 6c8 -Pipe 6d4 -Comment "NGen Worker Process"
2⤵
PID:2616

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6a4 -InterruptEvent 6e0 -NGENProcess 6d0 -Pipe 6b8 -Comment "NGen Worker Process"
2⤵
PID:2668

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6e0 -InterruptEvent 6e4 -NGENProcess 6ac -Pipe 6dc -Comment "NGen Worker Process"
2⤵
PID:2836

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6e4 -InterruptEvent 6e8 -NGENProcess 6c8 -Pipe 6bc -Comment "NGen Worker Process"
2⤵
PID:1496

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6e8 -InterruptEvent 6ec -NGENProcess 6d0 -Pipe 6d8 -Comment "NGen Worker Process"
2⤵
PID:2880

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6ec -InterruptEvent 6f0 -NGENProcess 6ac -Pipe 67c -Comment "NGen Worker Process"
2⤵
PID:336

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6f0 -InterruptEvent 6f4 -NGENProcess 6c8 -Pipe 6a4 -Comment "NGen Worker Process"
2⤵
PID:1652

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6f4 -InterruptEvent 6f8 -NGENProcess 6d0 -Pipe 6e0 -Comment "NGen Worker Process"
2⤵
PID:2348

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6f8 -InterruptEvent 6fc -NGENProcess 6ac -Pipe 6e4 -Comment "NGen Worker Process"
2⤵
PID:1972

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6fc -InterruptEvent 700 -NGENProcess 6c8 -Pipe 6e8 -Comment "NGen Worker Process"
2⤵
PID:948

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 700 -InterruptEvent 704 -NGENProcess 6d0 -Pipe 6ec -Comment "NGen Worker Process"
2⤵
PID:2616

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 704 -InterruptEvent 708 -NGENProcess 6ac -Pipe 6f0 -Comment "NGen Worker Process"
2⤵
PID:1436

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 708 -InterruptEvent 70c -NGENProcess 6c8 -Pipe 6f4 -Comment "NGen Worker Process"
2⤵
PID:1800

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 710 -InterruptEvent 70c -NGENProcess 708 -Pipe 6d0 -Comment "NGen Worker Process"
2⤵
PID:1476

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 70c -InterruptEvent 6f8 -NGENProcess 6c8 -Pipe 6fc -Comment "NGen Worker Process"
2⤵
PID:2880

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6f8 -InterruptEvent 718 -NGENProcess 704 -Pipe 68c -Comment "NGen Worker Process"
2⤵
PID:1244

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 718 -InterruptEvent 71c -NGENProcess 708 -Pipe 714 -Comment "NGen Worker Process"
2⤵
PID:1616

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 720 -InterruptEvent 6f8 -NGENProcess 724 -Pipe 718 -Comment "NGen Worker Process"
2⤵
PID:2024

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 6f8 -InterruptEvent 700 -NGENProcess 708 -Pipe 710 -Comment "NGen Worker Process"
2⤵
PID:2284

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 700 -InterruptEvent 728 -NGENProcess 71c -Pipe 6ac -Comment "NGen Worker Process"
2⤵
PID:1556

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 728 -InterruptEvent 72c -NGENProcess 724 -Pipe 70c -Comment "NGen Worker Process"
2⤵
PID:2628

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 72c -InterruptEvent 730 -NGENProcess 708 -Pipe 6c8 -Comment "NGen Worker Process"
2⤵
PID:2012

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 730 -InterruptEvent 734 -NGENProcess 71c -Pipe 720 -Comment "NGen Worker Process"
2⤵
PID:1588

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 734 -InterruptEvent 738 -NGENProcess 724 -Pipe 6f8 -Comment "NGen Worker Process"
2⤵
PID:2948

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 738 -InterruptEvent 73c -NGENProcess 708 -Pipe 700 -Comment "NGen Worker Process"
2⤵
PID:892

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 73c -InterruptEvent 740 -NGENProcess 71c -Pipe 728 -Comment "NGen Worker Process"
2⤵
PID:1732

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 740 -InterruptEvent 744 -NGENProcess 724 -Pipe 72c -Comment "NGen Worker Process"
2⤵
PID:2040

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 744 -InterruptEvent 748 -NGENProcess 708 -Pipe 730 -Comment "NGen Worker Process"
2⤵
PID:2824

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 748 -InterruptEvent 74c -NGENProcess 71c -Pipe 734 -Comment "NGen Worker Process"
2⤵
PID:2920

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 74c -InterruptEvent 750 -NGENProcess 744 -Pipe 740 -Comment "NGen Worker Process"
2⤵
PID:1608

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 750 -InterruptEvent 738 -NGENProcess 71c -Pipe 73c -Comment "NGen Worker Process"
2⤵
PID:1272

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 738 -InterruptEvent 758 -NGENProcess 748 -Pipe 704 -Comment "NGen Worker Process"
2⤵
PID:2012

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 758 -InterruptEvent 75c -NGENProcess 744 -Pipe 754 -Comment "NGen Worker Process"
2⤵
PID:2880

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 75c -InterruptEvent 760 -NGENProcess 71c -Pipe 724 -Comment "NGen Worker Process"
2⤵
PID:1516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 760 -InterruptEvent 764 -NGENProcess 748 -Pipe 74c -Comment "NGen Worker Process"
2⤵
PID:2636

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 764 -InterruptEvent 768 -NGENProcess 744 -Pipe 750 -Comment "NGen Worker Process"
2⤵
PID:2256

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 768 -InterruptEvent 76c -NGENProcess 71c -Pipe 738 -Comment "NGen Worker Process"
2⤵
PID:1100

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 76c -InterruptEvent 770 -NGENProcess 748 -Pipe 758 -Comment "NGen Worker Process"
2⤵
PID:2824

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 770 -InterruptEvent 774 -NGENProcess 744 -Pipe 75c -Comment "NGen Worker Process"
2⤵
PID:2120

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 774 -InterruptEvent 778 -NGENProcess 71c -Pipe 760 -Comment "NGen Worker Process"
2⤵
PID:692

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 778 -InterruptEvent 77c -NGENProcess 748 -Pipe 764 -Comment "NGen Worker Process"
2⤵
PID:1588

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 77c -InterruptEvent 780 -NGENProcess 744 -Pipe 768 -Comment "NGen Worker Process"
2⤵
PID:2584

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 780 -InterruptEvent 784 -NGENProcess 71c -Pipe 76c -Comment "NGen Worker Process"
2⤵
PID:2880

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 784 -InterruptEvent 788 -NGENProcess 748 -Pipe 770 -Comment "NGen Worker Process"
2⤵
PID:2940

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 788 -InterruptEvent 78c -NGENProcess 744 -Pipe 774 -Comment "NGen Worker Process"
2⤵
PID:2636

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 78c -InterruptEvent 790 -NGENProcess 71c -Pipe 778 -Comment "NGen Worker Process"
2⤵
PID:1920

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 790 -InterruptEvent 794 -NGENProcess 748 -Pipe 77c -Comment "NGen Worker Process"
2⤵
PID:2080

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 794 -InterruptEvent 798 -NGENProcess 744 -Pipe 780 -Comment "NGen Worker Process"
2⤵
PID:1496

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 798 -InterruptEvent 79c -NGENProcess 71c -Pipe 784 -Comment "NGen Worker Process"
2⤵
PID:2648

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 79c -InterruptEvent 71c -NGENProcess 790 -Pipe 7a4 -Comment "NGen Worker Process"
2⤵
PID:480

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 71c -InterruptEvent 788 -NGENProcess 7a0 -Pipe 78c -Comment "NGen Worker Process"
2⤵
PID:2204

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 71c -InterruptEvent 18c -NGENProcess 79c -Pipe 798 -Comment "NGen Worker Process"
2⤵
PID:2596

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 18c -InterruptEvent 744 -NGENProcess 788 -Pipe 794 -Comment "NGen Worker Process"
2⤵
PID:2880

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 744 -InterruptEvent 7ac -NGENProcess 708 -Pipe 748 -Comment "NGen Worker Process"
2⤵
PID:2712

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 7ac -InterruptEvent 7a0 -NGENProcess 790 -Pipe 79c -Comment "NGen Worker Process"
2⤵
PID:540

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 7a0 -InterruptEvent 7b4 -NGENProcess 7a8 -Pipe 7b0 -Comment "NGen Worker Process"
2⤵
PID:2628

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 7b4 -InterruptEvent 744 -NGENProcess 788 -Pipe 190 -Comment "NGen Worker Process"
2⤵
PID:1600

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 744 -InterruptEvent 71c -NGENProcess 708 -Pipe 790 -Comment "NGen Worker Process"
2⤵
PID:1392

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 71c -InterruptEvent 7b8 -NGENProcess 7a8 -Pipe 144 -Comment "NGen Worker Process"
2⤵
PID:992

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 7b8 -InterruptEvent 7a8 -NGENProcess 7b4 -Pipe 7c0 -Comment "NGen Worker Process"
2⤵
PID:2076

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 7a8 -InterruptEvent 7ac -NGENProcess 7bc -Pipe 7a0 -Comment "NGen Worker Process"
2⤵
PID:2620

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 7ac -InterruptEvent 7c4 -NGENProcess 71c -Pipe 18c -Comment "NGen Worker Process"
2⤵
PID:2940

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 7c4 -InterruptEvent 7c8 -NGENProcess 7b4 -Pipe 788 -Comment "NGen Worker Process"
2⤵
PID:2280

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 7c8 -InterruptEvent 7cc -NGENProcess 7bc -Pipe 744 -Comment "NGen Worker Process"
2⤵
PID:2920

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 7cc -InterruptEvent 7d0 -NGENProcess 71c -Pipe 7b8 -Comment "NGen Worker Process"
2⤵
PID:2712

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 7d0 -InterruptEvent 7d4 -NGENProcess 7b4 -Pipe 7a8 -Comment "NGen Worker Process"
2⤵
PID:924

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 7d4 -InterruptEvent 7d8 -NGENProcess 7bc -Pipe 7ac -Comment "NGen Worker Process"
2⤵
PID:2952

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 7d8 -InterruptEvent 7dc -NGENProcess 71c -Pipe 7c4 -Comment "NGen Worker Process"
2⤵
PID:1852

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 7dc -InterruptEvent 7e0 -NGENProcess 7b4 -Pipe 7c8 -Comment "NGen Worker Process"
2⤵
PID:2792

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 7e0 -InterruptEvent 7e4 -NGENProcess 7bc -Pipe 7cc -Comment "NGen Worker Process"
2⤵
PID:1796

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 7e4 -InterruptEvent 7e8 -NGENProcess 71c -Pipe 7d0 -Comment "NGen Worker Process"
2⤵
PID:2620

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 7e8 -InterruptEvent 7ec -NGENProcess 7b4 -Pipe 7d4 -Comment "NGen Worker Process"
2⤵
PID:1684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 7ec -InterruptEvent 7f0 -NGENProcess 7bc -Pipe 7d8 -Comment "NGen Worker Process"
2⤵
PID:328

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 7f0 -InterruptEvent 7f4 -NGENProcess 71c -Pipe 7dc -Comment "NGen Worker Process"
2⤵
PID:1664

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 7f4 -InterruptEvent 7f8 -NGENProcess 7b4 -Pipe 7e0 -Comment "NGen Worker Process"
2⤵
PID:2360

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 7f8 -InterruptEvent 7fc -NGENProcess 7bc -Pipe 7e4 -Comment "NGen Worker Process"
2⤵
PID:1044

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 7fc -InterruptEvent 804 -NGENProcess 71c -Pipe 7e8 -Comment "NGen Worker Process"
2⤵
PID:3052

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 804 -InterruptEvent 808 -NGENProcess 7b4 -Pipe 7ec -Comment "NGen Worker Process"
2⤵
PID:2760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 808 -InterruptEvent 80c -NGENProcess 7bc -Pipe 7f0 -Comment "NGen Worker Process"
2⤵
PID:2024

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 80c -InterruptEvent 810 -NGENProcess 71c -Pipe 7f4 -Comment "NGen Worker Process"
2⤵
PID:1556

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 810 -InterruptEvent 814 -NGENProcess 7b4 -Pipe 7f8 -Comment "NGen Worker Process"
2⤵
PID:2940

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 814 -InterruptEvent 818 -NGENProcess 7bc -Pipe 7fc -Comment "NGen Worker Process"
2⤵
PID:744

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 818 -InterruptEvent 81c -NGENProcess 71c -Pipe 804 -Comment "NGen Worker Process"
2⤵
PID:2520

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 81c -InterruptEvent 820 -NGENProcess 7b4 -Pipe 808 -Comment "NGen Worker Process"
2⤵
PID:848

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 820 -InterruptEvent 824 -NGENProcess 7bc -Pipe 80c -Comment "NGen Worker Process"
2⤵
PID:2496

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 824 -InterruptEvent 828 -NGENProcess 71c -Pipe 810 -Comment "NGen Worker Process"
2⤵
PID:980

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 828 -InterruptEvent 82c -NGENProcess 7b4 -Pipe 814 -Comment "NGen Worker Process"
2⤵
PID:1516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 82c -InterruptEvent 830 -NGENProcess 7bc -Pipe 818 -Comment "NGen Worker Process"
2⤵
PID:2760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 830 -InterruptEvent 834 -NGENProcess 71c -Pipe 81c -Comment "NGen Worker Process"
2⤵
PID:2492

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 834 -InterruptEvent 838 -NGENProcess 7b4 -Pipe 820 -Comment "NGen Worker Process"
2⤵
PID:2824

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 838 -InterruptEvent 83c -NGENProcess 7bc -Pipe 824 -Comment "NGen Worker Process"
2⤵
PID:632

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 83c -InterruptEvent 840 -NGENProcess 71c -Pipe 828 -Comment "NGen Worker Process"
2⤵
PID:2744

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 840 -InterruptEvent 844 -NGENProcess 7b4 -Pipe 82c -Comment "NGen Worker Process"
2⤵
PID:2648

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 844 -InterruptEvent 848 -NGENProcess 7bc -Pipe 830 -Comment "NGen Worker Process"
2⤵
PID:2220

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 848 -InterruptEvent 84c -NGENProcess 71c -Pipe 834 -Comment "NGen Worker Process"
2⤵
PID:1044

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 84c -InterruptEvent 71c -NGENProcess 840 -Pipe 854 -Comment "NGen Worker Process"
2⤵
PID:2044

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 71c -InterruptEvent 838 -NGENProcess 850 -Pipe 83c -Comment "NGen Worker Process"
2⤵
PID:2804

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 838 -InterruptEvent 858 -NGENProcess 848 -Pipe 708 -Comment "NGen Worker Process"
2⤵
PID:988

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 858 -InterruptEvent 85c -NGENProcess 840 -Pipe 844 -Comment "NGen Worker Process"
2⤵
PID:1556

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 85c -InterruptEvent 864 -NGENProcess 850 -Pipe 860 -Comment "NGen Worker Process"
2⤵
PID:2244

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 864 -InterruptEvent 7b4 -NGENProcess 7bc -Pipe 848 -Comment "NGen Worker Process"
2⤵
PID:2480

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 7b4 -InterruptEvent 868 -NGENProcess 838 -Pipe 84c -Comment "NGen Worker Process"
2⤵
PID:2120

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 868 -InterruptEvent 86c -NGENProcess 850 -Pipe 71c -Comment "NGen Worker Process"
2⤵
PID:1924

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 86c -InterruptEvent 870 -NGENProcess 7bc -Pipe 858 -Comment "NGen Worker Process"
2⤵
PID:1040

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 870 -InterruptEvent 874 -NGENProcess 838 -Pipe 85c -Comment "NGen Worker Process"
2⤵
PID:2032

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 874 -InterruptEvent 878 -NGENProcess 850 -Pipe 864 -Comment "NGen Worker Process"
2⤵
PID:2720

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 878 -InterruptEvent 87c -NGENProcess 7bc -Pipe 7b4 -Comment "NGen Worker Process"
2⤵
PID:1536

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 87c -InterruptEvent 880 -NGENProcess 838 -Pipe 868 -Comment "NGen Worker Process"
2⤵
PID:948

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 878 -InterruptEvent 850 -NGENProcess 86c -Pipe 884 -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
PID:1248

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 880 -InterruptEvent 7bc -NGENProcess 870 -Pipe 888 -Comment "NGen Worker Process"
2⤵
PID:2788

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 850 -InterruptEvent 838 -NGENProcess 874 -Pipe 88c -Comment "NGen Worker Process"
2⤵
PID:1052

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 7bc -InterruptEvent 840 -NGENProcess 878 -Pipe 890 -Comment "NGen Worker Process"
2⤵
- Drops file in Windows directory
PID:2536

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:1608

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2256

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:884

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:452

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1348

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1808

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2056

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2540

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2816

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2472

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2456

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2892

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1668

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2660

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
2⤵
PID:1292

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Filesize
1.6MB

MD5
8c8c220c7a597c06e599d976ca31e46d

SHA1
7fe0455230c7a571c79b069b85df816f7e604372

SHA256
b33f0f4e8b67b2d4ca23b68c839253d5b892e0969e69143e9d3f19181f85f974

SHA512
e7675d02cb5ab830e7c76362f66262b18369108713c895dcc3372e7b7d969825fd4cae4b673e437793d376245399de17591ca04beeab75148b3432b22b04fc54

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Filesize
1.6MB

MD5
1721c86a17a6af3fc76549606e7870ed

SHA1
9170a04a25792713cb384b7f136fac7c27ee60fb

SHA256
e04494d3e9a1fe63b28e5f3b2bc6c3967caeb90cee5548ac56b353479b440de4

SHA512
666721cf6b4049e182a4d35397c413c02a3af5ed36a4b61f1d206cc10485c83cbbf8c8ec11238094faf77be24092d2fb3638dcc9f5b7de1042263300e8c6fe31

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
Filesize
1.3MB

MD5
65d77bd83acc44444201609730addf50

SHA1
0f8d664b19f170d93af30a71ac162552e34d87ef

SHA256
d51ad33d96a20be60b7efd4ec02bcf6013fed6a36bbf3622356ee804334073a0

SHA512
4d1f7b86cdee64f385562db8a76455777572cf62c49d20fa5f40b3387c7a53a723f23bc76cf1cb6d6fee186da2f4ebe0b51516e52da090f10ec1fbecadb71d1f

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
Filesize
1.9MB

MD5
a21767ace35fc9b93fd0ce67fa2a1525

SHA1
6d399c7c6c2b35fce7861a15692cad4a87c97a69

SHA256
fc476df8c977da0fca0af7cb3f03083c9c5e68e97cf5e8aa33c453cca50ef953

SHA512
23c5877b8df484f1e6fcf06e70eeabb8ab33d332b83ae55152fc6d0faef5e3c7601ed67efd250d3179cc78a490f54284f39cc09b00be6ef717c3cf502e9fde16

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.6MB

MD5
812ebdbe909ba52dc6d1cb0105d3476d

SHA1
f0f733e86d6d3d793af63075026b8f01a4a008a5

SHA256
c71a08b2d782d3ebb182aed17dadb71fcb2ccf57663c42dc73b643a11327f9b5

SHA512
3e31701b8e9a0da001354d67fdfed88fb128fc37ab4d30261c37096244bd27021bc5ccd8c975fcd4a909f90bb97847dc0c14a669ee0dd441be1bd11c00d94b02

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
e8f7ff522d1a34b727d27c1fefd485ba

SHA1
7552b0a7f2378984bb2a3a581611a52b88b01692

SHA256
5ece90623fd647b58a7bc71b883e914e3b3e4230cd63227e8ebb6eb8a0f0b326

SHA512
e672aa0afa30060174c8f148da2d7b3030cd9fe257c816449f19c566ef46d2f9ef28821fb82682c57b1fa92323a20a428582b5cc3fbb68844e623da4502e9c45

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.6MB

MD5
e749728ae41e4348930733812f552b36

SHA1
a0e7d18a0770126624feec3da2a4a14fe126fe89

SHA256
c99189023dd267aa198ac2d85d09ae1e8c6af62c345934b784dbaba873f9eee8

SHA512
ae5a167d9c77a740a0881de3ee525613ad2828b4fc2006be20d9d6e9c0fdb2c33006355afae2c02f60a776f500e54065f023b50169d92e46ed472188f5ba22f2

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
ace8da092a931764e7a6baa43d466570

SHA1
d3268ef64a35a8bccd3c05bbffd430f67b1ae8d9

SHA256
e8264ed3bfd6d55b909aa42a5d2d64bf79990191dd8141e79e29417105682064

SHA512
de19b4766732058d4364062a64df55574686849b654c122ae79db9b1db91b6879e268c1cb28ac1f93581e3cb2abcfe3d4f1e3e80fdb4e8aa509e266b44c7c599

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
798588d1fc6562f4dea5aa167b1fa992

SHA1
29e2c3de4112bd20d2b001721f1d0a319b3682c0

SHA256
fb6d41755d6cd1dd7fb8391ca2ba61e08f93430dd9579674bf2db92564eb56c7

SHA512
486ea83a6d5f9e88f0d2c42256660e2402562275778e53e3d2b4c8d7fb99bc9508432095d437b86f05dae8f45d142544e7fe6d3449e5a6eea46988f2d04acbe5

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
eba168f6a83f23698b2ff08cb207afd5

SHA1
d3b033201c178781f4bfab33defe00e932ec2d20

SHA256
9a8ab6a579a7b82ff1c315a4af7ebceca460bb78363a0f81d704fda17140bccd

SHA512
b3ebf7b65289fd36f8b11468f0b31caede4ea9d25f36d0c362530947d576e6fffef2f9126c0de106b759ad13cac31d9929bc5e6aba6669fb25fbe0959d1ab0f5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
8bfd6dbbc778ba3052dc349d94549b46

SHA1
9074ca1d4266408b1efc90649759ef5288105c87

SHA256
ebdfedc3d7b52db46ff4e4cf5872a06e722e89d4d724763792d63ebbb1f0cee9

SHA512
7af7d56ed0047183af0b41efe1df2673d84238e287c38083dd01921efee3cb44d57221e74a9f0eb09d7781b00291fe9e5cfd6296f466eed5c2c166bcef2f4e91

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
32601f56efd3f94da6b0b7169dd98643

SHA1
5c1ab0b54e85b0523d48da027e5683e12fa3972a

SHA256
83b934a563510f280184a0e1be7f7f50f15498a12edd5f017c6ee00407e07f60

SHA512
6709795abe620688554f42f03d3ff98024766dd20cdc763b8133bd0826ce8951b965fdbd88f4fe811ce2ff5db73efe5f869af074f88a067a001d539a5abe7ea0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
Filesize
4.8MB

MD5
97222ba1713ea87c897937047eee639e

SHA1
af53e9cb3ea6cc6f5317bf93565ed180244380a7

SHA256
6e2254b8e5431695570e4f3cecf9d2eb93dcc0a9133324b7f791b6172f08bf4f

SHA512
07ac9ed1c4aee6516c8a8811057c0e1ff71066bf4c96897fa058ba3ad88ff498251d6d82c573a29ba57c59c2d09d05e936a701cf834afb58d96c705532d67168

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
Filesize
4.8MB

MD5
d833cf9ad35400e46e92ef69e0cfbbd3

SHA1
596b9fa44a35f618dc8b7d6e533828c49627768b

SHA256
a93ee6180a567588fe94d3bc86236609c9126fa2ed5e856128c75285f83113bd

SHA512
6463033b79d0f34fd30b22e44dd82e7c30a661f42015fdbb08138cedfaefda72e4a2f5c8b2b11b25db3891310264245eb9ed092818733215dba6fe74d8566545

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
Filesize
2.2MB

MD5
e5e393e784ee4a3c4a14b750e0adcbdb

SHA1
02c61e5ff6931ac1ccaef7f2ca27a7bf1fa8c1ca

SHA256
8671867fc7da9ca7a2aa591eebb97fd5128a02ff93716e17b452465e2fe7a3e2

SHA512
28c20dc3c8e85fe54305b4451a7290ebf5056d18c7db88f56446c5e856c984173b7b427bd40bd940d7aedf64d5a66f0188204fe8df28947e6dea7d4abf9bbf25

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
c46de936994f81f6234c01b975bcfc0a

SHA1
5492ba0dca585c78f6b8e391d36b080f9fd820b0

SHA256
d73e048c3d2ae30c5be582f6b94b82fe9ca9ca35aa11fe348e7f3f4c2369da17

SHA512
c69040ade0e96723f7f2a1603e61c17547520b652973d1e10c18f324342c60a27e956f9aa03592be304d4391dfad38ed1eb88e4efbcfca5ba28a6f28ae65b8b6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
Filesize
1.8MB

MD5
4d93d655f8353a51fa24ba3b160f1e85

SHA1
a8de547ed5ea82d808b93c0701aac0f825caddd7

SHA256
13bd6625d2e3409b0e5c9b36dd67219885305eb15518d3ebeebd339159c93d4d

SHA512
9f53de613faa6ca020fb24e7ef9e4fa7f5a21815ba699dd1be2c7e082c0955f0f7348e97342dbecbb70b850be33b0e5966acf29f85af706862420ef699d31558

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.5MB

MD5
baa075042bd403264c5d45c3079257a8

SHA1
91e2a9cfafa828724c5fe9352aed21a93c3f95a6

SHA256
899b9781ce3fc141028002f4ea0a9268b64a975a321fa5b9284c12cfae3966af

SHA512
528f1d9ea83c994f33b16d13d60dc647c9a4ab70243c4b2cbb70a6fa4e860b6e72c6fc3a645163406c114688ee5cbd2d10c7a3caabe35934ecf2b059f8c211fa

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe
Filesize
1.4MB

MD5
7316e6df3dac709c4f118c6c5d83eeb7

SHA1
9307b91261304b067ee8d982e4c2b6b7ffaae136

SHA256
eb1e9d2c402c495a784e68b98362e8eb8c976bf96fce9f17775b7f9855254dfc

SHA512
b79694d1264c6fa9cb81bfd913cdc5df7ac0557e22e7812978a8af07b127fc94b9ea7ed0eab3bf71b635cf883a12f5065ca1782545c788c0382195e6c99e1d28

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
2.0MB

MD5
fa3696af452172877c9cfa069f4df873

SHA1
cb7ce29d23f89af6ad5014507f579779f60d8b5c

SHA256
b5d60f4bc06c1496c137bf3d4900d12b29452a573f94e657f7130cf1e675561d

SHA512
9ebb20d2ba06eaab033e3b0ea4d694ff9b3bcfa0703309104689980dab7c8003412bf405910d7aaefce09d8da608e57161b4ee92c29e4260d691b220289c2017

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize
1024KB

MD5
395b90b5d6e98603b7ffaddbc8383fb3

SHA1
0a6cbbddf032fbc48d9563957c84d12b3d5c2067

SHA256
b378a93abe22dd1b2c4f2bd3025f2141e4bf6b75519956d7f50815f372eb8dfd

SHA512
4ac46bb9d50f3fb2486b547ed590624d21ae72f4eccc65b92413cd0944585d2bb69af48832729d3640ca6054f31e45654ddd93b8d26eb449393298eb37834821

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
39d4570ba9143faa60bd5e2b7cbd8c36

SHA1
b816d5de48e81d59e9c5b55cb7649410c9aaa6bf

SHA256
663b31dc8d74d78d225e141b1ca33b4a078a6e344098cbc3d118ca705d86cdf9

SHA512
51de88a7241609c7a08d6186214e392b942b26edf3e72f1f3f74840761abb9ac084d45271bae303a413a5e40f0e6bb9202d534d68b834d9c1c9a33188c4e97dd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
1.5MB

MD5
344bc4aa38bd06c648cbcc1da3d9688d

SHA1
0ddca5b45d5a1824d41c0f784d67498a45f403dc

SHA256
f1a0ae2cb8ba947f06a7953d977cc16661b242de8d9c3774fb1746a1466eaf62

SHA512
02f905fe533ebb4c6a88e629a1e7edcd5a00cd29af2594f6f2f13f1ef105a695c7a5a6d78de63bc2de9d2506d54c1d445fe740b2bc31972ab04bf117b63f3805

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
c568a8f04106f77e991917ad7502ec99

SHA1
c769d101c494259850abcb23f7910cf73a411f77

SHA256
7f793f277ef053ae035b7c322820f7d169f54252bb896ebc8ca99b31e9ba16fa

SHA512
bb920af6dd1a1f6583565454e84617231e71f8023e0904abeff365301fb01faa0db8b76e11842ed4c75c619e3bfc21ba99e56c4157bc1ab26a39712174970fc5

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
1.5MB

MD5
f8b97f0f5bd586b48b7fd1858bfeaa6e

SHA1
0e3dd06eab28aa9a5f12331db2ae9f82b02c3f69

SHA256
a41107fe6b274f2e98a1ec658b73063b452d0670ec133a5b0a5892fd0f91831d

SHA512
49cadc663e9361ef70baed9eed88150f575c81d7ef97c7873e95c756e500120aa137d35dfeab5d00c3f8b7324220819ce88bcbf03ac1dc3300772906d673af67

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
f21f68cb96d43ecadb6c0ce3e4834af9

SHA1
c90d7e41b405f764eb7b3f8fe0a0a145d5ea5553

SHA256
59091ec65db4afda643adeeef1db665fb55bf6c80f53701d0e2c8ce912442b3c

SHA512
d8787da8e4d194715f784572386bc3d015593466d5caa4479c6ebdb865fe263388cf105c97d170687a74b6226a4fdaa6a51a342c2ebd015e112ed9ab57a00465

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
1.5MB

MD5
ca4d1cb0b09e5954108108905b2744b1

SHA1
0f603f04136b32d481451055ebd605e9c82828e3

SHA256
f0740972cea2dd16231076ceeb7dd8b0178d2c6795ce04cc973f1d22be5e750e

SHA512
57e42a281ca93cc3a998398c531987eefe30e5b86bf41c8216f919f90df4d65cb5fc7b362de2e5369c5e67edc7acde8e6bf8f7ee43f291a2f8d31354b39c6393

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
d7a9e739333bac3d74b0d92a22ef6fdb

SHA1
d67c2c41464432fe973b5ec94793bebf2ac05ce3

SHA256
3b38d3f45f9e8e6cc200fe04b8df853e094bb2d270dc834dd5373163fd2a2cb6

SHA512
b973a5dc36042043ba722ad8baed220d6fe13b8676c23b1cfef62eca8e512ed45ca17b9b50b08d1ec92788f13072a1fe8a5527c15985324fb9f94fdfab908370

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\176f10bc78a61a12.bin
Filesize
12KB

MD5
99d5bec2b54feade7b899905728269c2

SHA1
5634f37b6a9dca4b15f7df992b23bd9d0b248839

SHA256
7f744ccff90cef5ee98b752d865deb4c9a3db154308797ae1982356a97dba04e

SHA512
b17494f1f0fc6b8f8192f94a9807fd3c45fdb187b26ea6a2b16fe77a10de3557ce2a1191fecd7891daef9ff2fe18f41fe623259dea3e7afb9b2e4dad4780ec97

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
a078401fd1438ad82d9f4dfe7e08e0d9

SHA1
01bd252855ea5a2052ee3821822ce45c34e7889e

SHA256
e2579bf768a4baf6bef9ff0c1747a27d985b2ac8a0efc6dd3ae8003ba7f65a14

SHA512
0f652df23979d48b23b22bf907bd02dd2bf29608ea55449e87d3f874a24782bd9144b7e9c87e42f23d9fbf971d02df3184de500ff4c343c165449065c616fa15

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
07dcd83db89c4a2895d30850fe1ae3d8

SHA1
da8d00b2ede9fbd460c5ba61564bfb9fbf412896

SHA256
8bd88932c0ab2e4401221c336c1032aa3bfe5da0f5f4549c2165063e2134f96e

SHA512
6445b36ed4f0b8ffe204c0b079384074131699382e414a2e1ef0ec2970d1134acc405c1a2beb1cadf566dfb3002a172e40e3a51b765d572c7fb7730d35773ff1

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.1MB

MD5
e3ce61d87d2c64d5941ffe190a0d3dac

SHA1
c631433c925761ae463181cd4d858ad256814d60

SHA256
eb5c70810b9b09be051762f4fb5ec27806cb499d185d96cd94d4c9c4c8238aa2

SHA512
1c6b937d58aec17dcef159a25c959532d9d28a65252397532e9b541edd51821309dc09fd7d0af540e6db8e91770b77faa968fc09d863e15e174bd70b8229634b

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.1MB

MD5
87c33da5715c7a6803629f1770642995

SHA1
fcf9448b83766515409449049db5f519775ce7c7

SHA256
00b86808f99fdbd97a09c984abf795585b29cac567197d47a3dd1172f14d7d7f

SHA512
7785269e0a932d978e722ea92027aad94b50500f94bdec25477ff8662ac476b166a29511962583383f3c478ac7323abeba9129332986b22107a3b9c15e51beac

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.9MB

MD5
52b617658c36d7dd08973c2d37fda24d

SHA1
d5e22bc4f7895f6ea21af5eb95784d2b59a6436f

SHA256
55c2e12e3b115d76c8534b6f5863c9ef60823ebf40b3b465162cc4ea250a10d4

SHA512
dc2bb87dd88c513a2a6a95c58dfedac275b222c69f89874c68ecd7ac2adacd5b7c1871347286c16d316b6355df72f67f976375a70b6ddf2ddf720be9960d10d9

Download Submit
C:\Windows\Temp\Cab92BE.tmp
Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar935C.tmp
Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll
Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\60e9f3c62fe901f919837f2ebecdcb9a\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
83KB

MD5
8564efc4b878933a479531b647ed8892

SHA1
d0bf375568b2408a627adeecd7086f8ec9205409

SHA256
6ce73ed9160389ec125a8675a2b7b51643c4904f15ab15912c89216d2e44d80a

SHA512
81a92821b2c2835f3356681c8a7066d749a1b7f47446c205b25f251096fff1437b498944c80324031622e8a40ad26336bd38f5de6501ca4e992c6e87f9e28d8c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\7783cc8b52cff32d4df66be2841082ba\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
180KB

MD5
08d9efd84c6ca8d5ce73fe2fb1866c44

SHA1
6a315b2b9438b0b5a3e1b0fbeac48a0ab5521393

SHA256
875da9899a8c6b2ad0752bbe374998488e5606c1f083abcb7a8b4b974f223b2a

SHA512
0e5bc59ca6b90ebb471577a73bf32eb3d43f000873a3111dc4f8a81272f3811486a2b7b91570766ba5febffd6f93dfe5b5c0da0929d4225c59299cc8e946bf42

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll
Filesize
1.2MB

MD5
0637ad2bf6fc5ac1d29e547155bc818c

SHA1
a502879466b6dd37eae5881bbb18353f97623852

SHA256
868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f

SHA512
1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a05ee2388c8a28fb3ac98ec65148e455\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll
Filesize
65KB

MD5
da9f9a01a99bd98104b19a95eeef256c

SHA1
272071d5bbc0c234bc2f63dfcd5a90f83079bbab

SHA256
b06632dff444204f6e76b16198c31ab706ea52270d5e3ae81626dc1fc1fb1a4d

SHA512
dcb3273e33b7df02461e81a4f65ae99c0a9ae98188a612ce6d605a058bd2dcb6ddb5b7c78abe1f0a955b7f0c07c323dbfd77a2b6a629a9c87e4ecc1c57e4d81d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d25889be8d9c23d1e2ff9f911d398685\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
143KB

MD5
424c1d18a274fce24a7c73955609347b

SHA1
192a243e01ce4610e04a3dca939ef3c3c010a1cd

SHA256
9b2d8c0a799b159a98e8d8e75f7b5623a8646833477fca227beaed0093a3b4f4

SHA512
91209500ac24c092eb208921a7c8b92e6d692bc7f864ce2ff9730a4d7f19b0441b1c34ca6f1f7b9d2d9766979d5fc096629e090963dae04c1dabe35dcdec5b9c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ebdbfd6b59e40b9e418522415f2c9c07\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
187KB

MD5
a87aaf5b1f9789a3368594c4e3b52853

SHA1
c6832a32867dd66be4478087dc96f1d6e6f57951

SHA256
d8401c4c75e6c364a3aaa14fea9aa4e95b507a0b044ae07979ab0dcb67213eb6

SHA512
73fe617b5046862dca443b4053ba3554a40c463d5b378850bf19e7afff28d8b834cd7e6148fb456b68f74e3a02cbba8c52b1ca21ca4c4100c62f3082c0b6c8bd

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll
Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll
Filesize
1.1MB

MD5
7835e60e560a49049ae728698da3d301

SHA1
87b357b1b3c9a2ad2f3b89b10a42af021ab76afe

SHA256
df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa

SHA512
b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize
238KB

MD5
0a4ed78b7995d94fa42379f84cd5f8e9

SHA1
90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b

SHA256
0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86

SHA512
86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize
1.8MB

MD5
9958f23efa2a86f8195f11054f94189a

SHA1
78ec93b44569ea7ebce452765568da5c73511931

SHA256
3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6

SHA512
3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\0817dd144bd1703a16af65cf81ef80e6\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0.ni.dll
Filesize
759KB

MD5
37c49cf471f7ad881127f9e38bed1a10

SHA1
473c3a7a28d138ccfff0d971a1ce9360ab990aba

SHA256
9ef88d67461f4d91de1e16fab938d5561db9d04898d8776f9e716fdd52f91369

SHA512
e88e5b3b41b5763ed7de4d3ef40ec77144252c30d8d67f5b387b905026bd856e9d70889ccf9f78b0c0a7b0298ca8afdbaed133675001dc60593c6fbc31e93c47

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\19c2b79f666960d7a242a04c5d76f114\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0.ni.dll
Filesize
227KB

MD5
4ec89a4e8fe1b5b9916ace8dbabc0418

SHA1
dafec0baada7f2fa425978a5816fe852053fb1fc

SHA256
6c4f0f9775fbaf81122cba659cdd5449974810c772d51e152fc20016211988e0

SHA512
648704c9808193a045035858b68f7e98981da8c1c98f07e04afacb1b181beeb0bf7df9f42a563636093aff05f01f0c7faacdde0561e9e8776e914611f9f43b34

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2f0c848c55e8a810996654f4343ed055\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
221KB

MD5
d970836f656f0933f0ccc4ce91ccda7f

SHA1
2938d746f3d3a734cb713f33228cb476946ee304

SHA256
dcc013ef333aff5d3a9f20458817ecfda51b0595646da15fa6aefc448ae770a4

SHA512
c9368e2270550d1d384f3dc1c3d7aea5a2353a6319ec55aedf2009e64a499704dbe6ce9b2d5242f671df135e8f268d3e97978eae828aa203a889268669465dc1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\36c5a9d83dfb1b6b1c0202fb505c9daf\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.ni.dll
Filesize
221KB

MD5
78c5a493778f578ef5517fe161162819

SHA1
faf377bdc739623fb5f111d51af97e8c78f11525

SHA256
aa332098d4073a4c4a654d16ec5fd0b6e2b1f284890057e164204d756095dd93

SHA512
6a905ef75d2eb909cd30c3916110f6b41a849ff4ed9f4c19e4d5f85ccf05d9b9dd009b351003386778801909d2628ce4c6cd9b1a54e3a0cd1ab9c5496f35cf50

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4b363c5e4c1eae1701bf45d167f8658f\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll
Filesize
91KB

MD5
adc5887e89bc56694a193d92898d3518

SHA1
267f14c45a86d50ad627c6cb00626049e9c1ee20

SHA256
edc77665afe4901d4370c6a4fe7427b235a8b4bbcd58ac41ee72440cf414bb5b

SHA512
bdea1e13b655e62b74f908f1012a746992245ffcebe21bad624e6e051429e8cccf531fc03fa1fc7319bc5c9c6367c261174394f9623a1968c6381d674b341a37

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\585e8f83eff436c8156f071e8f2bdaa0\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll
Filesize
1.8MB

MD5
04a6857c04546270358d14398fde209e

SHA1
596a3e11ac6c303c679edfd6c30aa71e8eaf8a23

SHA256
8eb8d5e0c2097d6fdae4b58cfde3e1be1dd6e59968891ac6d11efe8adf227285

SHA512
4e8bfd6bf9463a004c17a897026bcc1b4edb0764c7e959f09a744d395e9885b24f8e869b78896218ce930562796a3a8e3a7f0a59ba11c8dfa32b0908c5706b22

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6348aa5d2bd39c221a41286e95c18b97\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.ni.dll
Filesize
381KB

MD5
0811b25e0449e04f782127bc6f8ac5e3

SHA1
dc1766e20ee338b12fa80e3ce0052ef97ddf9e20

SHA256
20d8234901a58ec8ec24f2ce7048ac9e1e7381e3eae10cfeb1e002001d2c8b6c

SHA512
a3a07aa4263175688019597b0829b090ad3b8ff43c554b8c89e16b48de86fddab4be6217bce24ccce9cad0c98df1240a7068c8b55778d836c34d5326cbd9c8a6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\74054b5793bfb8c8c0753b4d4aead8e3\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.ni.dll
Filesize
947KB

MD5
b1aa17d171be82960213057ca35815a9

SHA1
6c68a8a2c524ddbe04395dfa613378bb311aa314

SHA256
c632156c276f9189d0f53addcc1043006d86188e3b74d9c4042ab2110b6cfd4e

SHA512
6f042aec9c74da86d15322d4300d93e4a9e69ad3555b302d42d7629dfa060209898b4569a380e9da1a785ddb53a6e0cc0f7543606f17ee467277990971c2fc1a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\74539112b90e5f9754a8c4559311d73c\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
271KB

MD5
7c6f82ca41cf3dd831b22835c4fb3990

SHA1
40f99890a73699a791d26963623daf2622083de8

SHA256
67ba328ed7771ef242e704b1cc9a77609990d0e52c94aaabd2cae00bf5af791a

SHA512
dcf74be857d3d21b88a0db64fd422da1bcd191344aa6b0a55e3413ebad60dc820c014b2a6fdd2d581cded31bd2ccb30a81a55fc3a872eda7e4dccaa95b6b02a7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a8141e9e81e2c3bbf457e4980d4c2847\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll
Filesize
483KB

MD5
aae5a97685a809d0a0f661f9319f8a12

SHA1
b5fdd4ec4cc057fccc868de4f4910be89e23e48a

SHA256
c26eea914017a12af65dc7ebcbbf86d5a620de60f57e3660057163613f2b0233

SHA512
d95c0635c587fe40e2c33cabf14e2893be49df06aebf2d40f4c0623f649e9abbd73a95cc5e3740db3b15df07406e36b1534781e63ee485e54671cfb21d3317fb

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\ad7d01564f0056d2476f6ae5d257356b\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.ni.dll
Filesize
436KB

MD5
748bed51a810c033b91c660b5776ab95

SHA1
ec2616fb01949fb9fe4b0eea707f7095b69aa9e4

SHA256
45ee38adadeb1586532e8dd4baba14740ccb0801c2e21318c35268543e0ddef7

SHA512
dc0cce4c633b8e43d8f6d565fcfc73d79bfea375a79ae5057af6d3cc1b62f929e34c95bcfe2f7d378ec7f421fafdd9ab73cff454df0934e2d2f45a52580e9df0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\b22777deb45f6aeebf6bc7753dd76eea\Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0.ni.dll
Filesize
220KB

MD5
5c35887a0b76108f6fb6daac51256ef5

SHA1
3be6ece2f60d205bcb955a5da0aa182d83cc1899

SHA256
9f8de356dab305f2be5cf1f75934eb6b87072e1745ab5ee73ab4b319bb9a2b5a

SHA512
0d1d2e5dd3ec776fab85e8f3b8cde32718bbbb52463c2702a17336326570a2fd624b0e32fd98182bba8c25fdd57ba861edebc1f00cfa66c04ec1c8a6f10fcee3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\c05938e3a47277d9127138fc344b479c\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
305KB

MD5
5ca8e6ec143e7d11fe592a038024bcb4

SHA1
d54d60836408b6ce734d19505922b18dfd310034

SHA256
18a69045d75d3ea6de97d1adcf6261e10a52298952434ad6e46b0fc813be18b4

SHA512
ff1d05c64ec84dc9d99c23c5b10a0c485e615371fa0147e06ed629f1508e2bb32ab159298fd9862705311fca6811fbc599c09e8131962d7f30bd87bd4585fd7b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\d0876aa908764a063670e7e59284635b\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
122KB

MD5
a4dac2a8e4743455b30df95ef19b753a

SHA1
088cf50a2ad1bdc593bc0f6357270fc10fdf891f

SHA256
db7053aea815d01a8fa2bdd86a9d17b3514962bd2670931a2d2aa52332fe4d89

SHA512
d376b486a863a71094d282256bfb66502b4993dc54f3052f5a5b1fe9707e4f3e5cad605a123583adebad3fad33fa9158cf2f8235676f6590a7b5234053c5301e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\daa561280ac1119d9c2694442212aaea\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.ni.dll
Filesize
487KB

MD5
aefa28d036740086ae52d157f245200a

SHA1
d502f55fa76c3cdb69c8ab97321cd9b9a4b68e55

SHA256
75127c1e3a30e544413d7eb24fd726bacf8c3a3951ddba1fc990ad00a7f1cc49

SHA512
3943c099644525fc2b3a50f843cc1612a003d4f92a9187b2fcecaaf90b33071bced0db4608a91bb59c6bf5d1f6f4eb158881bf78cced0597b7bc3045d9b66ee3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll
Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll
Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll
Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\system32\fxssvc.exe
Filesize
1.2MB

MD5
96a432cad9546a396ea2ed5d6601a599

SHA1
8ab4e1bd5d74b061c3492a2d032b500d720c8a5e

SHA256
1ddc1f9e123c24a502fa05e647a1eb5bdc8f43aa5d9657cd5ad608b72a308fcd

SHA512
63702528d4d28361eaf7afc31bf86231f478c2a6647d2e4e58140b1add43ee83534de68b20a3d62473df8d392354118427ac66ba6b1da2f063456ba2ad70d710

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
1.5MB

MD5
9e5aadb9e2f3fbd318261be81d93deec

SHA1
068ddd692ef988bda3a0a194b982c43138e3ee37

SHA256
b0cc671e70ef9b6fbf6c70e051e5936e16d87f31988c9b68602e358546b92ed7

SHA512
c037d1b5a387df4fd7866b1687fbfc18dd37698a417a6afe7beebd44ed2f2802a3fc2fff0b3324c4068cb919c49a9dd126afac16ea5a289119d9dc3bae077803

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
1.5MB

MD5
43a79abfe4515426660e8d903505b71b

SHA1
540fb32e64d1b80831d54f9743b46525619cb197

SHA256
db93ada2de995d72572ef0b5dc71a19befb12efdaaa35765d36944ec33d3c593

SHA512
494fff6437368771ee373e13df55fea0f50d2db0239e22db871ad259a4db85ee4de689bf21f4b16e0367f172f57eeb577a1a9ab37761e3613b7d6c7eedb56070

Download Submit
\Windows\System32\alg.exe
Filesize
1.5MB

MD5
e233caa3e992e46c026f3cfe3ca5aad7

SHA1
b89288e6f58a3253d7529239329937e820d4b760

SHA256
193faa7828acbc6feec7ebda339d75a5448011d9a8ad0b6d3aacff29397d6ec9

SHA512
c5c6aa0f6149f9e526020c516c6aa7a2d4c2afcf13648465c6d827e3cb356f46999678b3990bc8329e05a1b6bdad4f458676453aaba9e57d738d270bf1e7ad75

Download Submit
\Windows\System32\dllhost.exe
Filesize
1.4MB

MD5
1ce45ffbdd1f0833d6b6f2662c0c9798

SHA1
70c4c755160e678baf1119f3c74e9b988fcb2807

SHA256
4aaabd11020574d72980c84449365fe21145e72f87013dd325b24a7cb2edb647

SHA512
2ab8fa205964df075473cc7d58b66753ad8c54d9694fd3b23b1209b9acad2fe5f38dca2b601181c998d27f54e70c4cad9df0170947e494b2ae8d84d09b1d12f8

Download Submit
\Windows\System32\ieetwcollector.exe
Filesize
1.5MB

MD5
cb1ac6ce8caa8fd80e85c72fb3172900

SHA1
a700ba24ec6edf1f6fc25f661b41f5c277969f43

SHA256
fdf4292c9bfdec52bfae9a0d444b11cf6a0f2a67b9506b4d0d9313de37918d19

SHA512
60025a63fba2c20661eadf9d943745843519903db8422f66eeea5885b54fb2dd85c12ff3ea9aac68d6c8894b8727e47b7f7c632a4aa9f9d4f60a69ce2b02f9a7

Download Submit
\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
9e2738954db7764e218ebcbe960d2f7c

SHA1
d3dd750abc695d49121773794813f86f2fdb81c8

SHA256
4bc8d38bc06103661598a78cd8e3d5fecd4a6a5c212a7e28e23e778c412904b5

SHA512
1ca51fe41492a3a397fd3f5cd63d2426c9a226f660ac22fd3a5d960b41e01ed0bb8e528a3038fdf371dd007a6f3447b705df5b1685fc6d9c4d7372447f6618c2

Download Submit
\Windows\System32\msiexec.exe
Filesize
1.5MB

MD5
41502b7a2e6fc5e5633d6e19c896a546

SHA1
af991451a7ffce52df253b5d40de59bf4adcf3e0

SHA256
44c6651ea4ddb7bc192e021235d7b3330b945a228ea1d2e64b9db531eee538cb

SHA512
4315290247c31ea0fb76a3de8f1be81da167f9943f6d217dd28daedb0632dff39da91e52c206a57b415d508a78bc9359c97f2b6f4f01695beee85afca1caf557

Download Submit
\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
32fd9aa3940e49919f0b9d4e67326fcd

SHA1
e05485b34074c0953ff62d3a3b6f903c5dfa3a7b

SHA256
837d88b135cb80706397266fdd66c3302f7a7f2189c79e98014b15f7573ddd65

SHA512
2ac5a99ef7c5dd99ac40fb9f38164d1557c4c1eab77c3b576c1bd437e1bab90ec52f8b88d983d2c3ff64139436010bb59f3d0b2af128486d3c429354a96e02ab

Download Submit
\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
f88f6a89b9edb557a7528232bef43386

SHA1
bf5e59c6c707bcf0c5be928fb413430058c07f90

SHA256
47ed0ee41a20c2e43fa34aee52f258e7af509c7e57cc2283c6d17595ae2243d4

SHA512
2706b3ae09575bafbf975f602dc6e9a2317a71283a48a73ca53fd99725398a7f9e84151f54c3efff4a4140e1583e62f198c1551d944f97e40e6c95750889ec30

Download Submit
\Windows\System32\wbengine.exe
Filesize
2.0MB

MD5
2c6fe3d87a56f6daa29a342c9c41e425

SHA1
ab5c1a11257274225ede65dced30bdc8dd5e10ad

SHA256
697f20159116099330b8110314712fd2c4faed86ff8ea49753427e86e9b79003

SHA512
ae728248a7e727976e43881b9ba50cc7a959c301744d6710bc15fb2e4d58273d640187b552d6fdbecc9701945199d06f06d5917bcc7ff99b7cc66a054b8ff8cd

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
9685217e6d6b8f6a2881830836ba6299

SHA1
cb15af8f262257dda731160298fcd1392d621a37

SHA256
c6dc5ded3b25588bbc512e1e1c0f4203e48c89c100d18017e6a4efdb4fc68600

SHA512
7f9d643b74a58a55b391a821db267bf23f095a69b5e53aae723a7bc0ead13cd67c180e3f1b5c8e91c385d4890ebf0ec23152459a1947dbb016b090e48c445b46

Download Submit
\Windows\ehome\ehsched.exe
Filesize
1.6MB

MD5
1e1f44aae12053624def5d3ed4e61bd1

SHA1
dfa03d8d778680c5b4e01441859d5e58f1ec9f4d

SHA256
93dfc681d5ed2cbd2bc951fcddf0262407875f6d1ece286e46aa26431a1df60b

SHA512
2c508e43059f2a0e4e32cf3478485156a151e79ef0ea26a4894b7bb9ff016eab95582061c8d7e1ddcdd71174c452cd5733cde4b4e5404abab30f87b826a89de2

Download Submit
memory/320-724-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/320-748-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/452-183-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/452-262-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/452-961-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/580-1043-0x000000001ADD0000-0x000000001ADDE000-memory.dmp

Filesize
56KB

Download
memory/580-1038-0x0000000001890000-0x000000000189E000-memory.dmp

Filesize
56KB

Download
memory/580-1039-0x000000001ACB0000-0x000000001ACBC000-memory.dmp

Filesize
48KB

Download
memory/580-1040-0x000000001ACC0000-0x000000001AD08000-memory.dmp

Filesize
288KB

Download
memory/580-1041-0x000000001AD10000-0x000000001AD26000-memory.dmp

Filesize
88KB

Download
memory/580-1044-0x000000001ADD0000-0x000000001ADDE000-memory.dmp

Filesize
56KB

Download
memory/688-1024-0x000000001ACA0000-0x000000001ACAC000-memory.dmp

Filesize
48KB

Download
memory/688-1023-0x000000001A950000-0x000000001A95E000-memory.dmp

Filesize
56KB

Download
memory/688-1025-0x000000001ACC0000-0x000000001AD08000-memory.dmp

Filesize
288KB

Download
memory/688-1026-0x000000001AD10000-0x000000001AD26000-memory.dmp

Filesize
88KB

Download
memory/764-591-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/764-565-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1228-8-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1228-155-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1228-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1228-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1228-533-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1348-206-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1348-191-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/1348-186-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/1348-269-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1352-674-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1352-658-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1392-812-0x0000000003D40000-0x0000000003DFA000-memory.dmp

Filesize
744KB

Download
memory/1456-665-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1456-692-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1480-537-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/1480-715-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/1540-758-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1540-768-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1608-167-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/1608-151-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1608-143-0x00000000003C0000-0x0000000000420000-memory.dmp

Filesize
384KB

Download
memory/1608-149-0x00000000003C0000-0x0000000000420000-memory.dmp

Filesize
384KB

Download
memory/1608-968-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1608-233-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1608-166-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/1620-179-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1620-176-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1620-170-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1620-257-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1668-279-0x0000000100000000-0x00000001001A4000-memory.dmp

Filesize
1.6MB

Download
memory/1668-664-0x0000000100000000-0x00000001001A4000-memory.dmp

Filesize
1.6MB

Download
memory/1808-214-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/1808-197-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1808-203-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1808-207-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/1928-697-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1928-297-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1932-135-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1988-274-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1988-657-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2016-124-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2016-118-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2016-221-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2056-278-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/2056-211-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/2176-219-0x0000000100000000-0x0000000100192000-memory.dmp

Filesize
1.6MB

Download
memory/2176-222-0x00000000005D0000-0x0000000000762000-memory.dmp

Filesize
1.6MB

Download
memory/2176-283-0x0000000100000000-0x0000000100192000-memory.dmp

Filesize
1.6MB

Download
memory/2176-296-0x00000000005D0000-0x0000000000762000-memory.dmp

Filesize
1.6MB

Download
memory/2184-688-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2184-704-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2204-703-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2204-720-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2216-294-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2216-687-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2236-182-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2236-20-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2256-923-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2256-156-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/2256-253-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2256-164-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2256-162-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/2364-643-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2364-628-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2404-789-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2456-259-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2472-254-0x0000000001000000-0x0000000001176000-memory.dmp

Filesize
1.5MB

Download
memory/2472-585-0x0000000001000000-0x0000000001176000-memory.dmp

Filesize
1.5MB

Download
memory/2540-230-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/2564-598-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2564-589-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2612-716-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2612-723-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2656-743-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2656-759-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2668-606-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2668-632-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2672-641-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2672-661-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2680-271-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2680-627-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2684-272-0x0000000100000000-0x00000001001F4000-memory.dmp

Filesize
2.0MB

Download
memory/2756-51-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2756-193-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2764-106-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2764-132-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2772-1062-0x0000000000E40000-0x0000000000E58000-memory.dmp

Filesize
96KB

Download
memory/2816-242-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2816-564-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2892-270-0x0000000100000000-0x0000000100176000-memory.dmp

Filesize
1.5MB

Download
memory/2900-114-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2900-96-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2900-89-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2900-88-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download