9911da3a890e72c7cfc065de8bd71d689b059d3b4dbd8bf06fad5ce14771174f

Analysis

max time kernel
140s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 15:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9911da3a890e72c7cfc065de8bd71d689b059d3b4dbd8bf06fad5ce14771174f.exe
Size

1.8MB
MD5

9768081c0b034110046ae247efbb609f
SHA1

16bdd6a4bbc4325fa1f101ea07d5d6fb9acfd736
SHA256

9911da3a890e72c7cfc065de8bd71d689b059d3b4dbd8bf06fad5ce14771174f
SHA512

996f861e1b5fd253fa6ad2aed42a43ac2a0017e130d52635289f2c29acbddb32998a23c292e1dbe86d1201006d011d8228426187e03edd6faafe0411bd37c1f4
SSDEEP

49152:wKJ0WR7AFPyyiSruXKpk3WFDL9zxnSz/snji6attJM:wKlBAFPydSS6W6X9lnYEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2644	alg.exe
2872	aspnet_state.exe
884	mscorsvw.exe
2584	mscorsvw.exe
1840	mscorsvw.exe
2320	mscorsvw.exe
764	ehRecvr.exe
2972	ehsched.exe
2072	elevation_service.exe
2000	IEEtwCollector.exe
2100	dllhost.exe
2524	maintenanceservice.exe
2360	OSE.EXE
1072	OSPPSVC.EXE
476	mscorsvw.exe
1432	mscorsvw.exe
2236	mscorsvw.exe
2868	mscorsvw.exe
2764	mscorsvw.exe
1692	mscorsvw.exe
596	mscorsvw.exe
1672	mscorsvw.exe
2084	mscorsvw.exe
2176	mscorsvw.exe
2796	mscorsvw.exe
2524	mscorsvw.exe
1388	mscorsvw.exe
2352	mscorsvw.exe
1932	mscorsvw.exe
1956	mscorsvw.exe
1676	mscorsvw.exe
2028	mscorsvw.exe
2264	mscorsvw.exe
3044	mscorsvw.exe
2636	mscorsvw.exe
1652	mscorsvw.exe
2572	mscorsvw.exe
1536	mscorsvw.exe
2816	mscorsvw.exe
2488	mscorsvw.exe
1728	mscorsvw.exe
2560	mscorsvw.exe
1924	mscorsvw.exe
956	mscorsvw.exe
1088	mscorsvw.exe
540	mscorsvw.exe
2864	mscorsvw.exe
1900	mscorsvw.exe
2180	mscorsvw.exe
960	mscorsvw.exe
1756	mscorsvw.exe
2264	mscorsvw.exe
2636	mscorsvw.exe
2412	mscorsvw.exe
884	mscorsvw.exe
1920	mscorsvw.exe
2816	mscorsvw.exe
1224	mscorsvw.exe
596	mscorsvw.exe
2788	mscorsvw.exe
1632	mscorsvw.exe
1144	mscorsvw.exe
960	mscorsvw.exe

Loads dropped DLL 48 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
956	mscorsvw.exe
956	mscorsvw.exe
540	mscorsvw.exe
540	mscorsvw.exe
1900	mscorsvw.exe
1900	mscorsvw.exe
960	mscorsvw.exe
960	mscorsvw.exe
2264	mscorsvw.exe
2264	mscorsvw.exe
2412	mscorsvw.exe
2412	mscorsvw.exe
1920	mscorsvw.exe
1920	mscorsvw.exe
1224	mscorsvw.exe
1224	mscorsvw.exe
2788	mscorsvw.exe
2788	mscorsvw.exe
1144	mscorsvw.exe
1144	mscorsvw.exe
1968	mscorsvw.exe
1968	mscorsvw.exe
2748	mscorsvw.exe
2748	mscorsvw.exe
2540	mscorsvw.exe
2540	mscorsvw.exe
1432	mscorsvw.exe
1432	mscorsvw.exe
2864	mscorsvw.exe
2864	mscorsvw.exe
1948	mscorsvw.exe
1948	mscorsvw.exe
2292	mscorsvw.exe
2292	mscorsvw.exe
1824	mscorsvw.exe
1824	mscorsvw.exe
1364	mscorsvw.exe
1364	mscorsvw.exe
2164	mscorsvw.exe
2164	mscorsvw.exe
908	mscorsvw.exe
908	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	9911da3a890e72c7cfc065de8bd71d689b059d3b4dbd8bf06fad5ce14771174f.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	9911da3a890e72c7cfc065de8bd71d689b059d3b4dbd8bf06fad5ce14771174f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	9911da3a890e72c7cfc065de8bd71d689b059d3b4dbd8bf06fad5ce14771174f.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\f58803feae4ef42b.bin	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	9911da3a890e72c7cfc065de8bd71d689b059d3b4dbd8bf06fad5ce14771174f.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\GoogleCrashHandler.exe	9911da3a890e72c7cfc065de8bd71d689b059d3b4dbd8bf06fad5ce14771174f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\goopdateres_zh-CN.dll	9911da3a890e72c7cfc065de8bd71d689b059d3b4dbd8bf06fad5ce14771174f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\goopdateres_uk.dll	9911da3a890e72c7cfc065de8bd71d689b059d3b4dbd8bf06fad5ce14771174f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\goopdateres_hr.dll	9911da3a890e72c7cfc065de8bd71d689b059d3b4dbd8bf06fad5ce14771174f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\goopdateres_ca.dll	9911da3a890e72c7cfc065de8bd71d689b059d3b4dbd8bf06fad5ce14771174f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\goopdateres_lv.dll	9911da3a890e72c7cfc065de8bd71d689b059d3b4dbd8bf06fad5ce14771174f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\psmachine.dll	9911da3a890e72c7cfc065de8bd71d689b059d3b4dbd8bf06fad5ce14771174f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\goopdateres_ta.dll	9911da3a890e72c7cfc065de8bd71d689b059d3b4dbd8bf06fad5ce14771174f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\goopdateres_zh-TW.dll	9911da3a890e72c7cfc065de8bd71d689b059d3b4dbd8bf06fad5ce14771174f.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\goopdateres_ja.dll	9911da3a890e72c7cfc065de8bd71d689b059d3b4dbd8bf06fad5ce14771174f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\goopdateres_sv.dll	9911da3a890e72c7cfc065de8bd71d689b059d3b4dbd8bf06fad5ce14771174f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9740.tmp\goopdateres_bn.dll	9911da3a890e72c7cfc065de8bd71d689b059d3b4dbd8bf06fad5ce14771174f.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP73C9.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	9911da3a890e72c7cfc065de8bd71d689b059d3b4dbd8bf06fad5ce14771174f.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP45A8.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4A1A.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5EF2.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP71E5.tmp\ehiVidCtl.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5918.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAEB6.tmp\Microsoft.Office.Tools.Excel.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP620D.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA94A.tmp\Microsoft.Office.Tools.Common.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	9911da3a890e72c7cfc065de8bd71d689b059d3b4dbd8bf06fad5ce14771174f.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{75C93AC4-96D3-4233-9AFB-9A30E0EE1EEB}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4EDB.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	9911da3a890e72c7cfc065de8bd71d689b059d3b4dbd8bf06fad5ce14771174f.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP63C2.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1616	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1688	9911da3a890e72c7cfc065de8bd71d689b059d3b4dbd8bf06fad5ce14771174f.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: 33	2064	EhTray.exe
Token: SeIncBasePriorityPrivilege	2064	EhTray.exe
Token: SeDebugPrivilege	1616	ehRec.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: 33	2064	EhTray.exe
Token: SeIncBasePriorityPrivilege	2064	EhTray.exe
Token: SeDebugPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeDebugPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	1840	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2064	EhTray.exe
2064	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2064	EhTray.exe
2064	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 476	1840	mscorsvw.exe	44
PID 1840 wrote to memory of 476	1840	mscorsvw.exe	44
PID 1840 wrote to memory of 476	1840	mscorsvw.exe	44
PID 1840 wrote to memory of 476	1840	mscorsvw.exe	44
PID 1840 wrote to memory of 1432	1840	mscorsvw.exe	45
PID 1840 wrote to memory of 1432	1840	mscorsvw.exe	45
PID 1840 wrote to memory of 1432	1840	mscorsvw.exe	45
PID 1840 wrote to memory of 1432	1840	mscorsvw.exe	45
PID 1840 wrote to memory of 2236	1840	mscorsvw.exe	46
PID 1840 wrote to memory of 2236	1840	mscorsvw.exe	46
PID 1840 wrote to memory of 2236	1840	mscorsvw.exe	46
PID 1840 wrote to memory of 2236	1840	mscorsvw.exe	46
PID 1840 wrote to memory of 2868	1840	mscorsvw.exe	47
PID 1840 wrote to memory of 2868	1840	mscorsvw.exe	47
PID 1840 wrote to memory of 2868	1840	mscorsvw.exe	47
PID 1840 wrote to memory of 2868	1840	mscorsvw.exe	47
PID 1840 wrote to memory of 2764	1840	mscorsvw.exe	48
PID 1840 wrote to memory of 2764	1840	mscorsvw.exe	48
PID 1840 wrote to memory of 2764	1840	mscorsvw.exe	48
PID 1840 wrote to memory of 2764	1840	mscorsvw.exe	48
PID 1840 wrote to memory of 1692	1840	mscorsvw.exe	49
PID 1840 wrote to memory of 1692	1840	mscorsvw.exe	49
PID 1840 wrote to memory of 1692	1840	mscorsvw.exe	49
PID 1840 wrote to memory of 1692	1840	mscorsvw.exe	49
PID 1840 wrote to memory of 596	1840	mscorsvw.exe	50
PID 1840 wrote to memory of 596	1840	mscorsvw.exe	50
PID 1840 wrote to memory of 596	1840	mscorsvw.exe	50
PID 1840 wrote to memory of 596	1840	mscorsvw.exe	50
PID 1840 wrote to memory of 1672	1840	mscorsvw.exe	51
PID 1840 wrote to memory of 1672	1840	mscorsvw.exe	51
PID 1840 wrote to memory of 1672	1840	mscorsvw.exe	51
PID 1840 wrote to memory of 1672	1840	mscorsvw.exe	51
PID 1840 wrote to memory of 2084	1840	mscorsvw.exe	52
PID 1840 wrote to memory of 2084	1840	mscorsvw.exe	52
PID 1840 wrote to memory of 2084	1840	mscorsvw.exe	52
PID 1840 wrote to memory of 2084	1840	mscorsvw.exe	52
PID 1840 wrote to memory of 2176	1840	mscorsvw.exe	53
PID 1840 wrote to memory of 2176	1840	mscorsvw.exe	53
PID 1840 wrote to memory of 2176	1840	mscorsvw.exe	53
PID 1840 wrote to memory of 2176	1840	mscorsvw.exe	53
PID 1840 wrote to memory of 2796	1840	mscorsvw.exe	56
PID 1840 wrote to memory of 2796	1840	mscorsvw.exe	56
PID 1840 wrote to memory of 2796	1840	mscorsvw.exe	56
PID 1840 wrote to memory of 2796	1840	mscorsvw.exe	56
PID 1840 wrote to memory of 2524	1840	mscorsvw.exe	57
PID 1840 wrote to memory of 2524	1840	mscorsvw.exe	57
PID 1840 wrote to memory of 2524	1840	mscorsvw.exe	57
PID 1840 wrote to memory of 2524	1840	mscorsvw.exe	57
PID 1840 wrote to memory of 1388	1840	mscorsvw.exe	58
PID 1840 wrote to memory of 1388	1840	mscorsvw.exe	58
PID 1840 wrote to memory of 1388	1840	mscorsvw.exe	58
PID 1840 wrote to memory of 1388	1840	mscorsvw.exe	58
PID 1840 wrote to memory of 2352	1840	mscorsvw.exe	59
PID 1840 wrote to memory of 2352	1840	mscorsvw.exe	59
PID 1840 wrote to memory of 2352	1840	mscorsvw.exe	59
PID 1840 wrote to memory of 2352	1840	mscorsvw.exe	59
PID 1840 wrote to memory of 1932	1840	mscorsvw.exe	60
PID 1840 wrote to memory of 1932	1840	mscorsvw.exe	60
PID 1840 wrote to memory of 1932	1840	mscorsvw.exe	60
PID 1840 wrote to memory of 1932	1840	mscorsvw.exe	60
PID 1840 wrote to memory of 1956	1840	mscorsvw.exe	61
PID 1840 wrote to memory of 1956	1840	mscorsvw.exe	61
PID 1840 wrote to memory of 1956	1840	mscorsvw.exe	61
PID 1840 wrote to memory of 1956	1840	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9911da3a890e72c7cfc065de8bd71d689b059d3b4dbd8bf06fad5ce14771174f.exe
"C:\Users\Admin\AppData\Local\Temp\9911da3a890e72c7cfc065de8bd71d689b059d3b4dbd8bf06fad5ce14771174f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2644

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2872

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:884

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 234 -NGENProcess 260 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 264 -NGENProcess 260 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2cc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1f8 -NGENProcess 1ec -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 20c -NGENProcess 264 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 2cc -NGENProcess 2e4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2cc -NGENProcess 22c -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 26c -NGENProcess 2fc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 26c -NGENProcess 2cc -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2fc -NGENProcess 310 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 30c -NGENProcess 31c -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 30c -NGENProcess 318 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 30c -NGENProcess 314 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 288 -NGENProcess 318 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 274 -NGENProcess 288 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 34c -NGENProcess 33c -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 340 -NGENProcess 354 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 360 -NGENProcess 364 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 34c -NGENProcess 370 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 35c -NGENProcess 364 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 378 -NGENProcess 360 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 370 -NGENProcess 35c -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 380 -NGENProcess 364 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2a4 -NGENProcess 258 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2f4 -NGENProcess 278 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2e0 -NGENProcess 31c -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2ec -NGENProcess 258 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2dc -NGENProcess 278 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 278 -NGENProcess 2e0 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1c0 -NGENProcess 2dc -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2b4 -NGENProcess 234 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 184 -NGENProcess 2dc -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2a8 -NGENProcess 234 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2dc -NGENProcess 1f8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 31c -NGENProcess 21c -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 2a8 -NGENProcess 384 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 1c0 -NGENProcess 21c -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 238 -NGENProcess 370 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 2c4 -NGENProcess 21c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 378 -NGENProcess 380 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 1f8 -NGENProcess 21c -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2c4 -NGENProcess 378 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 34c -NGENProcess 364 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 250 -NGENProcess 388 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 36c -NGENProcess 364 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 364 -NGENProcess 274 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 390 -NGENProcess 388 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 364 -NGENProcess 390 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 39c -NGENProcess 24c -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 24c -NGENProcess 388 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 3a8 -NGENProcess 250 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 39c -NGENProcess 3b0 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 390 -NGENProcess 250 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 39c -NGENProcess 3a8 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 1c0 -NGENProcess 3b4 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 3b4 -NGENProcess 390 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3c0 -NGENProcess 3a8 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 1c0 -NGENProcess 3c8 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 3b8 -NGENProcess 3a8 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3b8 -NGENProcess 1c0 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 1c0 -NGENProcess 3d0 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 388 -NGENProcess 3b0 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3b0 -NGENProcess 3b8 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3c8 -NGENProcess 3e0 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:1956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3a8 -NGENProcess 3b8 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3e4 -NGENProcess 3b0 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3e0 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3b8 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:2020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3b0 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 3e0 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3b8 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3b8 -NGENProcess 3ec -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3e4 -NGENProcess 3fc -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 3f8 -NGENProcess 40c -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 408 -NGENProcess 378 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  PID:940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 408 -NGENProcess 364 -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 3ec -NGENProcess 3d8 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:2792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 41c -NGENProcess 424 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 42c -NGENProcess 420 -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 378 -NGENProcess 444 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 43c -NGENProcess 420 -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:2336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 430 -NGENProcess 440 -Pipe 43c -Comment "NGen Worker Process"
  2⤵
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 418 -NGENProcess 378 -Pipe 430 -Comment "NGen Worker Process"
  2⤵
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 45c -NGENProcess 448 -Pipe 458 -Comment "NGen Worker Process"
  2⤵
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 460 -NGENProcess 45c -Pipe 440 -Comment "NGen Worker Process"
  2⤵
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 46c -NGENProcess 378 -Pipe 468 -Comment "NGen Worker Process"
  2⤵
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 460 -NGENProcess 470 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 46c -NGENProcess 484 -Pipe 444 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 450 -NGENProcess 44c -Pipe 470 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 47c -InterruptEvent 480 -NGENProcess 2c8 -Pipe 490 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 48c -InterruptEvent 44c -NGENProcess 2c8 -Pipe 478 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 44c -NGENProcess 48c -Pipe 450 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 48c -InterruptEvent 2c8 -NGENProcess 4a0 -Pipe 44c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 4a4 -NGENProcess 48c -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a4 -InterruptEvent 4b8 -NGENProcess 47c -Pipe 4b4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b8 -InterruptEvent 4bc -NGENProcess 370 -Pipe 480 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c0 -InterruptEvent 498 -NGENProcess 46c -Pipe 4a4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 4b8 -NGENProcess 4c0 -Pipe 498 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b8 -InterruptEvent 488 -NGENProcess 4c8 -Pipe 4ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d8 -InterruptEvent 4b0 -NGENProcess 4c8 -Pipe 4d4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b0 -InterruptEvent 4e0 -NGENProcess 47c -Pipe 4dc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d8 -InterruptEvent 488 -NGENProcess 4c8 -Pipe 4e0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c8 -InterruptEvent 4f0 -NGENProcess 4e4 -Pipe 4d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f8 -InterruptEvent 4cc -NGENProcess 4fc -Pipe 4c8 -Comment "NGen Worker Process"
  2⤵
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 49c -InterruptEvent 4f8 -NGENProcess 4ec -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:1900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f8 -InterruptEvent 504 -NGENProcess 4cc -Pipe 500 -Comment "NGen Worker Process"
  2⤵
  PID:632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 49c -InterruptEvent 46c -NGENProcess 4ec -Pipe 504 -Comment "NGen Worker Process"
  2⤵
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a8 -InterruptEvent 4ec -NGENProcess 50c -Pipe 49c -Comment "NGen Worker Process"
  2⤵
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f8 -InterruptEvent 2d4 -NGENProcess 204 -Pipe 528 -Comment "NGen Worker Process"
  2⤵
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 508 -InterruptEvent 514 -NGENProcess 488 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 524 -InterruptEvent 508 -NGENProcess 204 -Pipe 488 -Comment "NGen Worker Process"
  2⤵
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 530 -InterruptEvent 518 -NGENProcess 51c -Pipe 52c -Comment "NGen Worker Process"
  2⤵
  PID:896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 518 -InterruptEvent 548 -NGENProcess 538 -Pipe 544 -Comment "NGen Worker Process"
  2⤵
  PID:952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 538 -InterruptEvent 53c -NGENProcess 548 -Pipe 530 -Comment "NGen Worker Process"
  2⤵
  PID:776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 53c -InterruptEvent 554 -NGENProcess 520 -Pipe 550 -Comment "NGen Worker Process"
  2⤵
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 520 -InterruptEvent 540 -NGENProcess 554 -Pipe 538 -Comment "NGen Worker Process"
  2⤵
  PID:612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 540 -InterruptEvent 560 -NGENProcess 54c -Pipe 55c -Comment "NGen Worker Process"
  2⤵
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 560 -InterruptEvent 564 -NGENProcess 548 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 564 -InterruptEvent 568 -NGENProcess 554 -Pipe 50c -Comment "NGen Worker Process"
  2⤵
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 56c -InterruptEvent 568 -NGENProcess 564 -Pipe 54c -Comment "NGen Worker Process"
  2⤵
  PID:1772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 568 -InterruptEvent 570 -NGENProcess 554 -Pipe 574 -Comment "NGen Worker Process"
  2⤵
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 570 -InterruptEvent 520 -NGENProcess 558 -Pipe 4f8 -Comment "NGen Worker Process"
  2⤵
  PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 520 -InterruptEvent 578 -NGENProcess 564 -Pipe 548 -Comment "NGen Worker Process"
  2⤵
  PID:368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 578 -InterruptEvent 57c -NGENProcess 554 -Pipe 540 -Comment "NGen Worker Process"
  2⤵
  PID:2368

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 23c -NGENProcess 244 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2816

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:764

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2972

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2064

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2072

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2000

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2100

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2524

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2360

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:1072

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
5f06e7c07f02a82c4da18da565eb0d9d

SHA1
0e29846dc240d9f6b32bd3232c0f483b6a52da27

SHA256
f935b3a9d9a9e05c76cbbf266e3e492c9836c2e6b95560275ddf5944fb074cce

SHA512
e808a291b1575d629985be7e81d033395f58c3f29115aef023db8235bc53be4cf61ad25c8a3491dde56f76cee94092e0cc003fd6e2bd071b9ec1e33a56bdce17

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
3e9dbf22b3eff786d0ec87866a6a7862

SHA1
c4390ce98e9c07383de4c048d76f65272ec983a5

SHA256
b139bcf406791cc1c52c1dc53ed17f97e81136f85a149f734f8ce4c993882fa6

SHA512
5b8dfaea951b66f2baf4b63dd0e43eb9a5fcf373420d7e09ae9de023d126747f6f03c03c8c2a815b566121507795719501ee6e623e76f194c3d6dd27188063f1

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
78bc0e4c4cd291bf1c529a8f91984037

SHA1
8410eea7295718054a3f20788e759d4b8df6c6e8

SHA256
8a31ecb473a6048ec63ce71f645b0265b1f63e3cd1542fd0b92d237f943955ad

SHA512
d91b7e8c0656316695b54ebf96b3b239aebedb4816e9e6f65a04b7d8180d686f0eb01d5126f7eff22c9929c452242b43ff675eac932d931de3f5020bf34d908f

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
6fcc6257c4b5d67430bbc230d0b07703

SHA1
a30ebc4e39f48135b69305301216d81a4269af4e

SHA256
ef6f0e55cfab92f220da094efd62a2ed22ba4a6fda636acbb251672be5e083a8

SHA512
fc3c71cf92c06bce1736ca13f974d7f25cdaa650b46371a7d1a2a5f8fe892a3eb7e6e5b7086f513eca9cf135ddb6498bbb0bf0a953942b57f1daed06ea7633aa

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
b26bfeb30cd39c404c9024396b2d44cc

SHA1
e293abf799f93efb37e9220bfe3e85e18837abff

SHA256
20eb459bffd71c6ef18522baf9370bccc552255f3bd5d5f03d5e550d3c9ef66a

SHA512
318174b585a244db1145f63df86c7b77d306c64d896bf13081b91af8e39d941d9f763ea4a8d3526ffd5bf425062059e53bc12d76574b73b0d068474d8494e6bf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
6085bf7ccdcafc582e7c4ff1e50deaaa

SHA1
7f5570fcd391b454fb396ed1031946b14a7558eb

SHA256
95f853af3e6faa6f3e289d3fd56c140e626dc4563d8d044cddfabaf88739f494

SHA512
0cba711447025c8216178b169ad9c8f453d69b7c6a37f5deaec17289b4564792317d7d64e98a03b297f12fc48361b679a89a8582452d8bf686dd1fc5beb5ce36

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
441ce36926dcfa78c63bb955284fd2f8

SHA1
28095c88bacc7703b22c940f467f03f059a4aa52

SHA256
5ca6b10305cd47ec3be19a025040453a69541ce574c2587f1b52ecc32e3f2735

SHA512
66a4884caf1d1e939d98c44b1b1ded9c7565d09d5e5f442c9e755d3b9807812667cca56762d637451a744233ee56668e458c236b570c540fb152e8e8cbaf04c9

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
f674645041eb4ca903a1a8f66ec59bcc

SHA1
b4b53f5ed9a510798785130cda7cde5b53e4c855

SHA256
4f7a3a2ca92b4a4054ea011a3ad37d857e567d1cbc9a16a75704392b0e3b71b1

SHA512
dbd7c5777ab342fc2acaef01be5268d543b22839b6f8247fcb9fb605bfd5f7e126ca1bbf37705ce32c28da1c22ffef3334cb254e08dc63cf79cac6f9dc803845

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8008b5f3707980d3281b1fdf2cf5d007

SHA1
6bd984f1e91de3fdb6257e62c043587b2a3c2893

SHA256
54255354b5f011dffa6f4238bf25916446dfab266552b146b46a6b2b72f2ac79

SHA512
fc9889ee9bc63144259a5794af5ba42d6573e4c581ddd0897d3d349a76055ed4c61b67f64b8fa242282cd9df18bbb8f7457d3fd68f9f12b8fe99fbaf4a7a9858

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
979f910a692b7e68e191d6e3ffd27339

SHA1
605df2386e72c40c6997ef440f313e67c78877c9

SHA256
6f563fb9718dc3b6e0f72b060c17c0dbab27228265ebe81cfb9888bc34595c16

SHA512
81a29967b3e7f5ca0180c848c22075e1c5d2a80ccdec67b2734ae64c47a9bf23f18f8ea52c634cbeca8264890c4105b612dc705aa082d93d6144cf17985eebd1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
e3d9dda98fadf34c450af95d7261cc84

SHA1
b1bb9e066598cb209bbb658b8be3128134f44e6b

SHA256
14762b8756fd0f02741520ce1baa815522c2e52d91784a129a077bc423aa6a65

SHA512
936721660e919d06420285abb58bf3760b6069839bb98cc5c819aa42b023812bae760558ddaef9478f89d107cc916ec81040d5ada50f126890af46c7c7ce3a12

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
58ccf23acd26b76c9e4025fd5245e6d8

SHA1
7be7f0c1bea57ecbe7703b06279b7b33ce9ab9fb

SHA256
0685ae61cde6a3672e68141e9e629cb635b4ebb20dbdd6ce56d71f916920df1e

SHA512
ee866ba921f91e743a23194343657fe8830687e9cc4d114f5bed38bb98af566e3a819115fc7afee5e83d8225be2720941e2ddf46be07d90822ec0ec9c2c96071

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
875e7aafe518c7a9467cbcab45ae8f1a

SHA1
6e5cb2df0d23c4d30b8d485f335f7c1350a64e78

SHA256
838f37610babdf703063f76c49789a95d4f1b03c082dabd2867d463acaaaa7f1

SHA512
5a4badd214b3980c396b5b34aa92a84c228d380a3ff1e0ecbdd318901fdf308abca925bbf6c11b689872d7e06d321721d1c3fae561a51ec0fafb1854b2ffc0ff

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
3726e69cf4104770bfddd27aacb4899c

SHA1
98aacd88b3aaef9838e4d87109a4efffbee3b36b

SHA256
624398c1fb05ee73785d4a4612589a53028fd014cd98184e15a3684b5c325d87

SHA512
32e430746f4a7024da8a2ea569fc3940933e758953ed8628d9337b3b8a5ad6f1c793e7235418eddd8542097a4c138eaaf3b666c588b23997a0a6a9eb617c2aa3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
fb98ec9a6acc8b495a46e9bf625c4082

SHA1
1a422daea2d7256a02dc83d81bafa724e34f5379

SHA256
0f620ad8564957385167ed5c2f064bbed28bf7898f7d7716878448784776c215

SHA512
99a34711162967b66edf09c2dbcbb0322ea26e6adc0d7ca799368d15b5b39234cee6a7ed3ad29690b4e44ff61c2531b14216c196719bb5c13bc3f803529f4e89

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
0267009d15aba62e7755a7f4b41b7675

SHA1
f64f45894c0b3106eda611c11ed373d534eb497b

SHA256
897ad1dc1fb6b6ce2ae49760381294b227ff9633f03f498b0dea3508fc8997fc

SHA512
dcb9a69ccab6aad2958937790f9cd006489634fb0e75144ec9edc160a40594bc10ba55540634b1e97d661dd6f9060564e27c5f74e37238dabe18dac400baa15c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
99c3893719ad4f4344230d0e0a529988

SHA1
41b834d21c84c9f8be479ca24e61f6930e963a67

SHA256
649f682927e6849fd6e2119a0fe14ba5a90f171dc7bb7e1f7d11fd7dd3b130be

SHA512
740462e60ceda913905a90248d1ed451aecfe8a7259f8acb6eef271596e6b9d87809844ba4cb0c553ad1640d978eb9b91fa58ca93894885ba470b11655d6a7f6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
94edecebdc0108d061e25c9c4a7cf98d

SHA1
b4428ba5053a5fb45f018ebcd8481677f0bf037c

SHA256
5d3bfe9d1f48d4744f5979b1c8423fff1502722d173a9687c83809c0ff13747f

SHA512
8f218cfe0020bf7e3dd654a2a86da888f72a44ddf99a83dd522cbbec4ae3339d2451b02ec7989b45eeed63a0fdefee5e83894554b3e66892d8a197f19414965b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
076d1f87653f65ce690470b50f7b7dbf

SHA1
4f09079b9d0ab87cbbe19ad45ac5ae22a21e184e

SHA256
dae5acd33b4643cbe27d4df290739501f0fdaf9a2084219ed70040397ea4ef71

SHA512
507457a08f5a6672c9ff89e0bf038a30dd7524a17b83b23e86b40fa3bf3400c99ea130e63c22a02c7211564a786ec15bb56d5714fa5a09495a0d73cd1e55f572

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\f58803feae4ef42b.bin

Filesize
12KB

MD5
d65b261a4487bc6aee311e2637f13f3d

SHA1
b060e0c379204aed076f178cddfafa37a8a47b50

SHA256
c360dba1ad2be62a645cd07a3557eed55f1f4ab0793c1e3293674a8b6be2759b

SHA512
e9cb237c0b8ce9fb77ddf109d81033696cb2dec653e7aac143933624174b9b44e1ab1f14dc87978160ade8c513f2dbfdfd0edaad8a66aa85faf2c4fe77ef2c01

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
577KB

MD5
144afcf3dd408b70fce1cc5fdaa7bb80

SHA1
dc6a0d3533cf6cb3792d76558b78ff3210148be0

SHA256
ed7634273273441009393ad1654dc8a99ee6f15360ca21f2bb88f32704970b40

SHA512
5f6994028238bef5430771029574e2fb0a3b7e4957bdb600780ca3c7a4232e8d3fb3b1f1eef7a63ac98da9f3be51200e7019905d563384e05a9f4a71e4476b22

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4d420aa31d320cdf2e1ce2aefe7bc119\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
6f9f108fa2279e1c28463809d1ade2ae

SHA1
f4a84ed2ee86aca38d3eb4cb8447cae3c7120e1d

SHA256
bdcf89d2d6f43ae146e1008fceff57d91e78c517a37df09a4d7bb18a935a96c8

SHA512
9a21732e365f20811a617d579f63a6879ffa0d727d786ea824c651992d079690a476453a365fa52fcffa722e575ce52087ee3757ad90db3ba308fda6567ace3f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\54ba26779e6f2075f91293f4f81c2fff\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
ad8c0e759df25e0049d44e5aba4f3321

SHA1
4e1e19b1b5602937057170bf390db0091899af69

SHA256
4c31b7d8501b8914425568b1c3a228aeafa35b6cd6bfcd9cf55dfa511a71ede7

SHA512
f23471c6371f3828002e2ff168013cc01d7744299bd14c7d2117bc39261a9d10cf3bbbe87af08874990a2e20998ec7e3208bf16659ef9e895147e854509f88c4

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b18032fd4f47cdfb18f4456362102d07\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
0f3d70277d7cdc8795b4489b4690fccc

SHA1
2eaae12ac74b5a0977190fb8919b89d1705a1436

SHA256
d8c1d9758d9a1f6c6ad43f0fc8bf6ea6781082a71f4d6bec5146ab7516547f19

SHA512
6eea322d3ab8fc88417d58bed4e67d86337425dae174e3326e65c3fdc2f65c9827a7273baf50a4d16913fe1850c158a50d92da34fcd0414df27ac8e148d3daaa

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\dec1b45d1042ebc3c8b0fabb2dc5ee08\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
b10aeb5457f21ec383ccaab4b055e506

SHA1
9d36df2ecadfc15d6232888294d5ffc14fb95164

SHA256
b6961f00e67cf069517acd87d9daa3da7d6245e89f2df54d4190472ffc48c5fe

SHA512
51ae9bf87ee150012f46c313fb1cb8952cd508b87431418ac7f1b08c84664eb0aa9d6d8a37b49eee4f6f3ae3ccc34a64f9a489c03c10e11576fb37ce9b6936aa

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
79c86916f4ff785d7fc488fc13ab9e29

SHA1
cc40be731a5a068a6c10afca0e2f06786a34d888

SHA256
e3690a5cc160bbdb8365df8abca6545832791f391cb69bbf6c03a8decfecd100

SHA512
3e22f0178ef62a1ac748472a2c85de61d7cd1ab814473f004006773209ea4df09c36d998873dbf6d5797bda152e4c8dd5a0816bb34e3d616993d6753856c3f93

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
6c5a2d9d0aa14d00301903df01971023

SHA1
e05311494643d3a6b7ff8866c2fc0f26697e82ad

SHA256
56b9a0e9a613140ba0bfd707846c3f3d103ec6a35a52d9bb0b47e071e241bef6

SHA512
28fb004be64af92bbec6204bae624ad69b1b95801925d079ec2af677b8f51674ece142300174c1f870186178da9afb2357a8090fd0f7cc6e49d05deb15aa15dc

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
c80baf5dc94840358761fda681791374

SHA1
00852a2413319092c2376c010ef417a5575acae3

SHA256
580ccd400c91ea800cb98bda433481e662d490977882158843b68876c65dbbcd

SHA512
b0d0626f47efa7fb461275c70be9340430f2401f8057e34e19d7cdf4a609396350265fa7bc3e0673e624f998ccd633e16a97cf33e87697e677d51248e1727f88

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
7657da488e89bf672bb409c74eafb784

SHA1
de0c59b8c9c18ab1e36859e61e4a314e83949762

SHA256
cbca7c78677ecf7f75fc08dbc4b6c2c8747a448a5dbaa15b9c0fc0f4b4e14b45

SHA512
b896b747e77a7baaea6c3916a6f692931a93bdaf0b531c3ee6550969988cb675790644361475bdc13581df00416a26c3829b3e715d8f43c5735d4182394e7d09

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
9b5604b047778a8c7042034a9cbcbe2a

SHA1
a20e529a9592622dc4d37702656fb77223a7e1b0

SHA256
ba3f975eabd343fd221803f06499e9ed01370ab3f5a0d0ced3e484b88855b9a4

SHA512
e2d039339452168d90e6f162637f66d37c051f108075149129fcc3a2b8d614a044c619faafe6bd2a0a40fc117d6f2c7d6d6620163182d6ca9a846b0f8601a996

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
50e0e6000a2fbb3bcdcd46e0239a4a7a

SHA1
f62d3878d45ca2aed6f0801c753c38cf608c231f

SHA256
beae400b13d56a45e54202c7477fc7dffda8ee62053f10895aae2963bc640ba5

SHA512
f52e2f0485c335b4ce0614a068f3437dcd394706ffa5510d7811df3218399aaef95a088ac21bec665e69d569115abc1b4b5bafca61a58a6b574d1a33172fa288

Download Submit
memory/476-430-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/476-393-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/596-574-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/596-561-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/764-148-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/764-149-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/764-155-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/764-800-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/764-171-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/764-170-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/764-466-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/884-114-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/884-88-0x0000000000270000-0x00000000002D7000-memory.dmp

Filesize
412KB

Download
memory/884-93-0x0000000000270000-0x00000000002D7000-memory.dmp

Filesize
412KB

Download
memory/884-87-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/956-871-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1072-598-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1072-313-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1388-653-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1388-633-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1432-465-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1432-422-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1536-787-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1536-767-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1652-753-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1672-587-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1672-571-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1676-680-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1676-702-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1688-166-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1688-262-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1688-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1688-6-0x0000000001E20000-0x0000000001E87000-memory.dmp

Filesize
412KB

Download
memory/1688-1-0x0000000001E20000-0x0000000001E87000-memory.dmp

Filesize
412KB

Download
memory/1692-544-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1692-562-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1728-855-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1840-827-0x0000000001AE0000-0x0000000001B0A000-memory.dmp

Filesize
168KB

Download
memory/1840-821-0x00000000021D0000-0x000000000236E000-memory.dmp

Filesize
1.6MB

Download
memory/1840-390-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1840-824-0x0000000001CE0000-0x0000000001D68000-memory.dmp

Filesize
544KB

Download
memory/1840-818-0x0000000001AE0000-0x0000000001AFA000-memory.dmp

Filesize
104KB

Download
memory/1840-820-0x0000000001CE0000-0x0000000001D84000-memory.dmp

Filesize
656KB

Download
memory/1840-825-0x0000000001AE0000-0x0000000001B04000-memory.dmp

Filesize
144KB

Download
memory/1840-826-0x0000000001AE0000-0x0000000001AE8000-memory.dmp

Filesize
32KB

Download
memory/1840-816-0x0000000001AE0000-0x0000000001AEA000-memory.dmp

Filesize
40KB

Download
memory/1840-117-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1840-828-0x0000000001CE0000-0x0000000001D46000-memory.dmp

Filesize
408KB

Download
memory/1840-819-0x0000000001CE0000-0x0000000001D6C000-memory.dmp

Filesize
560KB

Download
memory/1840-817-0x0000000001AE0000-0x0000000001AFE000-memory.dmp

Filesize
120KB

Download
memory/1840-823-0x0000000001AE0000-0x0000000001AF0000-memory.dmp

Filesize
64KB

Download
memory/1840-118-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/1840-822-0x00000000021D0000-0x00000000022BC000-memory.dmp

Filesize
944KB

Download
memory/1840-123-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/1924-876-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1932-676-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1932-667-0x0000000003C30000-0x0000000003CEA000-memory.dmp

Filesize
744KB

Download
memory/1932-666-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1956-690-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2000-538-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2000-188-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2000-794-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2028-699-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2028-705-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2072-530-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2072-184-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2072-175-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2072-181-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2084-586-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2084-602-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2100-267-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2100-552-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2100-265-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2176-615-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2176-599-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2236-467-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2236-506-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2264-725-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2320-421-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2320-131-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2320-132-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2320-138-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2352-665-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2352-642-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2360-296-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2360-585-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2488-845-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2524-302-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2524-617-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2524-632-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2524-287-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2560-865-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2572-763-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2584-104-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2636-749-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2644-187-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2644-30-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2764-533-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2764-549-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2796-628-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2796-614-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2816-790-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2868-515-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2868-528-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2872-84-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2872-266-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2972-514-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2972-793-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2972-160-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2972-168-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2972-167-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/3044-722-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3044-729-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download